| SSH-ADD(1) | General Commands Manual | SSH-ADD(1) | 
ssh-add —
| ssh-add | [ -cCDdKkLlqvXx] [-Efingerprint_hash] [-Hhostkey_file] [-hdestination_constraint] [-Sprovider] [-tlife] [file ...] | 
| ssh-add | -spkcs11
      [-vC] [certificate ...] | 
| ssh-add | -epkcs11 | 
| ssh-add | -Tpubkey ... | 
ssh-add adds private key identities to the
  authentication agent,
  ssh-agent(1). When run
  without arguments, it adds the files ~/.ssh/id_rsa,
  ~/.ssh/id_ecdsa,
  ~/.ssh/id_ecdsa_sk,
  ~/.ssh/id_ed25519,
  ~/.ssh/id_ed25519_sk, and
  ~/.ssh/id_dsa. After loading a private key,
  ssh-add will try to load corresponding certificate
  information from the filename obtained by appending
  -cert.pub to the name of the private key file.
  Alternative file names can be given on the command line.
If any file requires a passphrase, ssh-add
    asks for the passphrase from the user. The passphrase is read from the
    user's tty. ssh-add retries the last passphrase if
    multiple identity files are given.
The authentication agent must be running and the
    SSH_AUTH_SOCK environment variable must contain the
    name of its socket for ssh-add to work.
The options are as follows:
-c-C-D-dssh-add has been run without arguments, the keys
      for the default identities and their corresponding certificates will be
      removed. Otherwise, the argument list will be interpreted as a list of
      paths to public key files to specify keys and certificates to be removed
      from the agent. If no public key is found at a given path,
      ssh-add will append .pub
      and retry. If the argument list consists of “-” then
      ssh-add will read public keys to be removed from
      standard input.-E
    fingerprint_hash-e
    pkcs11-H
    hostkey_file-h flag. This
      option may be specified multiple times to allow multiple files to be
      searched. If no files are specified, ssh-add will
      use the default
      ssh_config(5) known
      hosts files: ~/.ssh/known_hosts,
      ~/.ssh/known_hosts2,
      /etc/ssh/ssh_known_hosts, and
      /etc/ssh/ssh_known_hosts2.-h
    destination_constraintDestination constraints of the form ‘[user@]dest-hostname’ permit use of the key only from the origin host (the one running ssh-agent(1)) to the listed destination host, with optional user name.
Constraints of the form ‘src-hostname>[user@]dst-hostname’ allow a key available on a forwarded ssh-agent(1) to be used through a particular host (as specified by ‘src-hostname’) to authenticate to a further host, specified by ‘dst-hostname’.
Multiple destination constraints may be added when loading keys. When attempting authentication with a key that has destination constraints, the whole connection path, including ssh-agent(1) forwarding, is tested against those constraints and each hop must be permitted for the attempt to succeed. For example, if key is forwarded to a remote host, ‘host-b’, and is attempting authentication to another host, ‘host-c’, then the operation will be successful only if ‘host-b’ was permitted from the origin host and the subsequent ‘host-b>host-c’ hop is also permitted by destination constraints.
Hosts are identified by their host keys, and are looked up
        from known hosts files by ssh-add. Wildcards
        patterns may be used for hostnames and certificate host keys are
        supported. By default, keys added by ssh-add are
        not destination constrained.
Destination constraints were added in OpenSSH release 8.9. Support in both the remote SSH client and server is required when using destination-constrained keys over a forwarded ssh-agent(1) channel.
It is also important to note that destination constraints can
        only be enforced by
        ssh-agent(1) when a key
        is used, or when it is forwarded by a cooperating
        ssh(1). Specifically, it does
        not prevent an attacker with access to a remote
        SSH_AUTH_SOCK from forwarding it again and using
        it on a different host (but only to a permitted destination).
-K-k-L-l-q-S
    provider-s
    pkcs11-T
    pubkey ...-t
    life-vssh-add to print debugging
      messages about its progress. This is helpful in debugging problems.
      Multiple -v options increase the verbosity. The
      maximum is 3.-X-xDISPLAY,
    SSH_ASKPASS and SSH_ASKPASS_REQUIREssh-add needs a passphrase, it will read the
      passphrase from the current terminal if it was run from a terminal. If
      ssh-add does not have a terminal associated with
      it but DISPLAY and
      SSH_ASKPASS are set, it will execute the program
      specified by SSH_ASKPASS (by default
      “ssh-askpass”) and open an X11 window to read the
      passphrase. This is particularly useful when calling
      ssh-add from a .xsession
      or related script.
    SSH_ASKPASS_REQUIRE allows further
        control over the use of an askpass program. If this variable is set to
        “never” then ssh-add will never
        attempt to use one. If it is set to “prefer”, then
        ssh-add will prefer to use the askpass program
        instead of the TTY when requesting passwords. Finally, if the variable
        is set to “force”, then the askpass program will be used
        for all passphrase input regardless of whether
        DISPLAY is set.
SSH_AUTH_SOCKSSH_SK_PROVIDERIdentity files should not be readable by anyone but the user. Note
    that ssh-add ignores identity files if they are
    accessible by others.
ssh-add is unable to contact the authentication agent.
| December 18 2023 | NetBSD 9.4 |