ssh-add - Adds keys to the authentication agent.


ssh-add [-c] [-d] [-D] [-h] [-l] [-L] [-p] [-t timeout] [-U] [-V] [-x] [file1 file2 ...]


Use ssh-add to add identities to the authentication agent (ssh-agent). The agent must be running. You are prompted for a passphrase for any passphrase-protected key.

Specifying a key file is optional. If you don't specify any options or key files, Reflection for Secure IT reads your identification file (~/.ssh2/identification by default) and adds all the keys identified using the IDKey keyword. (To add all the keys identified using the CertKey keyword, use the -x option with no files specified.) For example, to start the agent in your current shell and load it with the keys in your identification file, use the following command sequence:

eval `ssh-agent`


Note: If you use X11, call ssh-add with '< /dev/null' to activate the ssh-askpass prompting window. This window is used for passphrase prompts.


Options are available in both a single-character form (such as o) and a descriptive equivalent (‑‑option). Single characters are shown here. To view the descriptive equivalents, use the h command line option.


Specifies that agent should ask for confirmation before using a key.


Removes one or more specified keys from the agent. Use the file argument to specify the key file(s).


Removes all identities from the agent.


Displays a brief summary of command options.


Lists all the identities currently loaded in the key agent.


Locks the key agent. You are prompted for a password, which you will need to use to unlock the agent. Use -U to unlock.


Reads the passphrase from stdin. This may be done over a pipe.

-t <timeout>

Sets a timeout for the key. Use zero (0) to set no limit. Keys are deleted after the specified timeout.

By default, the timeout value is set in minutes. You can specify other units using this syntax:


Where unit can be: s (seconds), m (minutes), h (hours), d (days), or w (weeks). (Upper or lower case units are both accepted with the same meaning.) For example:

3600s = 3600 seconds (1 hour)

2w = 2 weeks

2d4h = 2 days and 4 hours


Unlocks an agent that has been locked using -L. You are prompted for the required password.


Displays product name and version information and exits. If other options are specified on the command line, they are ignored.


Specifies that the key files to be added are associated with X.509 certificates. If you use -x without specifying a file or files, Reflection for Secure IT reads your identification file (~/.ssh2/identification by default) and adds all the keys identified using the CertKey keyword. Certificates must be in the same directory as the associated private key and use the same base name with a .crt file extension.


Copyright (C) 2010 Attachmate Corporation


ssh(1), ssh2_config(5), ssh-keygen(1), scp(1), sftp(1), ssh-agent(1), sshd(8), sshd2_config(5), ssh-certview(1),ssh-certtool(1), pkid(8), pki_config(5), pki_mapfile(5), pki-val(1)

Additional Reflection for Secure IT documentation is available online from the Attachmate documentation web page:

And from the technical note library: