ssh-add Command Line Options

The syntax for ssh-add is:

ssh-add [-c] [-d] [-D] [-h] [-l] [-L] [-p] [-t timeout] [-U] [-V] [file1 file2 ...]

Use file1, file2... to specify keys to add to the agent. Specifying a key file is optional. If don't specify any key files, ssh-add adds all the keys specified in your identification file (which is ~/.ssh2/identification by default)

Options are available in both a single-character form (such as ‑o) and a descriptive equivalent (‑‑option). Single characters are shown here. To view the descriptive equivalents, use the ‑h command line option.


Specifies that agent should ask for confirmation before using a key.


Removes one or more specified keys from the agent. Use the file argument to specify the key file(s).


Removes all identities from the agent.


Displays a brief summary of command options.


Lists all the identities currently loaded in the key agent.


Locks the key agent. You are prompted for a password, which you will need to use to unlock the agent. Use -U to unlock.


Reads the passphrase from stdin. This may be done over a pipe.

-t <timeout>

Sets a timeout for the key. Use zero (0) to set no limit. Keys are deleted after the specified timeout.

By default, the timeout value is set in minutes. You can specify other units using this syntax:


Where unit can be: s (seconds), m (minutes), h (hours), d (days), or w (weeks). (Upper or lower case units are both accepted with the same meaning.) For example:

3600s = 3600 seconds (1 hour)

2w = 2 weeks

2d4h = 2 days and 4 hours


Unlocks an agent that has been locked using -L. You are prompted for the required password.


Displays product name and version information and exits. If other options are specified on the command line, they are ignored.


Specifies that the key files to be added are associated with X.509 certificates. If you use -x without specifying a file or files, Reflection for Secure IT reads your identification file (~/.ssh2/identification by default) and adds all the keys identified using the CertKey keyword. Certificates must be in the same directory as the associated private key and use the same base name with a .crt file extension.