secsh-add, ssh-add adds RSA or DSA identities to the authentication agent	Command
	SYNOPSIS DESCRIPTION Options FILES ENVIRONMENT VARIABLES AUTHORS PORTABILITY NOTES AVAILABILITY SEE ALSO

---

SYNOPSIS

secsh-add [-CcDdKkLlqvXx] [-E fingerprint_hash] [-H hostkey_file] [-h destination_constraint] [-S provider] [-t life] [file ...]

secsh-add [-Cv] [certificate ...]

secsh-add -s reader

secsh-add -e reader

ssh-add [-CcDdKkLlqvXx] [-E fingerprint_hash] [-H hostkey_file] [-h destination_constraint] [-S provider] [-t life] file...

ssh-add [-Cv] [certificate ...]

ssh-add -s reader

ssh-add -e reader

---

DESCRIPTION

secsh-add adds private key identities to the authentication agent, secsh-agent. When run without arguments, it adds the files $USERPROFILE/.ssh/id_rsa, $USERPROFILE/.ssh/id_ecdsa, $USERPROFILE/.ssh/id_ecdsa_sk, $USERPROFILE/.ssh/id_ed25519, $USERPROFILE/.ssh/id_ed25519_sk, and $USERPROFILE/.ssh/id_dsa, After loading a private key, secsh-add will try to load corresponding certificate information from the filename obtained by appending -cert.pub to the name of the private key file. Alternative file names can be given on the command line.

If any file requires a passphrase, secsh-add asks for the passphrase from the user. The passphrase is read from the user's tty. secsh-add retries the last passphrase if multiple identity files are given.

The authentication agent must be running and must be an ancestor of the current process for secsh-add to work.

You can also call secsh-add as ssh-add.

Options

-C 

When loading keys into or deleting keys from the agent, process certificates only and skip plain keys.

-c 

Indicates that added identities should be subject to confirmation before being used for authentication. Confirmation is performed by secsh-askpass. Successful confirmation is signaled by a zero exit status from secsh-askpass, rather than text entered into the requester.

-d 

Instead of adding identities, removes identities from the agent. When secsh-add is run without arguments, the keys for the default identities and their corresponding certificates will be removed. Otherwise, the argument list is interpreted as a list of paths to public key files to specify keys and certificates to be removed from the agent. When no public key is found at a given path, secsh_add appends .pub and retry. If the argument list consists of - then secsh-add will read public keys to be removed from standard input.

-D 

Deletes all identities from the agent.

-E fingerprint_hash 

Specifies the hash algorithm used when displaying key fingerprints. Valid options are: md5 and sha256. The default is sha256.

-e reader 

Removes key in smartcard reader.

-H hostkey_file 

Specifies a known hosts file to look up hostkeys when using destination-constrained keys via the -h flag. This option may be specified multiple times to allow multiple files to be searched. If no files are specified, ssh-add will use the default known hosts files: ~/.ssh/known_hosts, ~/.ssh/known_hosts2, $ROOTDIR/etc/ssh/ssh_known_hosts, and $ROOTDIR/etc/ssh/ssh_known_hosts2.

-h destination_constraint 

When adding keys, constrain them to be usable only through specific hosts or to specific destinations.

Destination constraints of the form `[user@]dest-hostname' permit use of the key only from the origin host (the one running secsh-agent) to the listed destination host, with optional user name.

Constraints of the form src-hostname>[user@]dst-hostname allow a key available on a forwarded secsh-agent to be used through a particular host (as specified by src-hostname) to authenticate to a further host, specified by dst-hostname.

Multiple destination constraints may be added when loading keys. When attempting authentication with a key that has destination constraints, the whole connection path, including secsh-agent forwarding, is tested against those constraints and each hop must be permitted for the attempt to succeed. For example, if key is forwarded to a remote host, host-b, and is attempting authentication to another host, host-c, then the operation will be successful only if host-b was permitted from the origin host and the subsequent host-b>host-c hop is also permitted by destination constraints.

Hosts are identified by their host keys, and are looked up from known hosts files by secsh-add. Wildcards patterns may be used for hostnames and certificate host keys are supported. By default, keys added by secsh-add are not destination constrained.

Destination constraints were added in OpenSSH release 8.9. Support in both the remote SSH client and server is required when using destination-constrained keys over a forwarded secsh-agent channel.

It is also important to note that destination constraints can only be enforced by secsh-agent when a key is used, or when it is forwarded by a cooperating secsh. Specifically, it does not prevent an attacker with access to a remote SSH_AUTH_SOCK from forwarding it again and using it on a different host (but only to a permitted destination).

-K 

Load resident keys from a FIDO authenticator.

-k 

When loading keys into or deleting keys from the agent, process plain private keys only and skip certificates.

-L 

Lists public key parameters of all identities currently represented by the agent.

-l 

Lists fingerprints of all identities currently represented by the agent.

-q 

Be quiet after a successful operation.

-S 

Specifies a path to a library that will be used when adding FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support.

-s reader 

Adds key in smartcard reader. Certificate files may optionally be listed as command-line arguments. If these are present, then they will be loaded into the agent using any corresponding private keys loaded from the smartcard token.

-t life 

Sets a maximum lifetime when adding identities to an agent. The lifetime may be specified in seconds or in a time format specified in secshd.

-X 

Unlocks the agent.

-x 

Locks the agent with a password.

---

FILES

$USERPROFILE/.ssh/id_dsa 

Contains the DSA authentication identity of the user.

$USERPROFILE/.ssh/id_ecdsa 

Contains the ECDSA authentication identity of the user.

$USERPROFILE/.ssh/id_ecdsa_sk 

Contains the authenticator-hosted ECDSA authentication identity of the user.

$USERPROFILE/.ssh/id_ed25519 

Contains the ED25519 authentication identity of the user.

$USERPROFILE/.ssh/id_ed25519_sk 

Contains the authenticator-hosted ED25519 authentication identity of the user.

$USERPROFILE/.ssh/id_rsa 

Contains the RSA authentication identity of the user.

Identity files should not be readable by anyone but the user. Note that secsh-add ignores identity files if they are accessible by others.

---

ENVIRONMENT VARIABLES

DISPLAY 

SSH_ASKPASS 

SSH_ASKPASS_REQUIRE 

If secsh-add needs a passphrase, it will read the passphrase from the current terminal if it was run from a terminal. If secsh-add does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS (by default secsh-askpass and open an X11 window to read the passphrase. This is particularly useful when calling secsh-add from a .Xsession or related script.

SSH_ASKPASS_REQUIRE allows further control over the use of an askpass program. If this variable is set to never then secsh-add will never attempt to use one. If it is set to prefer, then secsh-add will prefer to use the askpass program instead of the TTY when requesting passwords. Finally, if the variable is set to force, then the askpass program will be used for all passphrase input regardless of whether DISPLAY is set.

SSH_AUTH_SOCK 

Identifies the path of a UNIX-domain socket used to communicate with the agent.

SSH_SK_PROVIDER 

Specifies a path to a library that will be used when loading any FIDO authenticator-hosted keys, overriding the default of using the built-in USB HID support.

---

AUTHORS

OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0.

---

PORTABILITY

All UNIX systems. Windows 10. Windows Server 2016. Windows Server 2019. Windows 11. Windows Server 2022. Windows Server 2025.

---

NOTES

The secsh-add utility, by default, loads keys from the $USERPROFILE directory on 10/2016/2019/11/2022/2025 platforms instead of ~/. This was done because the ~/ directory might not be available for the case of a domain machine that cannot contact a domain controller. Note that the secure shell service continues to use the ~/.ssh directory to store configuration files.

Using SecurityKeyProvider(FIDO) requires the use of an external DLL that will act as an interface between OpenSSH and Windows Hello via a set of COM interfaces that Microsoft provides. This interface DLL is not currently provided by PTC, but there are 3rd parties that provide templates that can be used to develop your own.

---

AVAILABILITY

PTC MKS Toolkit for System Administrators
PTC MKS Toolkit for Developers
PTC MKS Toolkit for Interoperability
PTC MKS Toolkit for Professional Developers
PTC MKS Toolkit for Professional Developers 64-Bit Edition
PTC MKS Toolkit for Enterprise Developers
PTC MKS Toolkit for Enterprise Developers 64-Bit Edition

---

SEE ALSO

Commands:

secsh, secsh-agent, secsh-askpass, secshd, secsh-keygen, secsh-keysign

PTC MKS Toolkit Connectivity Solutions Guide

---

PTC MKS Toolkit 10.5 Documentation Build 40.