Exit status on `ssh-add` failure
Wiktor Kwapisiewicz
wiktor at metacode.biz
Tue Jun 16 23:08:00 AEST 2026
On 2.06.2026 10:40, Wiktor Kwapisiewicz via openssh-unix-dev wrote:
> On 2.06.2026 01:22, Damien Miller wrote:
>> try this
>>
>> diff --git a/ssh-add.c b/ssh-add.c
>> index 2788f7e..410277b 100644
>> --- a/ssh-add.c
>> +++ b/ssh-add.c
>> @@ -392,12 +392,15 @@ add_file(int agent_fd, const char *filename, int
>> key_only, int cert_only,
>> /* Now try to add the certificate flavour too */
>> xasprintf(&certpath, "%s-cert.pub", filename);
>> if ((r = sshkey_load_public(certpath, &cert, NULL)) != 0) {
>> - if (r != SSH_ERR_SYSTEM_ERROR || errno != ENOENT)
>> + if (r != SSH_ERR_SYSTEM_ERROR || errno != ENOENT) {
>> + ret = -1;
>> error_r(r, "Failed to load certificate \"%s\"",
>> certpath);
>> + }
>> goto out;
>> }
>> + ret = -1; /* cert errors after here yield a nonzero exit status */
>> if (!sshkey_equal_public(cert, private)) {
>> error("Certificate %s does not match private key %s",
>> certpath, filename);
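Review bot: The unconditional `ret = -1;` after the certificate load makes failure the default for everything that follows in add_file(), so correctness now depends on every later path either being a real certificate error or reaching the `ret = 0;` at `/* success */`. That holds for the paths visible here, but a non-error `goto out` added between the two later on would silently become a nonzero exit. Consider setting `ret = -1` at each certificate error site instead, or extend the comment to say that the key itself has already been dealt with by this point (as "Now try to add the certificate flavour too" implies) and that only the `/* success */` assignment clears the failure.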
>> @@ -429,6 +432,7 @@ add_file(int agent_fd, const char *filename, int
>> key_only, int cert_only,
>> goto out;
>> }
>> /* success */
>> + ret = 0;
>> if (!qflag) {
>> fprintf(stderr, "Certificate added: %s (%s)\n", certpath,
>> private->cert->key_id);
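Review bot: With `ret = 0;` at `/* success */` as the only reset, a run in which the key was accepted but the certificate was not now ends in a failure return, and nothing in the visible hunks documents or tests that. Suggest a sentence in the commit message or manual page stating that the exit status also covers the certificate step, plus a regression test for a `-cert.pub` that does not match its private key (the "Certificate %s does not match private key %s" path).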
>
> Yes, this one works in both cases: returns exit code 1 when cert
> addition fails (but the key succeeded) and returns exit code 0 when
> everything works fine.
>
> As far as I'm concerned this is fine.

Sorry for prodding again but I don't see this applied (at least on the
mirror: https://github.com/openssh/openssh-portable/commits/master/ )
and maybe this just fell through the cracks. I'd really appreciate
merging this change.

Thank you for your time!

Kind regards,
Wiktor