Exit status on `ssh-add` failure

Damien Miller djm at mindrot.org
Thu May 21 20:23:07 AEST 2026


On Wed, 20 May 2026, Wiktor Kwapisiewicz via openssh-unix-dev wrote:

> Hi,
> 
> I'm developing a library for building custom SSH agents and noticed that
> OpenSSH's `ssh-add` doesn't return a non-zero exit code on some failures:
> 
> $ SSH_AUTH_SOCK=/tmp/test.sock ssh-add client
> Identity added: client (test-client)
> Certificate client-cert.pub (client) add failed: communication with agent failed
> $ echo $?
> 0
> 
> The certificate has not been added due to an agent protocol error but ssh-add
> still returned exit code 0.
> 
> The EXIT STATUS section of the manpage for ssh-add states: "Exit status is
> 0 on success, 1 if the specified command fails, and 2 if ssh-add is unable to
> contact the authentication agent." but it doesn't mention what happens when
> the command partially succeeds (identity has been added but the certificate
> not).
> 
> Is that the intended behavior of ssh-add?

This is intentional but somewhat legacy, dating from when certificate support
was fairly rare in ssh-agent.
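
For scripts that must not continue when only part of an identity was loaded, the following is an added example (not part of either message and not OpenSSH code) of a wrapper that treats an "add failed" line as an error even when `ssh-add` exits 0. The `SSH_ADD` override variable and the function names are hypothetical, and matching on the message text quoted in the thread is an assumption that may not hold across versions.

```shell
#!/bin/sh
# Added example: strict wrapper around ssh-add for provisioning scripts.
# SSH_ADD is a hypothetical override so the wrapper can be exercised
# without a running agent.
SSH_ADD=${SSH_ADD:-ssh-add}

# Return 0 if captured ssh-add output reports that something was not added.
# The " add failed: " wording is taken from the session quoted in the thread;
# relying on it is an assumption, not a documented interface.
has_add_failure() {
    printf '%s\n' "$1" | grep -q ' add failed: '
}

# Run ssh-add with the given arguments. Fail with ssh-add's own status if
# it is non-zero, or with 1 if it exited 0 but printed an "add failed" line
# (the partial-success case: key loaded, certificate not).
ssh_add_strict() {
    out=$($SSH_ADD "$@" 2>&1) && rc=0 || rc=$?
    # Pass the original diagnostics through for the operator or the log.
    [ -z "$out" ] || printf '%s\n' "$out" >&2
    [ "$rc" -eq 0 ] || return "$rc"
    if has_add_failure "$out"; then
        return 1
    fi
    return 0
}

# Constructed sample outputs modelled on the quoted session
# (the wrapped error line is joined back into one line).
SAMPLE_PARTIAL='Identity added: client (test-client)
Certificate client-cert.pub (client) add failed: communication with agent failed'
SAMPLE_OK='Identity added: client (test-client)'
```

A caller would use `ssh_add_strict client || exit 1` in place of a bare `ssh-add client`.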



