This is an attempt to make the ssh-* man pages more exact regarding SSH_ASKPASS, when used for ssh-agent key confirmation.
The point I'm making is that the relevant SSH_ASKPASS environment variable is not that of ssh-add(1) (apart from when ssh-add is actually asking for a passphrase). On a sidenote, I think I'd prefer a 'SSH_CONFIRM' variable or somesuch (falling back to SSH_ASKPASS), but maybe we don't want to pollute the environment any further. /Alexander Index: ssh-add.1 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh-add.1,v retrieving revision 1.58 diff -u -p -r1.58 ssh-add.1 --- ssh-add.1 3 Dec 2012 08:33:02 -0000 1.58 +++ ssh-add.1 21 Jul 2013 01:09:49 -0000 @@ -84,14 +84,10 @@ to work. The options are as follows: .Bl -tag -width Ds .It Fl c -Indicates that added identities should be subject to confirmation before +Indicates that +.Xr ssh-agent 1 +should ask for confirmation before added identities are being used for authentication. -Confirmation is performed by the -.Ev SSH_ASKPASS -program mentioned below. -Successful confirmation is signaled by a zero exit status from the -.Ev SSH_ASKPASS -program, rather than text entered into the requester. .It Fl D Deletes all identities from the agent. .It Fl d Index: ssh-agent.1 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh-agent.1,v retrieving revision 1.53 diff -u -p -r1.53 ssh-agent.1 --- ssh-agent.1 21 Nov 2010 01:01:13 -0000 1.53 +++ ssh-agent.1 21 Jul 2013 01:09:49 -0000 
@@ -161,6 +161,18 @@ Later .Xr ssh 1 looks at these variables and uses them to establish a connection to the agent. .Pp +If confirmation before using a key is requested by +.Xr ssh-add 1 , +it is performed by the program specified in the +.Ev SSH_ASKPASS +environment variable, or +.Xr ssh-askpass 1 +if +.Ev SSH_ASKPASS +is not set. +Successful confirmation is signaled by a zero exit status, and that the +first line of the program's output is empty or the string "yes". +.Pp The agent will never send a private key over its request channel. Instead, operations that require a private key will be performed by the agent, and the result will be returned to the requester. Index: ssh_config.5 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v retrieving revision 1.166 diff -u -p -r1.166 ssh_config.5 --- ssh_config.5 27 Jun 2013 14:05:37 -0000 1.166 +++ ssh_config.5 21 Jul 2013 01:09:49 -0000 @@ -286,7 +286,7 @@ will cause ssh to listen for control connections, but require confirmation using the .Ev SSH_ASKPASS program before they are accepted (see -.Xr ssh-add 1 +.Xr ssh-agent 1 for details). If the .Cm ControlPath
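Review bot: In the ssh-add.1 hunk (@@ -84,14 +84,10 @@), the new text for -c drops every mention of how confirmation is performed and leaves no pointer to where that is now documented. Since the explanation moves to ssh-agent.1, a short "see ssh-agent(1) for details" after the sentence would keep a reader of ssh-add(1) from losing the trail, much as ssh_config.5 does with its "(see ... for details)". While this sentence is being touched, "before added identities are being used for authentication" would read better as "before added identities are used for authentication".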
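Review bot: In the ssh-agent.1 hunk (@@ -161,6 +161,18 @@), the added paragraph never says whose environment SSH_ASKPASS is read from, which is the whole point of the cover message. "the program specified in the SSH_ASKPASS environment variable" can still be read as the variable in the environment of ssh-add; wording such as "specified in the SSH_ASKPASS environment variable of ssh-agent" would make the distinction explicit. The last sentence is also not parallel ("is signaled by a zero exit status, and that the first line ..."); consider "Confirmation succeeds if the program exits with status zero and the first line of its output is empty or the string yes", with the literal marked up using a quoting macro rather than bare double quotes.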
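Review bot: In the ssh_config.5 hunk (@@ -286,7 +286,7 @@), the cross-reference now sends the reader to ssh-agent(1), but the paragraph added there is framed only as "If confirmation before using a key is requested by ssh-add", while this text is about ssh itself asking for confirmation of control connections. A reader following the reference lands on a description of key confirmation with nothing saying it applies here too. Either word the ssh-agent.1 description of the success criteria generally enough to cover both uses, or state the criteria briefly in ssh_config.5 instead of relying on the reference.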