From: noodle@pastanoggin.com Subject: Re: ssh-add: print error "The agent has no identities." to stderr instead of stdout To: noodle@pastanoggin.com Cc: tech@openbsd.org Date: Thu, 29 Jan 2026 20:24:50 +0200 Quoth noodle@pastanoggin.com: > I encountered this while writing a script that has the line: > > keys=$(ssh-add -L) || exit 1 > > When the user had no keys stored in ssh-agent, the script exited > silently without printing "The agent has no identities."; The error > message was instead stored in the variable "keys" which is unnatural. > Other similar errors in the ssh-add.c log to stderr so it's safe to > align this printf too. > > Index: ssh-add.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/ssh-add.c,v > retrieving revision 1.182 > diff -u -p -r1.182 ssh-add.c > --- ssh-add.c 6 Nov 2025 01:31:11 -0000 1.182 > +++ ssh-add.c 8 Nov 2025 21:18:54 -0000 
> @@ -519,7 +519,7 @@ list_identities(int agent_fd, int do_fp) > fprintf(stderr, "error fetching identities: %s\n", > ssh_err(r)); > else > - printf("The agent has no identities.\n"); > + fprintf(stderr, "The agent has no identities.\n"); > return -1; > } > for (i = 0; i < idlist->nkeys; i++) { > Sorry I forgot to CC the list on my messages to the nice people in the replies. Here they are for the record. Sorry for the noise :) Quoth David Leadbeater : > On Sun, 9 Nov 2025 at 08:34, wrote: > [...] > > Other similar errors in the ssh-add.c log to stderr so it's safe to > > align this printf too. > > Many people rely on this being on stdout, I would not say this is safe. > > For example, just a sample of dotfiles and such that it's trivial to > search with GitHub: > https://github.com/search?q=%2Fgrep+%28%3F%3A-.+%29%3F.%3FThe.agent.has.no.ident%2F&type=code > (To save clicking, 437 matches, some do redirect stderr, but most don't.) sucks that github needs an account for search. alr logged in and yah wow that's a lot. sorry i didn't account for that. idk much about the openssh development process but it seems breaking functionality is not worth it in this case even if it'll make ssh-add more correct Quoth Damien Miller : > On Mon, 10 Nov 2025, David Leadbeater wrote: > > > On Sun, 9 Nov 2025 at 08:34, wrote: > > [...] > > > Other similar errors in the ssh-add.c log to stderr so it's safe to > > > align this printf too. > > > > Many people rely on this being on stdout, I would not say this is safe. > > > > For example, just a sample of dotfiles and such that it's trivial to > > search with GitHub: > > https://github.com/search?q=%2Fgrep+%28%3F%3A-.+%29%3F.%3FThe.agent.has.no.ident%2F&type=code > > (To save clicking, 437 matches, some do redirect stderr, but most don't.) > > Yeah, checking exit status is reliable too. 0 = identities found, > 1 = no identities, 2 = couldn't communicate with agent / other error. 
>
> -d
>

Yup, I just let it do the error reporting on my behalf and exit if it's
non-zero instead:

    keys=$(ssh-add -L) || { echo -n "$keys" 1>&2; exit 1; }

It's hacky but whatever works ig :b

-- 
noodle
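
Review bot: The changed `else` branch of list_identities() alters what callers see on stdout, so it is a compatibility change rather than a pure consistency fix: scripts that capture or grep stdout for "The agent has no identities." (the search cited in the thread found 437 matches) would stop matching. Both branches still reach `return -1`, so the exit status is unaffected; if the move to stderr is wanted, it should come with a note in ssh-add(1) and the release notes pointing scripts at the exit status rather than the message text, otherwise keep the printf().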
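
An added example, not part of the thread or of OpenSSH: a wrapper that classifies `ssh-add -L` by the exit statuses given in the reply above (0, 1, 2) and never lets the "no identities" text land in the captured key list, whichever stream ssh-add writes it to. The function name `agent_keys` and the `SSH_ADD` override are assumptions made for illustration.

```shell
#!/bin/sh
# SSH_ADD is a hypothetical override so the function can be pointed at a
# stub when no agent is running; by default it calls the real ssh-add.
: "${SSH_ADD:=ssh-add}"

# agent_keys: public keys on stdout, all diagnostics on stderr.
# Returns 0 = identities found, 1 = no identities, 2 = agent/other error.
agent_keys() {
	# Capture stdout only; anything ssh-add writes to stderr passes
	# straight through. The && / || form keeps this safe under `set -e`.
	_out=$("$SSH_ADD" -L) && _rc=0 || _rc=$?

	case $_rc in
	0)
		# Only in this case is the captured text a key list.
		printf '%s\n' "$_out"
		;;
	1)
		# "The agent has no identities." may be in $_out (printed on
		# stdout) or already on stderr. Forward whatever was captured
		# to stderr so callers never mistake it for a key.
		if [ -n "$_out" ]; then
			printf '%s\n' "$_out" >&2
		fi
		;;
	*)
		if [ -n "$_out" ]; then
			printf '%s\n' "$_out" >&2
		fi
		echo "agent_keys: cannot query agent (status $_rc)" >&2
		# Design choice of this example: fold every other failure
		# (e.g. 127, command not found) into 2.
		_rc=2
		;;
	esac
	return "$_rc"
}
```

A caller can then write `keys=$(agent_keys) || exit $?` and branch on the status instead of grepping for the message text.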