diff --git a/ChangeLog b/ChangeLog
index ff1cf8c79..51c38fd5f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,12 @@
    - stevesk@cvs.openbsd.org 2001/04/09 00:42:05
      [sftp.1]
      spelling
+   - markus@cvs.openbsd.org 2001/04/09 15:12:23
+     [ssh-add.c]
+     passphrase caching: ssh-add tries last passphrase, clears passphrase if
+     not successful and after last try.
+     based on discussions with espie@, jakob@, ... and code from jakob@ and
+     wolfgang@wsrcc.com
 
 20010409
  - (stevesk) use setresgid() for setegid() if needed
@@ -4978,4 +4984,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1090 2001/04/10 02:43:57 mouring Exp $
+$Id: ChangeLog,v 1.1091 2001/04/10 02:45:32 mouring Exp $
diff --git a/ssh-add.c b/ssh-add.c
index eaa773816..f887455bf 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.32 2001/04/08 13:03:00 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.33 2001/04/09 15:12:23 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -55,6 +55,18 @@ extern char *__progname;
 char *__progname;
 #endif
 
+/* we keep a cache of one passphrases */
+static char *pass = NULL;
+void
+clear_pass(void)
+{
+	if (pass) {
+		memset(pass, 0, strlen(pass));
+		xfree(pass);
+		pass = NULL;
+	}
+}
+
 void
 delete_file(AuthenticationConnection *ac, const char *filename)
 {
@@ -136,7 +148,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
 {
 	struct stat st;
 	Key *private;
-	char *comment = NULL, *askpass = NULL, *pass;
+	char *comment = NULL, *askpass = NULL;
 	char buf[1024], msg[1024];
 	int interactive = isatty(STDIN_FILENO);
 
@@ -155,7 +167,12 @@ add_file(AuthenticationConnection *ac, const char *filename)
 	private = key_load_private(filename, "", &comment);
 	if (comment == NULL)
 		comment = xstrdup(filename);
+	/* try last */
+	if (private == NULL && pass != NULL)
+		private = key_load_private(filename, pass, NULL);
 	if (private == NULL) {
+		/* clear passphrase since it did not work */
+		clear_pass();
 		printf("Need passphrase for %.200s\n", filename);
 		if (!interactive && askpass == NULL) {
 			xfree(comment);
@@ -175,10 +192,9 @@ add_file(AuthenticationConnection *ac, const char *filename)
 				return;
 			}
 			private = key_load_private(filename, pass, &comment);
-			memset(pass, 0, strlen(pass));
-			xfree(pass);
 			if (private != NULL)
 				break;
+			clear_pass();
 			strlcpy(msg, "Bad passphrase, try again", sizeof msg);
 		}
 	}
@@ -280,6 +296,7 @@ main(int argc, char **argv)
 		else
 			add_file(ac, buf);
 	}
+	clear_pass();
 	ssh_close_authentication_connection(ac);
 	exit(0);
 }