1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
|
#compdef ssh slogin=ssh scp ssh-add ssh-agent ssh-copy-id ssh-keygen ssh-keyscan sftp
# TODO: sshd, ssh-keysign
_ssh () {
local curcontext="$curcontext" state line expl suf arg ret=1
local args sigargs common common_transfer options algopt tmp p1 file cmn cmds sdesc tdesc
typeset -A opt_args tsizes
common=(
'(-6)-4[force ssh to use IPv4 addresses only]'
'(-4)-6[force ssh to use IPv6 addresses only]'
'-A[enable forwarding of the authentication agent connection]'
'-C[compress data]'
'-c+[select encryption cipher]:encryption cipher:->ciphers'
'-F+[specify alternate config file]:config file:_files'
'*-i+[select identity file]:SSH identity file:_files -g "*(-.^AR)"'
'*-o+[specify extra options]:option string:->option'
)
common_transfer=(
'(-O)-D+[connect directly to a local sftp server]:sftp server path:_command_names -e'
'-J+[connect via a jump host]: :->userhost'
'-l+[limit used bandwidth]:bandwidth (Kbit/s)'
'-P+[specify port on remote host]:port number on remote host'
'-p[preserve modification times, access times and modes]'
'-q[disable progress meter and warnings]'
'-r[recursively copy directories (follows symbolic links)]'
'-S+[specify ssh program]:path to ssh:_command_names -e'
'-v[verbose mode]'
'(-O)*-X+[specify sftp protocol option]: : _values "sftp option"
"nrequests[set max concurrent SFTP read or write requests]\:requests [64]"
"buffer[set max buffer size for a single SFTP read/write operation]\: \:_numbers -l 0 -m 256K -d 32K -u bytes -f size \:B\:bytes \:K\:kilobytes"'
)
algopt='-E+[specify hash algorithm for fingerprints]:algorithm:(md5 sha256)'
case "$service" in
ssh)
(( $+words[(r)-[^-]#t*] )) && tdesc=' even if there is no controlling tty'
_arguments -C -s \
'(-A)-a[disable forwarding of authentication agent connection]' \
'-B+[bind to specified interface before attempting to connect]:interface:_net_interfaces' \
'(-P)-b+[specify interface to transmit on]:bind address:_bind_addresses' \
'-D+[specify a dynamic port forwarding]:dynamic port forwarding:->dynforward' \
'-e+[set escape character]:escape character (or `none'\''):' \
'-E+[append log output to file instead of stderr]:_files' \
'(-n)-f[go to background]' \
'-g[allow remote hosts to connect to local forwarded ports]' \
'-G[output configuration and exit]' \
'-I+[specify smartcard device]:device:_files' \
'-J+[connect via a jump host]: :->userhost' \
'-K[enable GSSAPI-based authentication and forwarding]' \
'-k[disable forwarding of GSSAPI credentials]' \
'*-L+[specify local port forwarding]:local port forwarding:->forward' \
'-l+[specify login name]:login name:_ssh_users' \
'-M[master mode for connection sharing]' \
'-m+[specify mac algorithms]: :->macs' \
"-N[don't execute a remote command]" \
'-n[redirect stdin from /dev/null]' \
'-O+[control an active connection multiplexing master process]:multiplex control command:((check\:"check master process is running" exit\:"request the master to exit" forward\:"request forward without command execution" stop\:"request the master to stop accepting further multiplexing requests" cancel\:"cancel existing forwardings with -L and/or -R" proxy))' \
'-P[use non privileged port]' \
'-p+[specify port on remote host]:port number on remote host' \
'(-v)*-q[quiet operation]' \
'*-R+[specify remote port forwarding]:remote port forwarding:->forward' \
'-S+[specify location of control socket for connection sharing]:path to control socket:_files' \
'-Q+[query parameters]:query option:((cipher\:"supported symmetric ciphers" cipher-auth\:"supported symmetric ciphers that support authenticated encryption" compression mac\:"supported message integrity codes" kex\:"key exchange algorithms" kex-gss\:"GSSAPI key exchange algorithms" key\:"key types" key-cert\:"certificate key types" key-plain\:"non-certificate key types" key-sig\:"all key types and signature algorithms" protocol-version\:"supported SSH protocol versions" sig\:"supported signature algorithms" help\:"show supported queries" HostbasedAcceptedAlgorithms HostKeyAlgorithms KexAlgorithms MACs PubkeyAcceptedAlgorithms))' \
'-s[invoke subsystem]' \
'(-t)-T[disable pseudo-tty allocation]' \
"(-T)*-t[force pseudo-tty allocation${tdesc}]" \
'-V[show version number]' \
'(-q)*-v[verbose mode (multiple increase verbosity, up to 3)]' \
'-W+[forward standard input and output to host]:stdinout forward:->hostport' \
'-w+[request tunnel device forwarding]:local_tun[\:remote_tun] (integer or "any"):' \
'(-x -Y)-X[enable (untrusted) X11 forwarding]' \
'(-X -Y)-x[disable X11 forwarding]' \
'(-x -X)-Y[enable trusted X11 forwarding]' \
'-y[send log info via syslog instead of stderr]' \
':remote host name:->userhost' \
'*::args:->command' "$common[@]" && ret=0
;;
scp)
_arguments -C -s \
'-3[copy through local host, not directly between the remote hosts]' \
"-B[batch mode (don't ask for passwords or passphrases)]" \
'(-D -X)-O[use the original SCP protocol instead of the SFTP protocol]' \
'-T[disable strict filename checking]' \
'*:file:->file' "$common[@]" "$common_transfer[@]" && ret=0
;;
ssh-add)
if [[ $OSTYPE != darwin* || $APPLE_SSH_ADD_BEHAVIOR == openssh ]]; then
args=(
'-K[load resident keys from a FIDO authenticator]'
)
else
[[ ${APPLE_SSH_ADD_BEHAVIOR:-macos} == macos ]] && args=(
'-A[add identities from keychain]'
'-K[update keychain when adding/removing identities]'
)
fi
[[ $OSTYPE == darwin<20->.* ]] && args+=(
'--apple-load-keychain[add identities from keychain]'
'--apple-use-keychain[update keychain when adding/removing identities]'
)
_arguments -C -s : $args \
'-c[identity is subject to confirmation via SSH_ASKPASS]' \
'-D[delete all identities]' \
'-d[remove identity]' \
$algopt \
'-e+[remove keys provided by the PKCS#11 shared library]:library:_files -g "*.(so|dylib)(|.<->)(-.)"' \
'*-H[specify a known hosts file to look up hostkeys]:known hosts file:_files' \
'*-h[constrain keys to specific hosts or destinations]:destination:->destinations' \
'-k[load plain private keys only and skip certificates]' \
'-K[load resident keys from a FIDO authenticator]' \
'-L[list public key parameters of all identities in the agent]'\
'-l[list all identities]' \
'-m+[specify minimum remaining signatures before maximum is changed]:number' \
'-M+[specify maximum number of signatures]:number' \
'-S+[use specified library when adding FIDO authenticator-hosted keys]:library:_files' \
'-s+[add keys provided by the PKCS#11 shared library]:library:_files -g "*.(so|dylib)(|.<->)(-.)"' \
'-t+[set maximum lifetime for identity]: :_numbers -u seconds "maximum lifetime" \:s\:seconds m\:minutes h\:hours d\:days w\:weeks' \
"-T[test usability of identity files' private keys]:*:public key file:_files -g '*.pub(-.)'" \
'*-v[verbose mode]' \
'-q[be quiet after a successful operation]' \
'-X[unlock the agent]' \
'-x[lock the agent with a password]' \
'*:SSH identity file:_files' && ret=0
;;
ssh-agent)
_arguments -s \
'(-k)-a+[specify UNIX-domain socket to bind agent to]:UNIX-domain socket:_files' \
'(-k -s)-c[force csh-style shell]' \
'(-k)-d[debug mode]' \
'(-k)-D[foreground mode]' \
"(-k)$algopt" \
'-k[kill current agent]' \
'(-k)-P[specify PKCS#11 shared library whitelist]:PKCS#11 library whitelist pattern' \
'(-k -c)-s[force sh-style shell]' \
'-t+[set default maximum lifetime for identities]: :_numbers -u seconds "maximum lifetime" \:s\:seconds m\:minutes h\:hours d\:days w\:weeks' \
'-v[verbose mode]' \
'*::command: _normal -p $service'
return
;;
ssh-keygen)
# options can be in any order but use ! to limit those shown for the first argument
(( CURRENT == 2 )) && p1='!'
args=( '!-z:number' )
options=(
application
'challenge\:path\:_files'
device
no-touch-required
resident
user
verify-required
'write-attestation\:path\:_files'
)
sdesc='certify keys with CA key'
if (( $+words[(r)-[IhUDnV]*] )); then
args=( '-z[specify serial number]:serial number' )
options=(
clear critical\:name extension\:name force-command\:command\:_cmdstring
no-agent-forwarding no-port-forwarding no-pty no-user-rc no-x11-forwarding
permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc
permit-x11-forwarding source-address\:source\ address
)
fi
(( $+words[(r)-[ku]] )) && args=( '-z[specify version number]:version number' ) &&
sdesc='specify CA public key file'
file=key
(( $+words[(r)-[FHR]] )) && file=known_hosts
if (( $+words[(r)-M*] )); then
file=input
args+=( '*:output file:_files' )
options=(
lines:number
'start-line\:line number'
checkpoint\:file:_files
'memory\:size (mbytes)'
'start\:start point (hex-value)'
generator\:value
)
fi
(( $+words[(r)-A] )) && file='prefix for host key'
if (( $+words[(r)-[kIQ]] )); then
file=krl
args+=( '*:file:_files' )
fi
if (( arg = $words[(I)-Y*] )); then
[[ $words[arg] = -Y?* ]] || (( arg++ ))
case ${words[arg]#-Y} in
^find-*) sigargs+=( "$p1-n+[specify namespace]:namespace" ) ;|
check*|find*|verify)
sigargs+=( "$p1-s+[specify signature file]:signature file:_files" )
;|
match*|verify) sigargs+=( '-I+[specify signer identity]:identity' ) ;|
sign) sigargs+=( '*:file:_files' ) ;;
verify)
args=()
sigargs+=( '-r+[specify revocation file]:revocation file:_files' )
;;
esac
fi
cmds=( -p -i -e -y -c -l -B -D -F -H -K -R -r -M -s -L -A -k -Q -Y ) # basic commands
cmn=( -a -b -P -N -C -l -m -O -v -w -Z ) # options common to many basic commands (except -f which is common to most)
cms=( -E -q -t -g -M -I -h -n -V -u -U ) # options specific to one basic command
tsizes=(
dsa 1024
ecdsa '256 384 521' # values appear in key names as listed with ssh -Q key - 521 really is correct
rsa '1024 2048 4096'
)
_arguments -s $args \
"${p1}(${${(@)cmds:#-[pcKAO]}} ${${(@)cms:#-[t]}} -O)-a+[specify number of rounds]:rounds [16]" \
"(${${(@)cmds:#-M}} -P ${${(@)cms:#-[MS]}})-b+[specify number of bits in key]:bits in key [2048]:"'compadd ${expl\:/-X/-x} ${_comp_mesg\:=-} ${=tsizes[${opt_args[create--t]\:-rsa}]}' \
"$p1(${${(@)cmds:#-[pc]}} -b $cms)-P+[provide old passphrase]:old passphrase" \
"(${${(@)cmds:#-p}} -v ${${(@)cms:#-[qt]}})-N+[provide new passphrase]:new passphrase" \
"(${${(@)cmds:#-c}} -v $cms)-C+[provide new comment]:new comment" \
"(-D -I -h -n -V -A)-f+[$file file]:$file file:_files" \
"$p1(${${(@)cmds:#-[FE]}} ${${(@)cmn:#-v}} ${${(@)cms:#-E}})-l[show fingerprint of key file]" \
"$p1(${${(@)cmds:#-[iep]}} $cms)-m+[specify conversion format]:format [RFC4716]:(PEM PKCS8 RFC4716)" \
"$p1*-O+[specify a key/value option]: : _values 'option' $options" \
"(${${(@)cmds:#-[lGT]}} ${${(@)cmn:#-[bv]}} -f)*-v[verbose mode]" \
"$p1(${${(@)cmds:#-K}} -P ${${(@)cms:#-[qt]}})-w+[specify library used when creating FISO authenticator-hosted keys]:library:_files -g '*.(so|dylib)(|.<->)(-.)'" \
"$p1(${${(@)cmds:#-p}} -l ${${(@)cms:#-[qt]}})-Z+[specify encryption cipher to use when writing a private key file]:cipher:compadd - $(_call_program ciphers ssh -Q cipher)" \
- '(commands)' \
"(-b -l -C -O -v -w)-p[change passphrase of private key file]" \
"(${${(@)cmn:#-m}})-i[import key to OpenSSH format]" \
"(${${(@)cmn:#-m}})-e[export key to SECSH file format]" \
"($cmn)-y[get public key from private key]" \
"(${${(@)cmn:#-[aCP]}})-c[change comment in private and public key files]" \
"($cmn)-B[show the bubblebabble digest of key]" \
"(-)-D+[download key stored in smartcard reader]:reader" \
"(${${(@)cmn:#-[lv]}})-F+[search for host in known_hosts file]:host:_ssh_hosts" \
"($cmn)-H[hash names in known_hosts file]" \
"(${${(@)cmn:#-[aw]}} -f)-K[download resident keys from a FIDO authenticator]" \
"($cmn)-R+[remove host from known_hosts file]:host:_ssh_hosts" \
"(${${(@)cmn:#-O}})-M+[moduli generation]:action:((
generate\:generate\ candidates\ for\ DH-GEX\ moduli
screen\:screen\ candidates\ for\ DH-GEX\ moduli
))" \
"($cmn)-L[print the contents of a certificate]" \
"(${${(@)cmn:#-a}})-A[generate host keys for all key types]" \
"($cmn)-Q[test whether keys have been revoked in a KRL]" \
- finger \
"$p1($cmn)$algopt" \
- create \
'(-P -l)-q[silence ssh-keygen]' \
"(-P -l)-t+[specify the type of the key to create]:key type:(rsa dsa ecdsa ed25519 ecdsa-sk ed25519-sk)" \
- dns \
"($cmn)-r[print DNS resource record]:hostname:_hosts" \
"$p1($cmn)-g[use generic DNS format]" \
- certify \
"($cmn)-s[$sdesc]:CA key:_files" \
"$p1($cmn -f -k -u)-I+[specify key identifier to include in certificate]:key id" \
"$p1($cmn -f -k -u)-h[generate host certificate instead of a user certificate]" \
"$p1($cmn -f -k -u -D)-U[indicate that CA key is held by ssh-agent]" \
"$p1($cmn -f -k -u -U)-D+[indicate the CA key is stored in a PKCS#11 token]:PKCS11 shared library:_files -g '*.(so|dylib)(|.<->)(-.)'" \
"$p1($cmn -f -k -u)-n+[specify user/host principal names to include in certificate]:principals" \
"$p1($cmn -f -u)-V+[specify certificate validity interval]:interval" \
"($cmn -I -h -n -D -O -U -V)-k[generate a KRL file]" \
"$p1($cmn -I -h -n -D -O -U -V)-u[update a KRL]" \
- signature \
"(${${(@)cmn:#-O}})-Y+[signature action]:action:((
find-principals\:find\ the\ principal\ associated\ with\ the\ public\ key\ of\ a\ signature
sign\:sign\ a\ file\ using\ SSH\ key
verify\:verify\ a\ signature\ generated\ using\ the\ sign\ option
check-novalidate\:check\ signature\ structure
match-principals\:find\ matching\ principal
))" \
$sigargs
return
;;
ssh-keyscan)
_arguments \
'(-6)-4[force ssh to use IPv4 addresses only]' \
'(-4)-6[force ssh to use IPv6 addresses only]' \
'-c[request certificates from target hosts instead of plain keys]' \
'-D[print keys found as SSHFP DNS records]' \
'*-f+[read hosts from file, one per line]:file:_files' \
'-H[hash all hostnames and addresses in the output]' \
'-O+[specify a key/value option]: : _values option
"hashalg[select a hash algorithm to use with -D]\:algorithm [both]\:(sha1 sha256)"' \
'-p+[specify port on remote host]:port number on remote host' \
'-T+[specify timeout]: :_numbers -u seconds -d 5 timeout \:s\:seconds m\:minutes h\:hours d\:days w\:weeks' \
'-t+[specify key types to fetch from scanned hosts]:key type:_sequence compadd - rsa dsa ecdsa ed25519' \
'-v[verbose mode]'
return
;;
sftp)
_arguments -C -s \
'-a[attempt to continue interrupted transfers]' \
'-B+[specify buffer size]:buffer size (bytes) [32768]' \
'-b+[specify batch file to read]:batch file:_files' \
'-f[request that files be flushed immediately after transfer]' \
'-N[disable implicit quiet mode set by -b]' \
'-R+[specify number of outstanding requests]:number of requests [64]' \
'-s+[specify SSH2 subsystem or path to sftp server on the remote host]:subsystem/path' \
'1:file:->rfile' '*:file:->file' "$common[@]" "$common_transfer[@]" && ret=0
;;
ssh-copy-id)
_arguments \
'-i+[select identity file]:SSH identity file:_files -g "*(-.^AR)"' \
'-f[copy keys without trying to check if they are already installed]' \
'-n[dry run - no keys are actually copied]' \
'*-o+[specify ssh options]:option string:->option' \
'-p+[specify port on remote host]:port number on remote host' \
'(- 1)'{-h,-\?}'[display usage information]' \
':remote host name:->userhost' && ret=0
;;
esac
while [[ -n "$state" ]]; do
lstate="$state"
state=''
case "$lstate" in
option)
if compset -P 1 '*='; then
case "${IPREFIX#-o}" in
(#i)(ciphers|macs|kexalgorithms|hostkeyalgorithms|pubkeyacceptedalgorithms)=)
local sep
zstyle -s ":completion:${curcontext}:" list-separator sep || sep=--
if ! compset -P '[+-^]'; then
_wanted prefix expl 'relative to default' compadd -S '' -d \
"(
+\ $sep\ append\ to\ default\ list
-\ $sep\ remove\ from\ default\ list
^\ $sep\ insert\ at\ head\ of\ default\ list
)" - + - \^ && ret=0
fi
;;
esac
case "${IPREFIX#-o}" in
(#i)(batchmode|canonicalizefallbacklocal|checkhostip|clearallforwardings|compression|enableescapecommandline|enablesshkeysign|exitonforwardfailure|fallbacktorsh|forkafterauthentication|forward(agent|x11)|forwardx11trusted|gatewayports|gssapiauthentication|gssapidelegatecredentials|gssapikeyexchange|gssapirenewalforcesrekey|gssapitrustdns|hashknownhosts|hostbasedauthentication|identitiesonly|kbdinteractiveauthentication|tcpkeepalive|nohostauthenticationforlocalhost|passwordauthentication|permitlocalcommand|permitremoteopen|proxyusefdpass|stdinnull|streamlocalbindunlink|visualhostkey)=*)
_wanted values expl 'truth value' compadd yes no && ret=0
;;
(#i)addkeystoagent=*)
_alternative \
'timeouts: :_numbers -u seconds "time interval" :s:seconds m:minutes h:hours d:days w:weeks' \
'values:value:(yes no ask confirm)' && ret=0
;;
(#i)addressfamily=*)
_wanted values expl 'address family' compadd any inet inet6 && ret=0
;;
(#i)bindaddress=*)
_wanted bind-addresses expl 'bind address' _bind_addresses && ret=0
;;
(#i)bindinterface=*)
_wanted bind-interfaces expl 'bind interface' _network_interfaces && ret=0
;;
(#i)canonicaldomains=*)
_message -e 'canonical domains (space separated)' && ret=0
;;
(#i)canonicalizehostname=*)
_wanted values expl 'truthish value' compadd yes no always && ret=0
;;
(#i)canonicalizemaxdots=*)
_message -e 'number of dots' && ret=0
;;
(#i)canonicalizepermittedcnames=*)
_message -e 'CNAME rule list (source_domain_list:target_domain_list, each pattern list comma separated)' && ret=0
;;
(#i)ciphers=*)
state=ciphers
;;
(#i)certificatefile=*)
_description files expl 'file'
_files "$expl[@]" && ret=0
;;
(#i)connectionattempts=*)
_message -e 'connection attempts' && ret=0
;;
(#i)connecttimeout=*)
_numbers -u seconds timeout :s:seconds m:minutes h:hours d:days w:weeks && ret=0
;;
(#i)controlmaster=*)
_wanted values expl 'truthish value' compadd yes no auto ask autoask && ret=0
;;
(#i)controlpath=*)
_description files expl 'path to control socket'
_files "$expl[@]" && ret=0
;;
(#i)controlpersist=*)
_alternative \
'timeouts: :_numbers -u seconds timeout :s:seconds m:minutes h:hours d:days w:weeks' \
'values:truth value:(yes no)' && ret=0
;;
(#i)escapechar=*)
_message -e 'escape character (or `none'\'')'
ret=0
;;
(#i)fingerprinthash=*)
_values 'fingerprint hash algorithm' \
md5 ripemd160 sha1 sha256 sha384 sha512 && ret=0
;;
(#i)forwardx11timeout=*)
_message -e 'timeout'
ret=0
;;
(#i)globalknownhostsfile=*)
_description files expl 'global file with known hosts'
_files "$expl[@]" && ret=0
;;
(#i)hostname=*)
_wanted hosts expl 'real host name to log into' _ssh_hosts && ret=0
;;
(#i)identityagent=*)
_description files expl 'socket file'
_files -g "*(-=)" "$expl[@]" && ret=0
;;
(#i)identityfile=*)
_description files expl 'SSH identity file'
_files "$expl[@]" && ret=0
;;
(#i)ignoreunknown=*)
_message -e 'pattern list' && ret=0
;;
(#i)ipqos=*)
local descr
if [[ $PREFIX = *\ *\ * ]]; then return 1; fi
if compset -P '* '; then
descr='QoS for non-interactive sessions'
else
descr='QoS [for interactive sessions if second value given, separated by white space]'
fi
_values $descr 'af11' 'af12' 'af13' 'af14' 'af22' \
'af23' 'af31' 'af32' 'af33' 'af41' 'af42' 'af43' \
'cs0' 'cs1' 'cs2' 'cs3' 'cs4' 'cs5' 'cs6' 'cs7' 'ef' \
'lowdelay' 'throughput' 'reliability' && ret=0
;;
(#i)(local|remote)forward=*)
state=forward
;;
(#i)dynamicforward=*)
state=dynforward
;;
(#i)kbdinteractivedevices=*)
_values -s , 'keyboard-interactive authentication method' \
'bsdauth' 'pam' 'skey' && ret=0
;;
(#i)kexalgorithms=*)
_wanted algorithms expl 'key exchange algorithm' _sequence compadd - \
$(_call_program algorithms ssh -Q kex) && ret=0
;;
(#i)gssapikexalgorithms=*)
_wanted algorithms expl 'key exchange algorithm' _sequence compadd - \
$(_call_program algorithms ssh -Q kex-gss) && ret=0
;;
(#i)(local|knownhosts)command=*)
_command_names -e && ret=0
;;
(#i)loglevel=*)
_values 'log level' QUIET FATAL ERROR INFO VERBOSE\
DEBUG DEBUG1 DEBUG2 DEBUG3 && ret=0
;;
(#i)macs=*)
state=macs
;;
(#i)numberofpasswordprompts=*)
_message -e 'number of password prompts'
ret=0
;;
(#i)(pkcs11|securitykey)provider=*)
_description files expl 'shared library'
_files -g '*.(so|dylib)(|.<->)(-.)' "$expl[@]" && ret=0
;;
(#i)port=*)
_message -e 'port number on remote host'
ret=0
;;
(#i)preferredauthentications=*)
_values -s , 'authentication method' gssapi-with-mic \
hostbased publickey keyboard-interactive password && ret=0
;;
(#i)proxyjump=*)
compset -P "* "
state=userhost
;;
(#i)(hostkey|(hostbased|pubkey)accepted)algorithms=*)
_wanted key-types expl 'key type' _sequence compadd - \
$(_call_program key-types ssh -Q key-sig) && ret=0
;;
(#i)pubkeyauthentication=*)
_wanted values expl 'enable' compadd yes no unbound host-bound && ret=0
;;
(#i)protocol=*)
_values -s , 'protocol version' \
'1' \
'2' && ret=0
;;
(#i)(proxy|remote)command=*)
_cmdstring && ret=0
;;
(#i)rekeylimit=*)
if compset -P "* "; then
_numbers -u seconds "maximum time before renegotiating session key" \
:s:seconds h:hours d:days w:weeks
else
_numbers -u bytes "maximum amount of data transmitted before renegotiating session key" \
K:kilobytes M:megabytes G:gigabytes
fi
ret=0
;;
(#i)requesttty=*)
_values 'request a pseudo-tty' \
'no[never request a TTY]' \
'yes[always request a TTY when stdin is a TTY]' \
'force[always request a TTY]' \
'auto[request a TTY when opening a login session]' && ret=0
;;
(#i)requiredrsasize=)
_wanted sizes expl 'minimum size [1024]' compadd 1024 2048 4096 && ret=0
;;
(#i)revokedhostkeys=*)
_description files expl 'revoked host keys file'
_files "$expl[@]" && ret=0
;;
(#i)sendenv=*)
_wanted envs expl 'environment variable' _parameters -g 'scalar*export*' && ret=0
;;
(#i)serveralivecountmax=*)
_message -e 'number of alive messages without replies before disconnecting'
ret=0
;;
(#i)serveraliveinterval=*)
_message -e 'timeout in seconds since last data was received to send alive message'
ret=0
;;
(#i)streamlocalbindmask=*)
_message -e 'octal mask' && ret=0
;;
(#i)sessiontype=*)
_wanted session-types expl "session type" compadd none subsystem default && ret=0
;;
(#i)stricthostkeychecking=*)
_wanted values expl 'value' compadd yes no ask accept-new off && ret=0
;;
(#i)syslogfacility=*)
_wanted facilities expl 'facility' compadd -M 'm:{a-z}={A-Z}' DAEMON USER AUTH LOCAL{0,1,2,3,4,5,6,7} && ret=0
;;
(#i)(verifyhostkeydns|updatehostkeys)=*)
_wanted values expl 'truthish value' compadd yes no ask && ret=0
;;
(#i)transport=*)
_values 'transport protocol' TCP SCTP && ret=0
;;
(#i)tunnel=*)
_values 'request device forwarding' \
'yes' \
'point-to-point' \
'ethernet' \
'no' && ret=0
;;
(#i)tunneldevice=*)
_message -e 'local_tun[:remote_tun] (integer or "any")'
ret=0
;;
(#i)userknownhostsfile=*)
_description files expl 'user file with known hosts'
_files "$expl[@]" && ret=0
;;
(#i)user=*)
_wanted users expl 'user to log in as' _ssh_users && ret=0
;;
(#i)xauthlocation=*)
_description files expl 'xauth program'
_files "$expl[@]" -g '*(-*)' && ret=0
;;
*) _message -e values value ;;
esac
else
# Include, Host and Match not supported from the command-line
# final GSSAPI options are not in upstream but are widely patched in
_wanted values expl 'configure file option' \
compadd -M 'm:{a-z}={A-Z} r:[^A-Z]||[A-Z]=* r:|=*' -q -S '=' - \
AddKeysToAgent \
AddressFamily \
BatchMode \
BindAddress \
BindInterface \
CanonicalDomains \
CanonicalizeFallbackLocal \
CanonicalizeHostname \
CanonicalizeMaxDots \
CanonicalizePermittedCNAMEs \
CASignatureAlgorithms \
CertificateFile \
CheckHostIP \
Ciphers \
ClearAllForwardings \
Compression \
ConnectionAttempts \
ConnectTimeout \
ControlMaster \
ControlPath \
ControlPersist \
DynamicForward \
EnableEscapeCommandline \
EnableSSHKeysign \
EscapeChar \
ExitOnForwardFailure \
FingerprintHash \
ForkAfterAuthentication \
ForwardAgent \
ForwardX11 \
ForwardX11Timeout \
ForwardX11Trusted \
GatewayPorts \
GlobalKnownHostsFile \
GSSAPIAuthentication \
GSSAPIDelegateCredentials \
HashKnownHosts \
HostbasedAcceptedAlgorithms \
HostbasedAuthentication \
HostKeyAlgorithms \
HostKeyAlias \
Hostname \
IdentitiesOnly \
IdentityAgent \
IdentityFile \
IgnoreUnknown \
IPQoS \
KbdInteractiveAuthentication \
KbdInteractiveDevices \
KexAlgorithms \
KnownHostsCommand \
LocalCommand \
LocalForward \
LogLevel \
LogVerbose \
MACs \
NoHostAuthenticationForLocalhost \
NumberOfPasswordPrompts \
PasswordAuthentication \
PermitLocalCommand \
PermitRemoteOpen \
PKCS11Provider \
Port \
PreferredAuthentications \
ProxyCommand \
ProxyJump \
ProxyUseFdpass \
PubkeyAuthentication \
PubkeyAcceptedAlgorithms \
RekeyLimit \
RemoteCommand \
RemoteForward \
RequestTTY \
RequiredRSASize \
RevokedHostKeys \
SecurityKeyProvider \
SendEnv \
ServerAliveCountMax \
ServerAliveInterval \
SetEnv \
SessionType \
StdinNull \
StreamLocalBindMask \
StreamLocalBindUnlink \
StrictHostKeyChecking \
SyslogFacility \
TCPKeepAlive \
Tunnel \
TunnelDevice \
UpdateHostKeys \
User \
UserKnownHostsFile \
VerifyHostKeyDNS \
VisualHostKey \
XAuthLocation \
GSSAPIClientIdentity \
GSSAPIKeyExchange \
GSSAPIRenewalForcesRekey \
GSSAPIServerIdentity \
GSSAPITrustDns \
GSSAPIKexAlgorithms \
&& ret=0
fi
;;
forward)
local port=false host=false listen=false bind=false
if compset -P 1 '*:'; then
if [[ $IPREFIX != (*=|)<-65535>: ]]; then
if compset -P 1 '*:'; then
if compset -P '*:'; then
port=true
else
host=true
fi
else
listen=true
ret=0
fi
else
if compset -P '*:'; then
port=true
else
host=true
fi
fi
else
listen=true
bind=true
fi
$port && { _message -e port-numbers 'port number'; ret=0 }
$listen && { _message -e port-numbers 'listen-port number'; ret=0 }
$host && { _wanted hosts expl host _ssh_hosts -S: && ret=0 }
$bind && { _wanted bind-addresses expl bind-address _bind_addresses -S: && ret=0 }
return ret
;;
dynforward)
_message -e port-numbers 'listen-port number'
if ! compset -P '*:'; then
_wanted bind-addresses expl bind-address _bind_addresses -qS:
fi
return 0
;;
hostport)
if compset -P '*:'; then
_message -e port-numbers 'port number'
ret=0
else
_wanted hosts expl host _ssh_hosts -S: && ret=0
fi
return ret
;;
macs)
_wanted macs expl 'MAC algorithm' _sequence compadd - $(_call_program macs ssh -Q mac)
return
;;
ciphers)
_wanted ciphers expl 'encryption cipher' _sequence compadd - $(_call_program ciphers ssh -Q cipher)
return
;;
command)
if (( $+opt_args[-s] )); then
_wanted subsystems expl subsystem compadd sftp
return
fi
local -a _comp_priv_prefix
shift 1 words
(( CURRENT-- ))
_normal -p $service
return
;;
destinations)
compset -P 1 '*>'
compset -S '>*'
;& # fall-through
userhost)
if compset -P '*@'; then
_wanted hosts expl 'remote host name' _ssh_hosts && ret=0
elif compset -S '@*'; then
_wanted users expl 'login name' _ssh_users -S '' && ret=0
else
if (( $+opt_args[-l] )); then
tmp=()
else
tmp=( 'users:login name:_ssh_users -qS@' )
fi
_alternative \
'hosts:remote host name:_ssh_hosts' \
"$tmp[@]" && ret=0
fi
;;
file)
if compset -P 1 '[^./][^/]#:'; then
_remote_files -- ssh ${(kv)~opt_args[(I)-[FP1246]]/-P/-p} && ret=0
elif compset -P 1 '*@'; then
suf=( -S '' )
compset -S ':*' || suf=( -r: -S: )
_wanted hosts expl 'remote host name' _ssh_hosts $suf && ret=0
else
_alternative \
'files:: _files' \
'hosts:remote host name:_ssh_hosts -r: -S:' \
'users:user:_ssh_users -qS@' && ret=0
fi
;;
rfile)
if compset -P 1 '*:'; then
_remote_files -- ssh && ret=0
elif compset -P 1 '*@'; then
_wanted hosts expl host _ssh_hosts -r: -S: && ret=0
else
_alternative \
'hosts:remote host name:_ssh_hosts -r: -S:' \
'users:user:_ssh_users -qS@' && ret=0
fi
;;
esac
done
return ret
}
_ssh_users () {
_combination -s '[:@]' my-accounts users-hosts users "$@"
}
_ssh "$@"
|