#compdef ssh slogin=ssh scp ssh-add ssh-agent ssh-copy-id ssh-keygen ssh-keyscan sftp
# TODO: sshd, ssh-keysign
_ssh () {
local curcontext="$curcontext" state line expl suf arg ret=1
local args sigargs common common_transfer options algopt tmp p1 file cmn cmds sdesc tdesc
typeset -A opt_args tsizes
common=(
'(-6)-4[force ssh to use IPv4 addresses only]'
'(-4)-6[force ssh to use IPv6 addresses only]'
'-A[enable forwarding of the authentication agent connection]'
'-C[compress data]'
'-c+[select encryption cipher]:encryption cipher:->ciphers'
'-F+[specify alternate config file]:config file:_files'
'*-i+[select identity file]:SSH identity file:_files -g "*(-.^AR)"'
'*-o+[specify extra options]:option string:->option'
)
common_transfer=(
'(-O)-D+[connect directly to a local sftp server]:sftp server path:_command_names -e'
'-J+[connect via a jump host]: :->userhost'
'-l+[limit used bandwidth]:bandwidth (Kbit/s)'
'-P+[specify port on remote host]:port number on remote host'
'-p[preserve modification times, access times and modes]'
'-q[disable progress meter and warnings]'
'-r[recursively copy directories (follows symbolic links)]'
'-S+[specify ssh program]:path to ssh:_command_names -e'
'-v[verbose mode]'
'(-O)*-X+[specify sftp protocol option]: : _values "sftp option"
"nrequests[set max concurrent SFTP read or write requests]\:requests [64]"
"buffer[set max buffer size for a single SFTP read/write operation]\: \:_numbers -l 0 -m 256K -d 32K -u bytes -f size \:B\:bytes \:K\:kilobytes"'
)
algopt='-E+[specify hash algorithm for fingerprints]:algorithm:(md5 sha256)'
case "$service" in
ssh)
(( $+words[(r)-[^-]#t*] )) && tdesc=' even if there is no controlling tty'
_arguments -C -s \
'(-A)-a[disable forwarding of authentication agent connection]' \
'-B+[bind to specified interface before attempting to connect]:interface:_net_interfaces' \
'(-P)-b+[specify interface to transmit on]:bind address:_bind_addresses' \
'-D+[specify a dynamic port forwarding]:dynamic port forwarding:->dynforward' \
'-e+[set escape character]:escape character (or `none'\''):' \
'-E+[append log output to file instead of stderr]:_files' \
'(-n)-f[go to background]' \
'-g[allow remote hosts to connect to local forwarded ports]' \
'-G[output configuration and exit]' \
'-I+[specify smartcard device]:device:_files' \
'-J+[connect via a jump host]: :->userhost' \
'-K[enable GSSAPI-based authentication and forwarding]' \
'-k[disable forwarding of GSSAPI credentials]' \
'*-L+[specify local port forwarding]:local port forwarding:->forward' \
'-l+[specify login name]:login name:_ssh_users' \
'-M[master mode for connection sharing]' \
'-m+[specify mac algorithms]: :->macs' \
"-N[don't execute a remote command]" \
'-n[redirect stdin from /dev/null]' \
'-O+[control an active connection multiplexing master process]:multiplex control command:((check\:"check master process is running" exit\:"request the master to exit" forward\:"request forward without command execution" stop\:"request the master to stop accepting further multiplexing requests" cancel\:"cancel existing forwardings with -L and/or -R" proxy))' \
'-P+[specify a tag name that may be used to select configuration]:tag' \
'-p+[specify port on remote host]:port number on remote host' \
'(-v)*-q[quiet operation]' \
'*-R+[specify remote port forwarding]:remote port forwarding:->forward' \
'-S+[specify location of control socket for connection sharing]:path to control socket:_files' \
'-Q+[query parameters]:query option:((cipher\:"supported symmetric ciphers" cipher-auth\:"supported symmetric ciphers that support authenticated encryption" compression mac\:"supported message integrity codes" kex\:"key exchange algorithms" kex-gss\:"GSSAPI key exchange algorithms" key\:"key types" key-cert\:"certificate key types" key-plain\:"non-certificate key types" key-sig\:"all key types and signature algorithms" protocol-version\:"supported SSH protocol versions" sig\:"supported signature algorithms" help\:"show supported queries" HostbasedAcceptedAlgorithms HostKeyAlgorithms KexAlgorithms MACs PubkeyAcceptedAlgorithms))' \
'-s[invoke subsystem]' \
'(-t)-T[disable pseudo-tty allocation]' \
"(-T)*-t[force pseudo-tty allocation${tdesc}]" \
'-V[show version number]' \
'(-q)*-v[verbose mode (multiple increase verbosity, up to 3)]' \
'-W+[forward standard input and output to host]:stdinout forward:->hostport' \
'-w+[request tunnel device forwarding]:local_tun[\:remote_tun] (integer or "any"):' \
'(-x -Y)-X[enable (untrusted) X11 forwarding]' \
'(-X -Y)-x[disable X11 forwarding]' \
'(-x -X)-Y[enable trusted X11 forwarding]' \
'-y[send log info via syslog instead of stderr]' \
':remote host name:->userhost' \
'*::args:->command' "$common[@]" && ret=0
;;
scp)
_arguments -C -s \
'-3[copy through local host, not directly between the remote hosts]' \
"-B[batch mode (don't ask for passwords or passphrases)]" \
'(-D -X)-O[use the original SCP protocol instead of the SFTP protocol]' \
'-T[disable strict filename checking]' \
'*:file:->file' "$common[@]" "$common_transfer[@]" && ret=0
;;
ssh-add)
if [[ $OSTYPE != darwin* || $APPLE_SSH_ADD_BEHAVIOR == openssh ]]; then
args=(
'-K[load resident keys from a FIDO authenticator]'
)
else
[[ ${APPLE_SSH_ADD_BEHAVIOR:-macos} == macos ]] && args=(
'-A[add identities from keychain]'
'-K[update keychain when adding/removing identities]'
)
fi
[[ $OSTYPE == darwin<20->.* ]] && args+=(
'--apple-load-keychain[add identities from keychain]'
'--apple-use-keychain[update keychain when adding/removing identities]'
)
_arguments -C -s : $args \
'-c[identity is subject to confirmation via SSH_ASKPASS]' \
'-D[delete all identities]' \
'-d[remove identity]' \
$algopt \
'-e+[remove keys provided by the PKCS#11 shared library]:library:_files -g "*.(so|dylib)(|.<->)(-.)"' \
'*-H[specify a known hosts file to look up hostkeys]:known hosts file:_files' \
'*-h[constrain keys to specific hosts or destinations]:destination:->destinations' \
'-k[load plain private keys only and skip certificates]' \
'-K[load resident keys from a FIDO authenticator]' \
'-L[list public key parameters of all identities in the agent]'\
'-l[list all identities]' \
'-m+[specify minimum remaining signatures before maximum is changed]:number' \
'-M+[specify maximum number of signatures]:number' \
'-S+[use specified library when adding FIDO authenticator-hosted keys]:library:_files' \
'-s+[add keys provided by the PKCS#11 shared library]:library:_files -g "*.(so|dylib)(|.<->)(-.)"' \
'-t+[set maximum lifetime for identity]: :_numbers -u seconds "maximum lifetime" \:s\:seconds m\:minutes h\:hours d\:days w\:weeks' \
"-T[test usability of identity files' private keys]:*:public key file:_files -g '*.pub(-.)'" \
'*-v[verbose mode]' \
'-q[be quiet after a successful operation]' \
'-X[unlock the agent]' \
'-x[lock the agent with a password]' \
'*:SSH identity file:_files' && ret=0
;;
ssh-agent)
_arguments -s \
'(-k)-a+[specify UNIX-domain socket to bind agent to]:UNIX-domain socket:_files' \
'(-k -s)-c[force csh-style shell]' \
'(-k)-d[debug mode]' \
'(-k)-D[foreground mode]' \
"(-k)$algopt" \
'-k[kill current agent]' \
'(-k)-P[specify PKCS#11 shared library whitelist]:PKCS#11 library whitelist pattern' \
'(-k -c)-s[force sh-style shell]' \
'-t+[set default maximum lifetime for identities]: :_numbers -u seconds "maximum lifetime" \:s\:seconds m\:minutes h\:hours d\:days w\:weeks' \
'-v[verbose mode]' \
'*::command: _normal -p $service'
return
;;
ssh-keygen)
# options can be in any order but use ! to limit those shown for the first argument
(( CURRENT == 2 )) && p1='!'
args=( '!-z:number' )
options=(
application
'challenge\:path\:_files'
device
no-touch-required
resident
user
verify-required
'write-attestation\:path\:_files'
)
sdesc='certify keys with CA key'
if (( $+words[(r)-[IhUDnV]*] )); then
args=( '-z[specify serial number]:serial number' )
options=(
clear critical\:name extension\:name force-command\:command\:_cmdstring
no-agent-forwarding no-port-forwarding no-pty no-user-rc no-x11-forwarding
permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc
permit-x11-forwarding source-address\:source\ address
)
fi
(( $+words[(r)-[ku]] )) && args=( '-z[specify version number]:version number' ) &&
sdesc='specify CA public key file'
file=key
(( $+words[(r)-[FHR]] )) && file=known_hosts
if (( $+words[(r)-M*] )); then
file=input
args+=( '*:output file:_files' )
options=(
lines:number
'start-line\:line number'
checkpoint\:file:_files
'memory\:size (mbytes)'
'start\:start point (hex-value)'
generator\:value
)
fi
(( $+words[(r)-A] )) && file='prefix for host key'
if (( $+words[(r)-[kIQ]] )); then
file=krl
args+=( '*:file:_files' )
fi
if (( arg = $words[(I)-Y*] )); then
[[ $words[arg] = -Y?* ]] || (( arg++ ))
case ${words[arg]#-Y} in
^find-*) sigargs+=( "$p1-n+[specify namespace]:namespace" ) ;|
check*|find*|verify)
sigargs+=( "$p1-s+[specify signature file]:signature file:_files" )
;|
match*|verify) sigargs+=( '-I+[specify signer identity]:identity' ) ;|
sign) sigargs+=( '*:file:_files' ) ;;
verify)
args=()
sigargs+=( '-r+[specify revocation file]:revocation file:_files' )
;;
esac
fi
cmds=( -p -i -e -y -c -l -B -D -F -H -K -R -r -M -s -L -A -k -Q -Y ) # basic commands
cmn=( -a -b -P -N -C -l -m -O -v -w -Z ) # options common to many basic commands (except -f which is common to most)
cms=( -E -q -t -g -M -I -h -n -V -u -U ) # options specific to one basic command
tsizes=(
dsa 1024
ecdsa '256 384 521' # values appear in key names as listed with ssh -Q key - 521 really is correct
rsa '1024 2048 4096'
)
_arguments -s $args \
"${p1}(${${(@)cmds:#-[pcKAO]}} ${${(@)cms:#-[t]}} -O)-a+[specify number of rounds]:rounds [16]" \
"(${${(@)cmds:#-M}} -P ${${(@)cms:#-[MS]}})-b+[specify number of bits in key]:bits in key [2048]:"'compadd ${expl\:/-X/-x} ${_comp_mesg\:=-} ${=tsizes[${opt_args[create--t]\:-rsa}]}' \
"$p1(${${(@)cmds:#-[pc]}} -b $cms)-P+[provide old passphrase]:old passphrase" \
"(${${(@)cmds:#-p}} -v ${${(@)cms:#-[qt]}})-N+[provide new passphrase]:new passphrase" \
"(${${(@)cmds:#-c}} -v $cms)-C+[provide new comment]:new comment" \
"(-D -I -h -n -V -A)-f+[$file file]:$file file:_files" \
"$p1(${${(@)cmds:#-[FE]}} ${${(@)cmn:#-v}} ${${(@)cms:#-E}})-l[show fingerprint of key file]" \
"$p1(${${(@)cmds:#-[iep]}} $cms)-m+[specify conversion format]:format [RFC4716]:(PEM PKCS8 RFC4716)" \
"$p1*-O+[specify a key/value option]: : _values 'option' $options" \
"(${${(@)cmds:#-[lGT]}} ${${(@)cmn:#-[bv]}} -f)*-v[verbose mode]" \
"$p1(${${(@)cmds:#-K}} -P ${${(@)cms:#-[qt]}})-w+[specify library used when creating FISO authenticator-hosted keys]:library:_files -g '*.(so|dylib)(|.<->)(-.)'" \
"$p1(${${(@)cmds:#-p}} -l ${${(@)cms:#-[qt]}})-Z+[specify encryption cipher to use when writing a private key file]:cipher:compadd - $(_call_program ciphers ssh -Q cipher)" \
- '(commands)' \
"(-b -l -C -O -v -w)-p[change passphrase of private key file]" \
"(${${(@)cmn:#-m}})-i[import key to OpenSSH format]" \
"(${${(@)cmn:#-m}})-e[export key to SECSH file format]" \
"($cmn)-y[get public key from private key]" \
"(${${(@)cmn:#-[aCP]}})-c[change comment in private and public key files]" \
"($cmn)-B[show the bubblebabble digest of key]" \
"(-)-D+[download key stored in smartcard reader]:reader" \
"(${${(@)cmn:#-[lv]}})-F+[search for host in known_hosts file]:host:_ssh_hosts" \
"($cmn)-H[hash names in known_hosts file]" \
"(${${(@)cmn:#-[aw]}} -f)-K[download resident keys from a FIDO authenticator]" \
"($cmn)-R+[remove host from known_hosts file]:host:_ssh_hosts" \
"(${${(@)cmn:#-O}})-M+[moduli generation]:action:((
generate\:generate\ candidates\ for\ DH-GEX\ moduli
screen\:screen\ candidates\ for\ DH-GEX\ moduli
))" \
"($cmn)-L[print the contents of a certificate]" \
"(${${(@)cmn:#-a}})-A[generate host keys for all key types]" \
"($cmn)-Q[test whether keys have been revoked in a KRL]" \
- finger \
"$p1($cmn)$algopt" \
- create \
'(-P -l)-q[silence ssh-keygen]' \
"(-P -l)-t+[specify the type of the key to create]:key type:(rsa dsa ecdsa ed25519 ecdsa-sk ed25519-sk)" \
- dns \
"($cmn)-r[print DNS resource record]:hostname:_hosts" \
"$p1($cmn)-g[use generic DNS format]" \
- certify \
"($cmn)-s[$sdesc]:CA key:_files" \
"$p1($cmn -f -k -u)-I+[specify key identifier to include in certificate]:key id" \
"$p1($cmn -f -k -u)-h[generate host certificate instead of a user certificate]" \
"$p1($cmn -f -k -u -D)-U[indicate that CA key is held by ssh-agent]" \
"$p1($cmn -f -k -u -U)-D+[indicate the CA key is stored in a PKCS#11 token]:PKCS11 shared library:_files -g '*.(so|dylib)(|.<->)(-.)'" \
"$p1($cmn -f -k -u)-n+[specify user/host principal names to include in certificate]:principals" \
"$p1($cmn -f -u)-V+[specify certificate validity interval]:interval" \
"($cmn -I -h -n -D -O -U -V)-k[generate a KRL file]" \
"$p1($cmn -I -h -n -D -O -U -V)-u[update a KRL]" \
- signature \
"(${${(@)cmn:#-O}})-Y+[signature action]:action:((
find-principals\:find\ the\ principal\ associated\ with\ the\ public\ key\ of\ a\ signature
sign\:sign\ a\ file\ using\ SSH\ key
verify\:verify\ a\ signature\ generated\ using\ the\ sign\ option
check-novalidate\:check\ signature\ structure
match-principals\:find\ matching\ principal
))" \
$sigargs
return
;;
ssh-keyscan)
_arguments \
'(-6)-4[force ssh to use IPv4 addresses only]' \
'(-4)-6[force ssh to use IPv6 addresses only]' \
'-c[request certificates from target hosts instead of plain keys]' \
'-D[print keys found as SSHFP DNS records]' \
'*-f+[read hosts from file, one per line]:file:_files' \
'-H[hash all hostnames and addresses in the output]' \
'-O+[specify a key/value option]: : _values option
"hashalg[select a hash algorithm to use with -D]\:algorithm [both]\:(sha1 sha256)"' \
'-p+[specify port on remote host]:port number on remote host' \
'-T+[specify timeout]: :_numbers -u seconds -d 5 timeout \:s\:seconds m\:minutes h\:hours d\:days w\:weeks' \
'-t+[specify key types to fetch from scanned hosts]:key type:_sequence compadd - rsa dsa ecdsa ed25519' \
'-v[verbose mode]'
return
;;
sftp)
_arguments -C -s \
'-a[attempt to continue interrupted transfers]' \
'-B+[specify buffer size]:buffer size (bytes) [32768]' \
'-b+[specify batch file to read]:batch file:_files' \
'-f[request that files be flushed immediately after transfer]' \
'-N[disable implicit quiet mode set by -b]' \
'-R+[specify number of outstanding requests]:number of requests [64]' \
'-s+[specify SSH2 subsystem or path to sftp server on the remote host]:subsystem/path' \
'1:file:->rfile' '*:file:->file' "$common[@]" "$common_transfer[@]" && ret=0
;;
ssh-copy-id)
_arguments \
'-i+[select identity file]:SSH identity file:_files -g "*(-.^AR)"' \
'-f[copy keys without trying to check if they are already installed]' \
'-n[dry run - no keys are actually copied]' \
'*-o+[specify ssh options]:option string:->option' \
'-p+[specify port on remote host]:port number on remote host' \
'(- 1)'{-h,-\?}'[display usage information]' \
':remote host name:->userhost' && ret=0
;;
esac
while [[ -n "$state" ]]; do
lstate="$state"
state=''
case "$lstate" in
option)
if compset -P 1 '*='; then
case "${IPREFIX#-o}" in
(#i)(ciphers|macs|kexalgorithms|hostkeyalgorithms|pubkeyacceptedalgorithms)=)
local sep
zstyle -s ":completion:${curcontext}:" list-separator sep || sep=--
if ! compset -P '[+-^]'; then
_wanted prefix expl 'relative to default' compadd -S '' -d \
"(
+\ $sep\ append\ to\ default\ list
-\ $sep\ remove\ from\ default\ list
^\ $sep\ insert\ at\ head\ of\ default\ list
)" - + - \^ && ret=0
fi
;;
esac
case "${IPREFIX#-o}" in
(#i)(batchmode|canonicalizefallbacklocal|checkhostip|clearallforwardings|compression|enableescapecommandline|enablesshkeysign|exitonforwardfailure|fallbacktorsh|forkafterauthentication|forward(agent|x11)|forwardx11trusted|gatewayports|gssapiauthentication|gssapidelegatecredentials|gssapikeyexchange|gssapirenewalforcesrekey|gssapitrustdns|hashknownhosts|hostbasedauthentication|identitiesonly|kbdinteractiveauthentication|tcpkeepalive|nohostauthenticationforlocalhost|passwordauthentication|permitlocalcommand|permitremoteopen|proxyusefdpass|stdinnull|streamlocalbindunlink|visualhostkey)=*)
_wanted values expl 'truth value' compadd yes no && ret=0
;;
(#i)addkeystoagent=*)
_alternative \
'timeouts: :_numbers -u seconds "time interval" :s:seconds m:minutes h:hours d:days w:weeks' \
'values:value:(yes no ask confirm)' && ret=0
;;
(#i)addressfamily=*)
_wanted values expl 'address family' compadd any inet inet6 && ret=0
;;
(#i)bindaddress=*)
_wanted bind-addresses expl 'bind address' _bind_addresses && ret=0
;;
(#i)bindinterface=*)
_wanted bind-interfaces expl 'bind interface' _network_interfaces && ret=0
;;
(#i)canonicaldomains=*)
_message -e 'canonical domains (space separated)' && ret=0
;;
(#i)canonicalizehostname=*)
_wanted values expl 'truthish value' compadd yes no always && ret=0
;;
(#i)canonicalizemaxdots=*)
_message -e 'number of dots' && ret=0
;;
(#i)canonicalizepermittedcnames=*)
_message -e 'CNAME rule list (source_domain_list:target_domain_list, each pattern list comma separated)' && ret=0
;;
(#i)ciphers=*)
state=ciphers
;;
(#i)certificatefile=*)
_description files expl 'file'
_files "$expl[@]" && ret=0
;;
(#i)connectionattempts=*)
_message -e 'connection attempts' && ret=0
;;
(#i)connecttimeout=*)
_numbers -u seconds timeout :s:seconds m:minutes h:hours d:days w:weeks && ret=0
;;
(#i)controlmaster=*)
_wanted values expl 'truthish value' compadd yes no auto ask autoask && ret=0
;;
(#i)controlpath=*)
_description files expl 'path to control socket'
_files "$expl[@]" && ret=0
;;
(#i)controlpersist=*)
_alternative \
'timeouts: :_numbers -u seconds timeout :s:seconds m:minutes h:hours d:days w:weeks' \
'values:truth value:(yes no)' && ret=0
;;
(#i)escapechar=*)
_message -e 'escape character (or `none'\'')'
ret=0
;;
(#i)fingerprinthash=*)
_values 'fingerprint hash algorithm' \
md5 ripemd160 sha1 sha256 sha384 sha512 && ret=0
;;
(#i)forwardx11timeout=*)
_message -e 'timeout'
ret=0
;;
(#i)globalknownhostsfile=*)
_description files expl 'global file with known hosts'
_files "$expl[@]" && ret=0
;;
(#i)hostname=*)
_wanted hosts expl 'real host name to log into' _ssh_hosts && ret=0
;;
(#i)identityagent=*)
_description files expl 'socket file'
_files -g "*(-=)" "$expl[@]" && ret=0
;;
(#i)identityfile=*)
_description files expl 'SSH identity file'
_files "$expl[@]" && ret=0
;;
(#i)ignoreunknown=*)
_message -e 'pattern list' && ret=0
;;
(#i)ipqos=*)
local descr
if [[ $PREFIX = *\ *\ * ]]; then return 1; fi
if compset -P '* '; then
descr='QoS for non-interactive sessions'
else
descr='QoS [for interactive sessions if second value given, separated by white space]'
fi
_values $descr 'af11' 'af12' 'af13' 'af14' 'af22' \
'af23' 'af31' 'af32' 'af33' 'af41' 'af42' 'af43' \
'cs0' 'cs1' 'cs2' 'cs3' 'cs4' 'cs5' 'cs6' 'cs7' 'ef' \
'lowdelay' 'throughput' 'reliability' && ret=0
;;
(#i)(local|remote)forward=*)
state=forward
;;
(#i)dynamicforward=*)
state=dynforward
;;
(#i)kbdinteractivedevices=*)
_values -s , 'keyboard-interactive authentication method' \
'bsdauth' 'pam' 'skey' && ret=0
;;
(#i)kexalgorithms=*)
_wanted algorithms expl 'key exchange algorithm' _sequence compadd - \
$(_call_program algorithms ssh -Q kex) && ret=0
;;
(#i)gssapikexalgorithms=*)
_wanted algorithms expl 'key exchange algorithm' _sequence compadd - \
$(_call_program algorithms ssh -Q kex-gss) && ret=0
;;
(#i)(local|knownhosts)command=*)
_command_names -e && ret=0
;;
(#i)loglevel=*)
_values 'log level' QUIET FATAL ERROR INFO VERBOSE\
DEBUG DEBUG1 DEBUG2 DEBUG3 && ret=0
;;
(#i)macs=*)
state=macs
;;
(#i)numberofpasswordprompts=*)
_message -e 'number of password prompts'
ret=0
;;
(#i)(pkcs11|securitykey)provider=*)
_description files expl 'shared library'
_files -g '*.(so|dylib)(|.<->)(-.)' "$expl[@]" && ret=0
;;
(#i)port=*)
_message -e 'port number on remote host'
ret=0
;;
(#i)preferredauthentications=*)
_values -s , 'authentication method' gssapi-with-mic \
hostbased publickey keyboard-interactive password && ret=0
;;
(#i)proxyjump=*)
compset -P "* "
state=userhost
;;
(#i)(hostkey|(hostbased|pubkey)accepted)algorithms=*)
_wanted key-types expl 'key type' _sequence compadd - \
$(_call_program key-types ssh -Q key-sig) && ret=0
;;
(#i)pubkeyauthentication=*)
_wanted values expl 'enable' compadd yes no unbound host-bound && ret=0
;;
(#i)protocol=*)
_values -s , 'protocol version' \
'1' \
'2' && ret=0
;;
(#i)(proxy|remote)command=*)
_cmdstring && ret=0
;;
(#i)rekeylimit=*)
if compset -P "* "; then
_numbers -u seconds "maximum time before renegotiating session key" \
:s:seconds h:hours d:days w:weeks
else
_numbers -u bytes "maximum amount of data transmitted before renegotiating session key" \
K:kilobytes M:megabytes G:gigabytes
fi
ret=0
;;
(#i)requesttty=*)
_values 'request a pseudo-tty' \
'no[never request a TTY]' \
'yes[always request a TTY when stdin is a TTY]' \
'force[always request a TTY]' \
'auto[request a TTY when opening a login session]' && ret=0
;;
(#i)requiredrsasize=)
_wanted sizes expl 'minimum size [1024]' compadd 1024 2048 4096 && ret=0
;;
(#i)revokedhostkeys=*)
_description files expl 'revoked host keys file'
_files "$expl[@]" && ret=0
;;
(#i)sendenv=*)
_wanted envs expl 'environment variable' _parameters -g 'scalar*export*' && ret=0
;;
(#i)serveralivecountmax=*)
_message -e 'number of alive messages without replies before disconnecting'
ret=0
;;
(#i)serveraliveinterval=*)
_message -e 'timeout in seconds since last data was received to send alive message'
ret=0
;;
(#i)streamlocalbindmask=*)
_message -e 'octal mask' && ret=0
;;
(#i)sessiontype=*)
_wanted session-types expl "session type" compadd none subsystem default && ret=0
;;
(#i)stricthostkeychecking=*)
_wanted values expl 'value' compadd yes no ask accept-new off && ret=0
;;
(#i)syslogfacility=*)
_wanted facilities expl 'facility' compadd -M 'm:{a-z}={A-Z}' DAEMON USER AUTH LOCAL{0,1,2,3,4,5,6,7} && ret=0
;;
(#i)(verifyhostkeydns|updatehostkeys)=*)
_wanted values expl 'truthish value' compadd yes no ask && ret=0
;;
(#i)transport=*)
_values 'transport protocol' TCP SCTP && ret=0
;;
(#i)tunnel=*)
_values 'request device forwarding' \
'yes' \
'point-to-point' \
'ethernet' \
'no' && ret=0
;;
(#i)tunneldevice=*)
_message -e 'local_tun[:remote_tun] (integer or "any")'
ret=0
;;
(#i)userknownhostsfile=*)
_description files expl 'user file with known hosts'
_files "$expl[@]" && ret=0
;;
(#i)user=*)
_wanted users expl 'user to log in as' _ssh_users && ret=0
;;
(#i)xauthlocation=*)
_description files expl 'xauth program'
_files "$expl[@]" -g '*(-*)' && ret=0
;;
*) _message -e values value ;;
esac
else
# Include, Host and Match not supported from the command-line
# final GSSAPI options are not in upstream but are widely patched in
_wanted values expl 'configure file option' \
compadd -M 'm:{a-z}={A-Z} r:[^A-Z]||[A-Z]=* r:|=*' -q -S '=' - \
AddKeysToAgent \
AddressFamily \
BatchMode \
BindAddress \
BindInterface \
CanonicalDomains \
CanonicalizeFallbackLocal \
CanonicalizeHostname \
CanonicalizeMaxDots \
CanonicalizePermittedCNAMEs \
CASignatureAlgorithms \
CertificateFile \
CheckHostIP \
Ciphers \
ClearAllForwardings \
Compression \
ConnectionAttempts \
ConnectTimeout \
ControlMaster \
ControlPath \
ControlPersist \
DynamicForward \
EnableEscapeCommandline \
EnableSSHKeysign \
EscapeChar \
ExitOnForwardFailure \
FingerprintHash \
ForkAfterAuthentication \
ForwardAgent \
ForwardX11 \
ForwardX11Timeout \
ForwardX11Trusted \
GatewayPorts \
GlobalKnownHostsFile \
GSSAPIAuthentication \
GSSAPIDelegateCredentials \
HashKnownHosts \
HostbasedAcceptedAlgorithms \
HostbasedAuthentication \
HostKeyAlgorithms \
HostKeyAlias \
Hostname \
IdentitiesOnly \
IdentityAgent \
IdentityFile \
IgnoreUnknown \
IPQoS \
KbdInteractiveAuthentication \
KbdInteractiveDevices \
KexAlgorithms \
KnownHostsCommand \
LocalCommand \
LocalForward \
LogLevel \
LogVerbose \
MACs \
NoHostAuthenticationForLocalhost \
NumberOfPasswordPrompts \
PasswordAuthentication \
PermitLocalCommand \
PermitRemoteOpen \
PKCS11Provider \
Port \
PreferredAuthentications \
ProxyCommand \
ProxyJump \
ProxyUseFdpass \
PubkeyAuthentication \
PubkeyAcceptedAlgorithms \
RekeyLimit \
RemoteCommand \
RemoteForward \
RequestTTY \
RequiredRSASize \
RevokedHostKeys \
SecurityKeyProvider \
SendEnv \
ServerAliveCountMax \
ServerAliveInterval \
SetEnv \
SessionType \
StdinNull \
StreamLocalBindMask \
StreamLocalBindUnlink \
StrictHostKeyChecking \
SyslogFacility \
TCPKeepAlive \
Tunnel \
TunnelDevice \
UpdateHostKeys \
User \
UserKnownHostsFile \
VerifyHostKeyDNS \
VisualHostKey \
XAuthLocation \
GSSAPIClientIdentity \
GSSAPIKeyExchange \
GSSAPIRenewalForcesRekey \
GSSAPIServerIdentity \
GSSAPITrustDns \
GSSAPIKexAlgorithms \
&& ret=0
fi
;;
forward)
local port=false host=false listen=false bind=false
if compset -P 1 '*:'; then
if [[ $IPREFIX != (*=|)<-65535>: ]]; then
if compset -P 1 '*:'; then
if compset -P '*:'; then
port=true
else
host=true
fi
else
listen=true
ret=0
fi
else
if compset -P '*:'; then
port=true
else
host=true
fi
fi
else
listen=true
bind=true
fi
$port && { _message -e port-numbers 'port number'; ret=0 }
$listen && { _message -e port-numbers 'listen-port number'; ret=0 }
$host && { _wanted hosts expl host _ssh_hosts -S: && ret=0 }
$bind && { _wanted bind-addresses expl bind-address _bind_addresses -S: && ret=0 }
return ret
;;
dynforward)
_message -e port-numbers 'listen-port number'
if ! compset -P '*:'; then
_wanted bind-addresses expl bind-address _bind_addresses -qS:
fi
return 0
;;
hostport)
if compset -P '*:'; then
_message -e port-numbers 'port number'
ret=0
else
_wanted hosts expl host _ssh_hosts -S: && ret=0
fi
return ret
;;
macs)
_wanted macs expl 'MAC algorithm' _sequence compadd - $(_call_program macs ssh -Q mac)
return
;;
ciphers)
_wanted ciphers expl 'encryption cipher' _sequence compadd - $(_call_program ciphers ssh -Q cipher)
return
;;
command)
if (( $+opt_args[-s] )); then
_wanted subsystems expl subsystem compadd sftp
return
fi
local -a _comp_priv_prefix
shift 1 words
(( CURRENT-- ))
_normal -p $service
return
;;
destinations)
compset -P 1 '*>'
compset -S '>*'
;& # fall-through
userhost)
if compset -P '*@'; then
_wanted hosts expl 'remote host name' _ssh_hosts && ret=0
elif compset -S '@*'; then
_wanted users expl 'login name' _ssh_users -S '' && ret=0
else
if (( $+opt_args[-l] )); then
tmp=()
else
tmp=( 'users:login name:_ssh_users -qS@' )
fi
_alternative \
'hosts:remote host name:_ssh_hosts' \
"$tmp[@]" && ret=0
fi
;;
file)
if compset -P 1 '[^./][^/]#:'; then
_remote_files -- ssh ${(kv)~opt_args[(I)-[FP1246]]/-P/-p} && ret=0
elif compset -P 1 '*@'; then
suf=( -S '' )
compset -S ':*' || suf=( -r: -S: )
_wanted hosts expl 'remote host name' _ssh_hosts $suf && ret=0
else
_alternative \
'files:: _files' \
'hosts:remote host name:_ssh_hosts -r: -S:' \
'users:user:_ssh_users -qS@' && ret=0
fi
;;
rfile)
if compset -P 1 '*:'; then
_remote_files -- ssh && ret=0
elif compset -P 1 '*@'; then
_wanted hosts expl host _ssh_hosts -r: -S: && ret=0
else
_alternative \
'hosts:remote host name:_ssh_hosts -r: -S:' \
'users:user:_ssh_users -qS@' && ret=0
fi
;;
esac
done
return ret
}
_ssh_users () {
_combination -s '[:@]' my-accounts users-hosts users "$@"
}
_ssh "$@"