summaryrefslogtreecommitdiff
path: root/functions/_ssh
blob: a7babe9983176572c772c6554fb80d6c8e647f7a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
#compdef ssh slogin=ssh scp ssh-add ssh-agent ssh-keygen sftp ssh-copy-id

# TODO: sshd, ssh-keyscan, ssh-keysign

_ssh () {
  local curcontext="$curcontext" state line expl suf ret=1
  local args common tmp p1 file cmn cmds sdesc
  typeset -A opt_args

  common=(
    '(-2)-1[forces ssh to try protocol version 1 only]'
    '(-1)-2[forces ssh to try protocol version 2 only]'
    '(-6)-4[forces ssh to use IPv4 addresses only]'
    '(-4)-6[forces ssh to use IPv6 addresses only]'
    '-C[compress data]'
    # for protocol version 2, this can be a comma-separated list
    '-c+[select encryption cipher]:encryption cipher:(idea des 3des blowfish arcfour tss none)'
    '-F+[specify alternate config file]:config file:_files'
    '*-i+[select identity file]:SSH identity file:_files -g "*(-.^AR)"'
    '*-o+[specify extra options]:option string:->option'
  )
  common_transfer=(
    '-l[limit used bandwidth]:bandwidth in KiB/s:'
    '-P+[specify port on remote host]:port number on remote host'
    '-p[preserve modification times, access times and modes]'
    '-q[disable progress meter and warnings]'
    '-r[recursively copy directories (follows symbolic links)]'
    '-S+[specify ssh program]:path to ssh:_command_names -e' \
    '-v[verbose mode]'
  )

  case "$service" in
  ssh)
    _arguments -C -s \
      '(-a)-A[enables forwarding of the authentication agent connection]' \
      '(-A)-a[disable forwarding of authentication agent connection]' \
      '(-P)-b+[specify interface to transmit on]:bind address:_bind_addresses' \
      '-D+[specify a dynamic port forwarding]:dynamic port forwarding:->dynforward' \
      '-e+[set escape character]:escape character (or `none'\''):' \
      '-E[append log output to file instead of stderr]:_files' \
      '(-n)-f[go to background]' \
      '-g[allow remote hosts to connect to local forwarded ports]' \
      '-G[output configuration and exit]' \
      '-I+[specify smartcard device]:device:_files' \
      '-J+[connect via a jump host]: :->userhost' \
      '-K[enable GSSAPI-based authentication and forwarding]' \
      '-k[disable forwarding of GSSAPI credentials]' \
      '*-L[specify local port forwarding]:local port forwarding:->forward' \
      '-l+[specify login name]:login name:_ssh_users' \
      '-M[master mode for connection sharing]' \
      '(-1)-m+[specify mac algorithms]:mac spec:->macs' \
      '(-1)-N[do not execute a remote command (protocol version 2 only)]' \
      '-n[redirect stdin from /dev/null]' \
      '-O:multiplex control command:((check\:"check master process is running" exit\:"request the master to exit" forward\:"request forward without command execution" stop\:"request the master to stop accepting further multiplexing requests" cancel\:"cancel existing forwardings with -L and/or -R"))' \
      '-P[use non privileged port]' \
      '-p+[specify port on remote host]:port number on remote host' \
      '(-v)*-q[quiet operation]' \
      '*-R[specify remote port forwarding]:remote port forwarding:->forward' \
      '-S+[specify location of control socket for connection sharing]:path to control socket:_files' \
      '-Q[query parameters]:parameter type:((cipher\:"supported symmetric ciphers" cipher-auth\:"supported symmetric ciphers that support authenticated encryption" mac\:"supported message integrity codes" kex\:"key exchange algorithms" key\:"key types" protocol-version\:"supported SSH protocol versions"))' \
      '(-1)-s[invoke subsystem]' \
      '(-1 -t)-T[disable pseudo-tty allocation (protocol version 2 only)]' \
      '(-T)-t[force pseudo-tty allocation]' \
      '-V[show version number]' \
      '(-q)*-v[verbose mode (multiple increase verbosity, up to 3)]' \
      '-W[forward standard input and output to host]:stdinout forward:->hostport' \
      '-w[request tunnel device forwarding]:local_tun[\:remote_tun] (integer or "any"):' \
      '(-x -Y)-X[enable (untrusted) X11 forwarding]' \
      '(-X -Y)-x[disable X11 forwarding]' \
      '(-x -X)-Y[enable trusted X11 forwarding]' \
      '-y[send log info via syslog instead of stderr]' \
      ':remote host name:->userhost' \
      '*::args:->command' "$common[@]" && ret=0
    ;;
  scp)
    _arguments -C -s \
      '-3[copy through local host, not directly between the remote hosts]' \
      '-B[batch mode (don'\''t ask for passphrases)]' \
      '*:file:->file' "$common[@]" "$common_transfer[@]" && ret=0
    ;;
  ssh-add)
    _arguments -s \
      '-c[identity is subject to confirmation via SSH_ASKPASS]' \
      '-D[delete all identities]' \
      '-d[remove identity]' \
      '-E[specify hash algorithm for fingerprints]:algorithm:(md5 sha256)' \
      '-e[remove keys provided by the PKCS#11 shared library]:library:_files -g "*.(so|dylib)(|.<->)(-.)"' \
      '-k[load plain private keys only and skip certificates]' \
      '-L[lists public key parameters of all identities in the agent]'\
      '-l[list all identities]' \
      '-s[add keys provided by the PKCS#11 shared library]:library:_files -g "*.(so|dylib)(|.<->)(-.)"' \
      '-t[set maximum lifetime for identity]:maximum lifetime (in seconds or time format):' \
      '-X[unlock the agent]' \
      '-x[lock the agent with a password]' \
      '*:SSH identity file:_files'
    return
    ;;
  ssh-agent)
    _arguments -s \
      '(-k)-a[UNIX-domain socket to bind agent to]:UNIX-domain socket:_files' \
      '(-k -s)-c[force csh-style shell]' \
      '(-k)-d[debug mode]' \
      '-k[kill current agent]' \
      '(-k -c)-s[force sh-style shell]' \
      '-t[set default maximum lifetime for identities]:maximum lifetime (in seconds or time format):' \
      '*::command: _normal'
    return
    ;;
  ssh-keygen)
    # options can be in any order but use ! to limit those shown for the first argument
    (( CURRENT == 2 )) && p1='!'
    args=( '!-z:number' )
    sdesc='certify keys with CA key'
    (( $+words[(r)-s] )) && args=( '-z[specify serial number]:serial number' )
    (( $+words[(r)-[ku]] )) && args=( '-z[specify version number]:version number' ) &&
        sdesc='specify CA public key file'
    file=key
    (( $+words[(r)-[HR]] )) && file=known_hosts
    (( $+words[(r)-T] )) && file=input
    if (( $+words[(r)-[kQ]] )); then
      file=krl
      args+=( '*:file:_files' )
    fi
    cmds=( -p -i -e -y -c -l -B -D -H -R -r -G -T -s -L -A -k -Q ) # basic commands
    cmn=( -b -P -N -C -m -v ) # options common to many basic commands (except -f which is common to most)
    cms=( -E -q -t -g -M -S -a -J -j -K -W -I -h -n -O -V -u ) # options specific to one basic command
    _arguments -s $args \
      "(${${(@)cmds:#-G}} -P -m ${${(@)cms:#-[MS]}})-b[specify number of bits in key]:bits in key" \
      "$p1(${${(@)cmds:#-[pc]}} -b -C $cms)-P[provide old passphrase]:old passphrase" \
      "(${${(@)cmds:#-p}} -m -v ${${(@)cms:#-[qt]}})-N[provide new passphrase]:new passphrase" \
      "(${${(@)cmds:#-c}} -m -v $cms)-C[provide new comment]:new comment" \
      "(-D -G -M -S -I -h -n -O -V -A)-f[$file file]:$file file:_files" \
      "$p1(${${(@)cmds:#-[ie]}})-m[specify conversion format]:format:(PEM PKCS7 RFC4716)" \
      "(${${(@)cmds:#-[lGT]}} ${${(@)cmn:#-[bv]}} -f)*-v[verbose mode]" \
      - '(commands)' \
      "(-b -P -C -v)-p[change passphrase of private key file]" \
      '(-b -P -N -C -v)-i[import key to OpenSSH format]' \
      '(-b -P -N -C -v)-e[export key to SECSH file format]' \
      "($cmn)-y[get public key from private key]" \
      '(-b -N -m -v)-c[change comment in private and public key files]' \
      "($cmn)-B[show the bubblebabble digest of key]" \
      "(-)-D[download key stored in smartcard reader]:reader" \
      "($cmn)-H[hash names in known_hosts file]" \
      "($cmn)-R[remove host from known_hosts file]:host:_ssh_hosts" \
      "($cmn)-L[print the contents of a certificate]" \
      "(-)-A[generate host keys for all key types]" \
      "($cmn)-Q[test whether keys have been revoked in a KRL]" \
      - finger \
      "($cmn)-l[show fingerprint of key file]" \
      "$p1($cmn)-E[specify hash algorithm for displayed fingerprints]:hash algorithim:(md5 sha256)" \
      - create \
      '(-P -m)-q[silence ssh-keygen]' \
      "(-P -m)-t[specify the type of the key to create]:key type:(rsa1 rsa dsa ecdsa ed25519)" \
      - dns \
      "($cmn)-r[print DNS resource record]:hostname:_hosts" \
      "$p1($cmn)-g[use generic DNS format]" \
      - primes \
      "(-P -N -C -m -f)-G[generate candidates for DH-GEX moduli]" \
      "$p1(-P -N -C -m -f)-M[specify amount of memory to use for generating DH-GEX moduli]:memory (MB)" \
      "$p1(-P -N -C -m -f)-S[specify start point]:start point (hex)" \
      - screen \
      "(${${(@)cmn:#-v}})-T[screen candidates for DH-GEX moduli]:output file:_files" \
      "${p1}(${${(@)cmn:#-v}})-a[specify number of rounds]:rounds" \
      "${p1}(${${(@)cmn:#-v}})-J[exit after screening specified number of lines]" \
      "${p1}(${${(@)cmn:#-v}})-j[start screening at the specified line number]:line number" \
      "${p1}(${${(@)cmn:#-v}})-K[write the last line processed to file]:file:_files" \
      "${p1}(${${(@)cmn:#-v}})-W[specify desired generator]:generator" \
      - certify \
      "($cmn)-s[$sdesc]:CA key:_files" \
      "$p1($cmn -f -u)-I[specify key identifier to include in certificate]:key id" \
      "$p1($cmn -f -u)-h[generate host certificate instead of a user certificate]" \
      "$p1($cmn -f -u)-n[specify user/host principal names to include in certificate]:principals" \
      "$p1($cmn -f -u)-O[specify a certificate option]:option" \
      "$p1($cmn -f -u)-V[specify certificate validity interval]:interval" \
      "($cmn -I -h -n -O -V)-k[generate a KRL file]" \
      "$p1($cmn -I -h -n -O -V)-u[update a KRL]"
    return
    ;;
  sftp)
    _arguments -C -s \
      '-a[attempt to continue interrupted transfers]' \
      '-B+[specify buffer size]:buffer size (bytes) [32768]' \
      '-b+[specify batch file to read]:batch file:_files' \
      '-D[connect directly to a local sftp server]:sftp server path' \
      '-f[request that files be flushed immediately after transfer]' \
      '-R[specify number of outstanding requests]:number of requests [64]' \
      '-s[SSH2 subsystem or path to sftp server on the remote host]' \
      '1:file:->rfile' '*:file:->file' "$common[@]" "$common_transfer[@]" && ret=0
    ;;
  (ssh-copy-id)
    _arguments \
      '-i:SSH identity file:_files' \
      ':remote host name:->userhost' \
    ;;
  esac

  while [[ -n "$state" ]]; do
    lstate="$state"
    state=''

    case "$lstate" in
    option)
      if compset -P 1 '*='; then
        case "${IPREFIX#-o}" in
          (#i)(ciphers|macs|kexalgorithms|hostkeyalgorithms|pubkeyacceptedkeytypes|hostbasedkeytypes)=)
          if ! compset -P +; then
            _wanted append expl 'append to default' compadd + && ret=0
          fi
          ;;
        esac
        case "${IPREFIX#-o}" in
        (#i)(afstokenpassing|batchmode|canonicalizefallbacklocal|challengeresponseauthentication|checkhostip|clearallforwardings|compression|enablesshkeysign|exitonforwardfailure|fallbacktorsh|forward(agent|x11)|forwardx11trusted|gatewayports|gssapiauthentication|gssapidelegatecredentials|gssapitrustdns|hashknownhosts|hostbasedauthentication|identitiesonly|kbdinteractiveauthentication|(tcp|)keepalive|nohostauthenticationforlocalhost|passwordauthentication|permitlocalcommand|proxyusefdpass|pubkeyauthentication|rhosts(|rsa)authentication|rsaauthentication|streamlocalbindunlink|usersh|kerberos(authentication|tgtpassing)|useprivilegedport|visualhostkey)=*)
          _wanted values expl 'truth value' compadd yes no && ret=0
          ;;
        (#i)addressfamily=*)
          _wanted values expl 'address family' compadd any inet inet6 && ret=0
          ;;
        (#i)bindaddress=*)
          _wanted bind-addresses expl 'bind address' _bind_addresses && ret=0
          ;;
        (#i)canonicaldomains=*)
          _message -e 'canonical domains (space separated)' && ret=0
          ;;
        (#i)canonicalizehostname=*)
          _wanted values expl 'truthish value' compadd yes no always && ret=0
          ;;
        (#i)canonicalizemaxdots=*)
          _message -e 'number of dots' && ret=0
          ;;
        (#i)canonicalizepermittedcnames=*)
          _message -e 'CNAME rule list (source_domain_list:target_domain_list, each pattern list comma separated)' && ret=0
          ;;
        (#i)ciphers=*)
          _values -s , 'encryption cipher' \
              '3des-cbc' \
              'aes128-cbc' \
              'aes192-cbc' \
              'aes256-cbc' \
              'aes128-ctr' \
              'aes192-ctr' \
              'aes256-ctr' \
              'arcfour128' \
              'arcfour256' \
              'arcfour' \
              'blowfish-cbc' \
              'cast128-cbc' \
              \
              'rijndael128-cbc' \
              'rijndael192-cbc' \
              'rijndael256-cbc' \
              'rijndael-cbc@lysator.liu.se' \
              && ret=0
          ;;
        (#i)cipher=*)
          _wanted values expl 'encryption cipher (protocol version 1)' \
              compadd blowfish 3des des idea arcfour tss none && ret=0
          ;;
        (#i)compressionlevel=*)
          _values 'compression level' {1..9} && ret=0
          ;;
        (#i)connectionattempts=*)
          _message -e 'connection attempts' && ret=0
          ;;
        (#i)connecttimeout=*)
          _message -e 'connection timeout' && ret=0
          ;;
        (#i)controlmaster=*)
          _wanted values expl 'truthish value' compadd yes no auto autoask && ret=0
          ;;
        (#i)controlpath=*)
          _description files expl 'path to control socket'
          _files "$expl[@]" && ret=0
          ;;
        (#i)controlpersist=*)
          _message -e 'timeout'
          ret=0
          _wanted values expl 'truth value' compadd yes no && ret=0
          ;;
        (#i)escapechar=*)
          _message -e 'escape character (or `none'\'')'
          ret=0
          ;;
        (#i)fingerprinthash=*)
          _values 'fingerprint hash algorithm' \
              md5 ripemd160 sha1 sha256 sha384 sha512 && ret=0
          ;;
        (#i)forwardx11timeout=*)
          _message -e 'timeout'
          ret=0
          ;;
        (#i)globalknownhostsfile=*)
          _description files expl 'global file with known hosts'
          _files "$expl[@]" && ret=0
          ;;
        (#i)hostname=*)
          _wanted hosts expl 'real host name to log into' _ssh_hosts && ret=0
          ;;
        (#i)(hostbasedkeytypes|hostkeyalgorithms|pubkeyacceptedkeytypes)=*)
          _values -s , 'key types' \
              'ecdsa-sha2-nistp256-cert-v01@openssh.com' \
              'ecdsa-sha2-nistp384-cert-v01@openssh.com' \
              'ecdsa-sha2-nistp521-cert-v01@openssh.com' \
              'ssh-ed25519-cert-v01@openssh.com' \
              'ssh-rsa-cert-v01@openssh.com' \
              'ssh-dss-cert-v01@openssh.com' \
              'ssh-rsa-cert-v00@openssh.com' \
              'ssh-dss-cert-v00@openssh.com' \
              'ecdsa-sha2-nistp256' \
              'ecdsa-sha2-nistp384' \
              'ecdsa-sha2-nistp521' \
              'ssh-ed25519' \
              'ssh-rsa' \
              'ssh-dss' && ret=0
          ;;
        (#i)identityfile=*)
          _description files expl 'SSH identity file'
          _files "$expl[@]" && ret=0
          ;;
        (#i)ignoreunknown=*)
          _message -e 'pattern list' && ret=0
          ;;
        (#i)ipqos=*)
          local descr
          if [[ $PREFIX = *\ *\ * ]]; then return 1; fi
          if compset -P '* '; then
            descr='QoS for non-interactive sessions'
          else
            descr='QoS [for interactive sessions if second value given, separated by white space]'
          fi
          _values $descr 'af11' 'af12' 'af13' 'af14' 'af22' \
              'af23' 'af31' 'af32' 'af33' 'af41' 'af42' 'af43' \
              'cs0' 'cs1' 'cs2' 'cs3' 'cs4' 'cs5' 'cs6' 'cs7' 'ef' \
              'lowdelay' 'throughput' 'reliability' && ret=0
          ;;
        (#i)(local|remote)forward=*)
          state=forward
          ;;
        (#i)dynamicforward=*)
          state=dynforward
          ;;
        (#i)kbdinteractivedevices=*)
          _values -s , 'keyboard-interactive authentication methods' \
              'bsdauth' 'pam' 'skey' && ret=0
          ;;
        (#i)kexalgorithms=*)
          _values -s , 'KEX algorithms' \
              ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \
              diffie-hellman-group-exchange-sha256 \
              diffie-hellman-group-exchange-sha1 \
              diffie-hellman-group14-sha1 diffie-hellman-group1-sha1 && ret=0
          ;;
        (#i)localcommand=*)
          _description commands expl 'run command locally after connecting'
          _command_names && ret=0
          ;;
        (#i)loglevel=*)
          _values 'log level' QUIET FATAL ERROR INFO VERBOSE\
              DEBUG DEBUG1 DEBUG2 DEBUG3 && ret=0
          ;;
        (#i)macs=*)
          state=macs
          ;;
        (#i)numberofpasswordprompts=*)
          _message -e 'number of password prompts'
          ret=0
          ;;
        (#i)pkcs11provider=*)
          _description files expl 'PKCS#11 shared library'
          _files -g '*.(so|dylib)(|.<->)(-.)' "$expl[@]" && ret=0
          ;;
        (#i)port=*)
          _message -e 'port number on remote host'
          ret=0
          ;;
        (#i)preferredauthentications=*)
          _values -s , 'authentication method' gssapi-with-mic \
              hostbased publickey keyboard-interactive password && ret=0
          ;;
        (#i)protocol=*)
          _values -s , 'protocol version' \
              '1' \
              '2' && ret=0
          ;;
        (#i)proxycommand=*)
          _cmdstring && ret=0
          ;;
        (#i)rekeylimit=*)
          _message -e 'maximum number of bytes transmitted before renegotiating session key'
          ret=0
          ;;
        (#i)requesttty=*)
          _values 'request a pseudo-tty' \
              'no[never request a TTY]' \
              'yes[always request a TTY when stdin is a TTY]' \
              'force[always request a TTY]' \
              'auto[request a TTY when opening a login session]' && ret=0
          ;;
        (#i)revokedhostkeys=*)
          _description files expl 'revoked host keys file'
          _files "$expl[@]" && ret=0
          ;;
        (#i)sendenv=*)
          _wanted envs expl 'environment variable' _parameters -g 'scalar*export*' && ret=0
          ;;
        (#i)serveralivecountmax=*)
          _message -e 'number of alive messages without replies before disconnecting'
          ret=0
          ;;
        (#i)serveraliveinterval=*)
          _message -e 'timeout in seconds since last data was received to send alive message'
          ret=0
          ;;
        (#i)streamlocalbindmask=*)
          _message -e 'octal mask' && ret=0
          ;;
        (#i)(stricthostkeychecking|verifyhostkeydns|updatehostkeys)=*)
          _wanted values expl 'truthish value' compadd yes no ask && ret=0
          ;;
        (#i)transport=*)
          _values 'transport protocol' TCP SCTP && ret=0
          ;;
        (#i)tunnel=*)
          _values 'request device forwarding' \
              'yes' \
              'point-to-point' \
              'ethernet' \
              'no' && ret=0
          ;;
        (#i)tunneldevice=*)
          _message -e 'local_tun[:remote_tun] (integer or "any")'
          ret=0
          ;;
        (#i)userknownhostsfile=*)
          _description files expl 'user file with known hosts'
          _files "$expl[@]" && ret=0
          ;;
        (#i)user=*)
          _wanted users expl 'user to log in as' _ssh_users && ret=0
          ;;
        (#i)xauthlocation=*)
          _description files expl 'xauth program'
          _files "$expl[@]" -g '*(-*)' && ret=0
          ;;
        esac
      else
        # old options are after the empty "\"-line
        _wanted values expl 'configure file option' \
            compadd -M 'm:{a-z}={A-Z}' -q -S '=' - \
	        AddKeysToAgent \
                AddressFamily \
                BatchMode \
                BindAddress \
                CanonicalDomains \
                CanonicalizeFallbackLocal \
                CanonicalizeHostname \
                CanonicalizeMaxDots \
                CanonicalizePermittedCNAMEs \
		CertificateFile \
                ChallengeResponseAuthentication \
                CheckHostIP \
                Cipher \
                Ciphers \
                ClearAllForwardings \
                Compression \
                CompressionLevel \
                ConnectionAttempts \
                ConnectTimeout \
                ControlMaster \
                ControlPath \
                ControlPersist \
                DynamicForward \
                EnableSSHKeysign \
                EscapeChar \
                ExitOnForwardFailure \
                FingerprintHash \
                ForwardAgent \
                ForwardX11 \
                ForwardX11Timeout \
                ForwardX11Trusted \
                GatewayPorts \
                GlobalKnownHostsFile \
                GSSAPIAuthentication \
                GSSAPIDelegateCredentials \
                GSSAPITrustDns \
                HashKnownHosts \
                Host \
                HostbasedAuthentication \
                HostbasedKeyTypes \
                HostKeyAlgorithms \
                HostKeyAlias \
                HostName \
                IdentitiesOnly \
		IdentityAgent \
                IdentityFile \
                IgnoreUnknown \
                IPQoS \
                KbdInteractiveAuthentication \
                KbdInteractiveDevices \
                KexAlgorithms \
                LocalCommand \
                LocalForward \
                LogLevel \
                MACs \
                NoHostAuthenticationForLocalhost \
                NumberOfPasswordPrompts \
                PasswordAuthentication \
                PermitLocalCommand \
                PKCS11Provider \
                Port \
                PreferredAuthentications \
                Protocol \
                ProxyCommand \
		ProxyJump \
                ProxyUseFdpass \
                PubkeyAcceptedKeyTypes \
                PubkeyAuthentication \
                RekeyLimit \
                RemoteForward \
                RequestTTY \
                RevokedHostKeys \
                RhostsRSAAuthentication \
                RSAAuthentication \
                SendEnv \
                ServerAliveCountMax \
                ServerAliveInterval \
                StreamLocalBindMask \
                StreamLocalBindUnlink \
                StrictHostKeyChecking \
                TCPKeepAlive \
                Transport \
                Tunnel \
                TunnelDevice \
                UpdateHostKeys \
                UsePrivilegedPort \
                User \
                UserKnownHostsFile \
                VerifyHostKeyDNS \
                VisualHostKey \
                XAuthLocation \
                \
                AFSTokenPassing \
                FallBackToRsh \
                KeepAlive \
                KerberosAuthentication \
                KerberosTgtPassing \
                PreferredAuthentications \
                ProtocolKeepAlives \
                RhostsAuthentication \
                SetupTimeOut \
                SmartcardDevice \
                UseRsh \
                && ret=0
      fi
      ;;
    forward)
      local port=false host=false listen=false bind=false
      if compset -P 1 '*:'; then
        if [[ $IPREFIX != (*=|)<-65535>: ]]; then
          if compset -P 1 '*:'; then
            if compset -P '*:'; then
              port=true
            else
              host=true
            fi
          else
            listen=true
            ret=0
          fi
        else
          if compset -P '*:'; then
            port=true
          else
            host=true
          fi
        fi
      else
        listen=true
        bind=true
      fi
      $port && { _message -e port-numbers 'port number'; ret=0 }
      $listen && { _message -e port-numbers 'listen-port number'; ret=0 }
      $host && { _wanted hosts expl host _ssh_hosts -S: && ret=0 }
      $bind && { _wanted bind-addresses expl bind-address _bind_addresses -S: && ret=0 }
      return ret
      ;;
    dynforward)
      _message -e port-numbers 'listen-port number'
      if ! compset -P '*:'; then
        _wanted bind-addresses expl bind-address _bind_addresses -qS:
      fi
      return 0
      ;;
    hostport)
      if compset -P '*:'; then
        _message -e port-numbers 'port number'
        ret=0
      else
        _wanted hosts expl host _ssh_hosts -S: && ret=0
      fi
      return ret
      ;;
    macs)
      _values -s , 'MAC algorithms' hmac-md5 hmac-sha1 umac-64@openssh.com \
          hmac-ripemd160 hmac-sha1-96 hmac-md5-96 hmac-sha2-256 \
          hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 && ret=0
      ;;
    command)
      local -a _comp_priv_prefix
      shift 1 words
      (( CURRENT-- ))
      _normal
      return
      ;;
    userhost)
      if compset -P '*@'; then
        _wanted hosts expl 'remote host name' _ssh_hosts && ret=0
      elif compset -S '@*'; then
        _wanted users expl 'login name' _ssh_users -S '' && ret=0
      else
        if (( $+opt_args[-l] )); then
          tmp=()
        else
          tmp=( 'users:login name:_ssh_users -qS@' )
        fi
        _alternative \
            'hosts:remote host name:_ssh_hosts' \
            "$tmp[@]" && ret=0
      fi
      ;;
    file)
      if compset -P 1 '[^./][^/]#:'; then
        _remote_files -- ssh ${(kv)~opt_args[(I)-[FP1246]]/-P/-p} && ret=0
      elif compset -P 1 '*@'; then
        suf=( -S '' )
        compset -S ':*' || suf=( -r: -S: )
        _wanted hosts expl 'remote host name' _ssh_hosts $suf && ret=0
      else
        _alternative \
            'files:: _files' \
            'hosts:remote host name:_ssh_hosts -r: -S:' \
            'users:user:_ssh_users -qS@' && ret=0
      fi
      ;;
    rfile)
      if compset -P 1 '*:'; then
        _remote_files -- ssh && ret=0
      elif compset -P 1 '*@'; then
        _wanted hosts expl host _ssh_hosts -r: -S: && ret=0
      else
        _alternative \
            'hosts:remote host name:_ssh_hosts -r: -S:' \
            'users:user:_ssh_users -qS@' && ret=0
      fi
      ;;
    esac
  done

  return ret
}

_ssh_users () {
  _combination -s '[:@]' my-accounts users-hosts users "$@"
}

_ssh_hosts () {
  local -a config_hosts
  local config
  integer ind

  if [[ "$IPREFIX" == *@ ]]; then
    _combination -s '[:@]' my-accounts users-hosts "users=${IPREFIX/@}" hosts "$@"
  else
    _combination -s '[:@]' my-accounts users-hosts \
      ${opt_args[-l]:+"users=${opt_args[-l]:q}"} hosts "$@"
  fi
  if (( ind = ${words[(I)-F]} )); then
    config=${~words[ind+1]} 2>/dev/null
  else
    config="$HOME/.ssh/config"
  fi
  if [[ -r $config ]]; then
    local key hosts host
    while IFS=$'=\t ' read -r key hosts; do
      if [[ "$key" == (#i)host ]]; then
         for host in ${(z)hosts}; do
            case $host in
            (*[*?]*) ;;
            (*) config_hosts+=("$host") ;;
            esac
         done
      fi
    done < "$config"
    if (( ${#config_hosts} )); then
      _wanted hosts expl 'remote host name' \
        compadd -M 'm:{a-zA-Z}={A-Za-z} r:|.=* r:|=*' "$@" $config_hosts
    fi
  fi
}

_ssh "$@"