.Op Fl p Ar port
.Oo Fl L Xo
.Sm off
-.Ar host :
.Ar port :
+.Ar host :
.Ar hostport
.Sm on
.Xc
.Oc
.Oo Fl R Xo
.Sm off
-.Ar host :
.Ar port :
+.Ar host :
.Ar hostport
.Sm on
.Xc
The recommended way to start X11 programs at a remote site is with
something like
.Ic ssh -f host xterm .
+.It Fl g
+Allows remote hosts to connect to local forwarded ports.
.It Fl i Ar identity_file
Selects the file from which the identity (private key) for
RSA authentication is read. Default is
.Fl i
options (and multiple identities specified in
configuration files).
-.It Fl g
-Allows remote hosts to connect to local forwarded ports.
.It Fl k
Disables forwarding of Kerberos tickets and AFS tokens. This may
also be specified on a per-host basis in the configuration file.
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
data for forwarded X11 and TCP/IP connections). The compression
-algorithm is the same used by gzip, and the
+algorithm is the same used by
+.Xr gzip 1 ,
+and the
.Dq level
can be controlled by the
.Cm CompressionLevel
.Dq yes
or
.Dq no .
+.It Cm CheckHostIP
+If this flag is set to
+.Dq yes ,
+ssh will additionally check the host ip address in the
+.Pa known_hosts
+file. This allows ssh to detect if a host key changed due to DNS spoofing.
+If the option is set to
+.Dq no ,
+the check will not be executed.
.It Cm Cipher
Specifies the cipher to use for encrypting the session. Currently,
.Dq blowfish ,
Specifies the compression level to use if compression is enable. The
argument must be an integer from 1 (fast) to 9 (slow, best). The
default level is 6, which is good for most applications. The meaning
-of the values is the same as in GNU GZIP.
+of the values is the same as in
+.Xr gzip 1 .
.It Cm ConnectionAttempts
Specifies the number of tries (one per second) to make before falling
back to rsh or exiting. The argument must be an integer. This may be
host:port. Multiple forwardings may be specified, and additional
forwardings can be given on the command line. Only the root can
forward privileged ports.
-.It Cm PasswordAuthentication
-Specifies whether to use password authentication. The argument to
-this keyword must be
-.Dq yes
-or
-.Dq no .
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
.Nm ssh .
.It Cm NumberOfPasswordPrompts
Specifies the number of password prompts before giving up. The
argument to this keyword must be an integer. Default is 3.
+.It Cm PasswordAuthentication
+Specifies whether to use password authentication. The argument to
+this keyword must be
+.Dq yes
+or
+.Dq no .
.It Cm Port
Specifies the port number to connect on the remote host. Default is
22.
.Dq no .
The default is
.Dq no .
-.It Cm CheckHostIP
-If this flag is set to
-.Dq yes ,
-ssh will additionally check the host ip address in the
-.Pa known_hosts
-file. This allows ssh to detect if a host key changed due to DNS spoofing.
-If the option is set to
-.Dq no ,
-the check will not be executed.
.It Cm StrictHostKeyChecking
If this flag is set to
.Dq yes ,
.Dq yes
or
.Dq no .
-.It Cm User
-Specifies the user to log in as. This can be useful if you have a
-different user name in different machines. This saves the trouble of
-having to remember to give the user name on the command line.
-.It Cm UserKnownHostsFile
-Specifies a file to use instead of
-.Pa $HOME/.ssh/known_hosts .
.It Cm UsePrivilegedPort
Specifies whether to use a privileged port for outgoing connections.
The argument must be
.Cm RhostsAuthentication
and
.Cm RhostsRSAAuthentication .
+.It Cm User
+Specifies the user to log in as. This can be useful if you have a
+different user name in different machines. This saves the trouble of
+having to remember to give the user name on the command line.
+.It Cm UserKnownHostsFile
+Specifies a file to use instead of
+.Pa $HOME/.ssh/known_hosts .
.It Cm UseRsh
Specifies that rlogin/rsh should be used for this host. It is
possible that the host does not at all support the