Disables authentication agent forwarding. In the factory settings, agent forwarding is enabled.

Enables authentication agent forwarding. In the factory settings, agent forwarding is enabled, but it can be denied in the Connection Broker configuration file, in which case users cannot enable it on the command-line and this +a will be ignored.

Uses batch mode. Fails authentication if it requires user interaction on the terminal.

Using batch mode requires that you have previously saved the server host key on the client and set up a non-interactive method for user authentication (for example, host-based authentication or public-key authentication without a passphrase).

Disables compression from the current connection.

Enables zlib compression for this particular connection.

Sets the allowed ciphers to be offered to the server. List the cipher names in a comma-separated list. For example:

--ciphers seed-cbc@ssh.com,aes256-cbc

Enter help as the value to view the currently supported cipher names.

Sets the debug level. LEVEL is a number from 0 to 99, where 99 specifies that all debug information should be displayed. This should be the first argument on the command line.

	Note
	Option -D only applies on Unix. On Windows, instead of this command-line tool, use the Connection Broker debugging options -D, -l.

	Note
	The debug level can be set only when the sshg3 command starts the Connection Broker. This option has no effect in the command if the Connection Broker is already running.

Sets escape character (none: disabled, default: ~).

Forks into background mode after authentication (Unix only). Use this option with tunnels and remote commands. Implies -S (unless a command is specified). When tunnels have been specified, this option makes sshg3 stay in the background, so that it will wait for connections indefinitely. sshg3 has to be killed to stop listening.

Gateways ports, which means that also other hosts may connect to locally forwarded ports. This option has to be specified before the "-L" option. Note the logic of + and - in this option.

Does not gateway ports. Listens to tunneling connections originating only from the localhost. This is the default value. Note the logic of + and - in this option.

Defines that private keys defined in the identification file are used for public-key authentication.

Defines that the given key file of a private key or certificate is used in user authentication. The path to the key file is given in the command.

If the file is a private key, it will be read and compared to the keys already known by the Connection Broker key store. If the key is not known, it will be decoded and added to the key store temporarily. If the file is a certificate and Connection Broker knows a matching private key, it will be used. Both the certificate and the private key can be given using multiple -K options on command line.

Forwards a port on the local (client) host to a remote destination host and port.

This allocates a listener port (listen-port) on the local client. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the remote server and another connection is made from the server to a specified destination host and port (dst-host:dst-port). The connection from the server onwards will not be secure, it is a normal TCP connection.

Giving the argument protocol enables protocol-specific forwarding. The protocols implemented are tcp (default, no special processing), ftp (temporary forwarding is created for FTP data channels, effectively securing the whole FTP session), and socks.

With the socks protocol, the syntax of the argument is "-L socks/[listen-address:]listen-port". When this is set, Tectia Client or ConnectSecure will act as a SOCKS server for other applications, creating forwards as requested by the SOCKS transaction. This supports both SOCKS4 and SOCKS5.

If listen-address is given, only that interface on the client is listened. If it is omitted, all interfaces are listened.

Logs in using this username.

Sets the allowed MACs to be offered to the server. List the MAC names in a comma-separated list. For example:

--macs hmac-sha1-96,hmac-md5,hmac-md5-96

Enter help as the value to view the currently supported MAC names.

Sets the allowed key exchange (KEX) methods to be offered to the server. List the KEX names in a comma-separated list. For example:

--kexs diffie-hellman-group14-sha224@ssh.com,diffie-hellman-group14-sha256@ssh.com

Enter help as the value to view the currently supported KEX methods.

Due to issues in OpenSSL, the following KEXs cannot operate in the FIPS mode: diffie-hellman-group15-sha256@ssh.com and diffie-hellman-group15-sha384@ssh.com.

Sets the allowed host key algorithms to be offered to the server. List the host key algorithms in a comma-separated list. For example:

--hostkey-algs ssh-dss-sha224@ssh.com,ssh-dss-sha256@ssh.com

Enter help as the value to view the currently supported host key algorithms.

Redirects input from /dev/null (Unix) and from NUL (Windows).

Processes an option as if it was read from a Tectia Client 4.x-style configuration file. The supported options are ForwardX11, ForwardAgent, AllowedAuthentications and PidFile. For example, -o "ForwardX11=yes". Also -o "PidFile=/tmp/sshg3.pid" makes sshg3 to store its process ID into file "/tmp/sshg3.pid" if it goes into background.

Sets user password that the client will send as a response to password authentication. The PASSWORD can be given directly as an argument to this option (not recommended). Better alternatives are entering a path to a file containing the password (--password=file://PASSWORDFILE), or entering a path to a program or script that outputs the password (--password=extprog://PROGRAM).

When using the extprog:// option to refer to a shell script, make sure the script also defines the user's shell, and outputs the actual password. Otherwise the executed program fails, because it does not know what shell to use for the shell script. For example, if the password string is defined in a file named my_password.txt, and you want to use the bash shell, include these lines in the script:

#!/usr/bash
cat /full/pathname/to/my_password.txt

Caution

Supplying the password on the command line is not a secure option. For example, in a multi-user environment, the password given directly on the command line is trivial to recover from the process table. You should set up a more secure way to authenticate. For non-interactive batch jobs, it is more secure to use public-key authentication without a passphrase, or host-based authentication. At a minimum, use a file or a program to supply the password.

Connects to this port on the remote host. A Secure Shell server must be listening on the same port.

Quiet mode, reports only fatal errors. This option overrides the quiet-mode setting made in the Connection Broker configuration file.

Forwards a port on the remote (server) host to a destination host and port on the local side.

This allocates a listener port (listen-port) on the remote server. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the local client and another connection is made from the client to a specified destination host and port (dst-host:dst-port). The connection from the client onwards will not be secure, it is a normal TCP connection.

Giving the argument protocol enables protocol-specific forwarding. The protocols implemented are tcp (default, no special processing) and ftp (temporary forwarding is created for FTP data channels, effectively securing the whole FTP session).

If listen-address is given, only that interface on the server is listened. If it is omitted, all interfaces are listened.

Does not request a session channel. This can be used with port-forwarding requests if a session channel (and tty) is not needed, or the server does not give one.

Requests a session channel. This is the default value.

Sets a subsystem or a service to be invoked on the remote server. The subsystem is specified as a remote command. For example: sshg3 -s sftp <server>

Allocates a tty even if a command is given.

Uses verbose mode. More information or error diagnostics are output if a connection fails.

Does not try an empty password.

Tries an empty password.

Disables X11 connection forwarding. This is the default value.

Enables X11 connection forwarding.

Sets the Connection Broker log file to FILE. This option works only if ssh-broker-g3 gets started by this process).

Aborts if creating a tunnel listener fails (for example, if the port is already reserved).

Defines the only allowed methods that can be used in user authentication. List the methods in a comma-separated list. Enter help as the value to view the currently supported authentication methods.

Sets the allowed compression methods to be offered to the server. List the methods in a comma-separated list.

Enter help as the value to view the currently supported compression methods.

Defines that a new connection will be opened for each connection attempt, otherwise Connection Broker can reuse recently closed connections.

Defines that the ID of the private key is used in user authentication. The ID can be Connection Broker-internal ordinary number of the key, the key hash or the key file name.

Defines the private key used in user authentication with the corresponding public key hash.

Defines that the Connection Broker-internal ordinary number of the key is used in user authentication.

Defines how often keep-alive messages are sent to the Secure Shell server. Enter the value as seconds. The default value is 0, meaning that keep-alive messages are disabled.

When this option is used, the defined environment variables are passed to the server from the client side. The environment variables are applied on the server when requesting a command, shell or subsystem.

Note that the server can restrict the setting of environment variables.

You can also configure the environment variables to be passed to the server in the ssh-broker-config.xml configuration file with the <remote-environment> element in the default-settings and per profile. See remote-environment.

If the same variable is entered on the command-line client and configured in the ssh-broker-config.xml, the command-line version will be used.

The defined environment variables are passed to the server from the client side. The Connection Broker processes the value before sending it to the server.

You can use %U in the value to indicate a user name. The Connection Broker replaces the %U with the actual user name before sending it to the server.

For more information, see the --remote-environment option above.

Defines a timeout period (in seconds) for establishing a TCP connection to the Secure Shell server. Enter the value as a positive number.

Displays program version and exits.

Displays a short summary of command-line options and exits.

Runs the command on a remote host.

Enables a service in remote server.

Terminates the connection.

Suspends the session.

Sends the escape character literally.

Lists forwarded connections.

Disables the escape character irrevocably.

Displays a summary of escape sequences.

Initiates rekeying manually.

Gives connection statistics, including server and client version, packets in, packets out, compression, key exchange algorithms, public-key algorithms, and symmetric ciphers.

Uploads the chosen public key automatically to the server. If the user has only one key, it will be uploaded. Otherwise the largest key with a name that matches id_dsa_<size>_a will be selected.

Uploads a public key to the server. A list of available keys is printed and the user is prompted to select one to be uploaded.

Gives statistics for individual channels (data window sizes etc). This is for debugging purposes.

Dumps the client version number to stderr (useful for troubleshooting).

The DISPLAY variable indicates the location of the X11 server. It is automatically set by the server to point to a value of the form hostname:n where hostname indicates the host on which the server and the shell are running, and n is an integer greater than or equal to 1. sshg3 uses this special value to forward X11 connections over the secure channel.

The user should normally not set DISPLAY explicitly, as that will render the X11 connection unsecured (and will require the user to manually copy any required authorization cookies).

The user's home directory.

Synonym for USER; set for compatibility with systems using this variable.

The user's mailbox.

Set to the default PATH, depending on the operating system or, on some systems, /etc/environment or /etc/default/login.

The address of the SOCKS server used by sshg3.

If this exists, it is used to indicate the path of a Unix-domain socket used to communicate with the authentication agent (or its local representative).

Identifies the client end of the connection. The variable contains three space-separated values: client IP address, client port number, and server port number.

This will be the original command given to sshg3 if a forced command is run. It can be used, for example, to fetch arguments from the other end. This does not have to be a real command, it can be the name of a file, device, parameters or anything else.

This is set to the name of the tty (path to the device) associated with the current shell or command. If the current session has no tty, this variable is not set.

The time-zone variable is set to indicate the present time zone if it was set when the server was started (the server passes the value to new connections).

The name of the user.