PORT FORWARDING

-R is if you want to permit access "to a final destination your your computer".
-L is what I usually want, so that I can forward to a web server or Sun
 server out of my immediate control.

ssh -gfNxL local-listen-port:dest-host:dest-port midu@mid-host:middle-port
    This starts up a normal shell on mid-host as the midu.
    While that shell runs, connections to destu@local-host:local-listen-port
     will be forwarded to destu@dest-host:dest-port.
    The midu@mid-host shell will block (before exiting) on any connections
     using it.

VERY USEFUL ssh SWITCHES
    -f:  Foreground just for authentication
    -o 'UserKnownHostsFile /tmp/kh':  Override the normal knownhosts file.
    -o 'StrictHostKeyChecking no':  Automatically contain knownhosts file.
    -o 'PreferredAuthentications publickey,password'
    -X: enable X forwarding (default /etc/ssh/ssh_config prohibits X
        forwarding )
    -x: disable X forwarding
    -F ~/ssh/config.file
    -i identity.file

VERY USEFUL scp SWITCHES
    -p:  Perms
    -C:  Compress
    -r:  Recursive
    -o 'UserKnownHostsFile /tmp/kh':  Override the normal knownhosts file.
    -o 'StrictHostKeyChecking no':  Automatically contain knownhosts file.
    -o 'PreferredAuthentications publickey,password'

~/.ssh/config precedence
All qualifying (via host matching) settings are applied in the order given,
but only the first match for each setting is applied.
Specificity of host-matching doesn't matter.
Therefore, put SPECIFIC settings high in file and defaults down bottom.
For example:
    host x
        hostname localhost
    host *
        user star
        hostname override
"ssh x" would result in applying hostname=localhost, user=star

sshfs seems a better way to gvim a remote file, because X forwarding of gvim
always crashes for me, both on Suse and ArchLinux.
https://stackoverflow.com/questions/2136127/how-to-use-gvim-to-edit-a-remote-file#3712291


KnownHosts
SSH will ALWAYS write a KnownHosts record.  Dumb.
Closest you can get to not doing the check is to set strict* to no, and set the file to /dev/null so it will write to nowhere.


PreferredAuthentications
private key access is:  publickey
password is obviously...
keyboard-interactive supports PAM and SSO and will do passwords if the host is configured to.

'Authentication' (aka "method") for Kerberos is "gssapi-with-mic".


ENV SETUP
~/.ssh/environment.  Only honored if sshd sets PermitUserEnvironment
~/.ssh/rc  Can only write to stderr, not stdout
  If using X, must invoke xauth
  Env variable settings do not persist.