from user “john”, if PermitRootLogin is set to “forced-commands-only”:

    tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
    tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john

Since an SSH-based setup entails a fair amount of overhead, it may be
more suited to temporary setups, such as for wireless VPNs. More
permanent VPNs are better provided by tools such as ipsecctl(8) and
isakmpd(8).
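
When PermitRootLogin is “forced-commands-only”, root public-key logins are accepted only for keys that carry a command= option, so it is worth checking that every entry in root's authorized_keys has one. The following audit is an added example, not part of the manual or of OpenSSH; the function names are hypothetical and the sample keys are placeholders.

```python
import re

KEYTYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")  # assumption: prefixes of OpenSSH key types

def split_options(line):
    """Return (options dict, rest of line); honours quoted values and escaped quotes."""
    if KEYTYPE.match(line):
        return {}, line                      # line starts with the key type: no options
    opts, buf, in_quote, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote and line[i + 1:i + 2] == '"':
            buf += '"'                       # \" inside a quoted value is a literal quote
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:      # unquoted comma separates options
            opts.append(buf)
            buf = ""
        elif c in " \t" and not in_quote:    # unquoted whitespace ends the options field
            break
        else:
            buf += c
        i += 1
    opts.append(buf)
    parsed = {o.partition("=")[0].lower(): o.partition("=")[2] for o in opts}
    return parsed, line[i:].strip()

def audit(text):
    """Yield (comment, tunnel, command, ok) per key; ok means a forced command is set."""
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split(None, 2)         # key type, key body, comment
        comment = fields[2] if len(fields) > 2 else ""
        yield comment, opts.get("tunnel"), opts.get("command"), "command" in opts

# Constructed sample: the page's two entries (key bodies are placeholders) plus one bare key.
SAMPLE = '''\
tunnel="1",command="sh /etc/netstart tun1" ssh-rsa AAAAPLACEHOLDER jane
tunnel="2",command="sh /etc/netstart tun2" ssh-rsa AAAAPLACEHOLDER john
ssh-ed25519 AAAAPLACEHOLDER backup
'''

if __name__ == "__main__":
    for comment, tun, cmd, ok in audit(SAMPLE):
        print(f"{comment:8} tunnel={tun} command={cmd!r} {'ok' if ok else 'NO FORCED COMMAND'}")
```
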
ENVIRONMENT
ssh will normally set the following environment variables:
DISPLAY               The DISPLAY variable indicates the location of the
                      X11 server. It is automatically set by ssh to
                      point to a value of the form “hostname:n”, where
                      “hostname” indicates the host where the shell
                      runs, and ‘n’ is an integer ≥ 1. ssh uses this
                      special value to forward X11 connections over the
                      secure channel. The user should normally not set
                      DISPLAY explicitly, as that will render the X11
                      connection insecure (and will require the user to
                      manually copy any required authorization cookies).
HOME                  Set to the path of the user’s home directory.
LOGNAME               Synonym for USER; set for compatibility with
                      systems that use this variable.
MAIL                  Set to the path of the user’s mailbox.
PATH                  Set to the default PATH, as specified when
                      compiling ssh.
SSH_ASKPASS           If ssh needs a passphrase, it will read the
                      passphrase from the current terminal if it was run
                      from a terminal. If ssh does not have a terminal
                      associated with it but DISPLAY and SSH_ASKPASS are
                      set, it will execute the program specified by
                      SSH_ASKPASS and open an X11 window to read the
                      passphrase. This is particularly useful when
                      calling ssh from a .xsession or related script.
                      (Note that on some machines it may be necessary to
                      redirect the input from /dev/null to make this
                      work.)
SSH_ASKPASS_REQUIRE   Allows further control over the use of an askpass
                      program. If this variable is set to “never” then
                      ssh will never attempt to use one. If it is set
                      to “prefer”, then ssh will prefer to use the
                      askpass program instead of the TTY when requesting
                      passwords. Finally, if the variable is set to
                      “force”, then the askpass program will be used for
                      all passphrase input regardless of whether DISPLAY
                      is set.
SSH_AUTH_SOCK         Identifies the path of a Unix-domain socket used
                      to communicate with the agent.
SSH_CONNECTION        Identifies the client and server ends of the
                      connection. The variable contains four
                      space-separated values: client IP address, client
                      port number, server IP address, and server port
                      number.
SSH_ORIGINAL_COMMAND  This variable contains the original command line
                      if a forced command is executed. It can be used
                      to extract the original arguments.
SSH_TTY               This is set