Darren Tucker
2025-Jun-30 11:46 UTC
Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
On Mon, 30 Jun 2025 at 20:47, Jochen Bern <Jochen.Bern at binect.de> wrote:

> [...] I'd like to change .ssh/config so that when muscle memory does a
> "ssh too-old-host" again, I get output to the effect of "use the 'foo
> bar baz' command instead" (and ideally, OpenSSH itself does not even
> *attempt* to connect).
> [...]
> ProxyCommand seems to be unable, too (because its output apparently gets
> swallowed *entirely* by ssh).
>

Its stdout does (since that's its purpose), but its stderr doesn't:

$ cat config
ProxyCommand sh -c "echo use foo instead >&2"
$ ssh -F ./config foo bar
use foo instead
Connection closed by UNKNOWN port 65535

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker
2025-Jun-30 12:04 UTC
Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
On Mon, 30 Jun 2025 at 21:46, Darren Tucker <dtucker at dtucker.net> wrote:

> On Mon, 30 Jun 2025 at 20:47, Jochen Bern <Jochen.Bern at binect.de> wrote:
>
>> [...] I'd like to change .ssh/config so that when muscle memory does a
>> "ssh too-old-host" again, I get output to the effect of "use the 'foo
>> bar baz' command instead" (and ideally, OpenSSH itself does not even
>> *attempt* to connect).
>> [...]
>> ProxyCommand seems to be unable, too (because its output apparently gets
>> swallowed *entirely* by ssh).
>>
>
> Its stdout does (since that's its purpose), but its stderr doesn't:
>
> $ cat config
> ProxyCommand sh -c "echo use foo instead >&2"
> $ ssh -F ./config foo bar
> use foo instead
> Connection closed by UNKNOWN port 65535
>

You could also set LogLevel quiet to suppress the "connection closed":

$ cat config
Host bar
  ProxyCommand sh -c "echo use foo instead >&2"
  LogLevel quiet
$ ssh -F ./config bar
use foo instead

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Jochen Bern
2025-Jun-30 12:14 UTC
Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
On 30.06.25 13:46, Darren Tucker wrote:

> On Mon, 30 Jun 2025 at 20:47, Jochen Bern <Jochen.Bern at binect.de> wrote:
>
> > ProxyCommand seems to be unable, too (because its output apparently gets
> > swallowed *entirely* by ssh).
>
> Its stdout does (since that's its purpose), but its stderr doesn't:
>
> $ cat config
> ProxyCommand sh -c "echo use foo instead >&2"
>
> $ ssh -F ./config foo bar
> use foo instead
> Connection closed by UNKNOWN port 65535

Ah ... I had tried ">&2" *without* the additional explicit shell (level),
thanks, works well. Whereas ...

On 30.06.25 13:09, Brian Candler wrote:

> You could abuse a text config setting, like
>
> Host foobar
> Hostname ": You should use ssh -O PubkeyAcceptedAlgorithms=+ssh-rsa"

[...]

> Or BindInterface

... these both escape the ANSI control sequences I added, alas. :-3

> Although of course, if that were the problem, you could simply apply the
> fix instead:
> PubkeyAcceptedAlgorithms +ssh-rsa

I've been using a bunch of *those* for quite a while (because I upped my
*default* cryptalgorithm settings *beyond* the back-then OS policy some
time ago), and the OS Changelog's remark "OpenSSL libs now refuse
signatures with SHA-1" doesn't seem to be *exact*, either. What I've seen
getting *specifically* refused is my local ssh-agent signing with the
older (and shorter, 4kb) RSA keypair, but that doesn't seem to explain
*all* the now-failing connections, either ...

Thanks again,
--
Jochen Bern
Systems Engineer
Binect GmbH
Brian Candler
2025-Jun-30 12:26 UTC
Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
On 30/06/2025 12:46, Darren Tucker wrote:

> Its stdout does (since that's its purpose), but its stderr doesn't:

Aside: this doesn't work for me when session sharing options are applied:

------ 8< ------
Host foobar
  ProxyCommand sh -c "echo use foo instead >&2"

Host *
  ControlMaster auto
  ControlPersist 2
  ControlPath %d/tmp/ssh_mux_%h_%p_%r
------ 8< -------

% ssh foobar
Connection closed by UNKNOWN port 65535

And yet:

% ssh -v foobar
...
debug1: Local version string SSH-2.0-OpenSSH_9.9
use foo instead
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

I guess this is because the connection handler is being punted off to a
background process?
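
Added example, not part of any post in the thread: a shell script that rebuilds the configuration discussed above (the ProxyCommand and LogLevel stanza placed ahead of the session-sharing block) and prints what `ssh too-old-host` shows with and without a per-host `ControlPath none`. The `ControlPath none` override is this example's assumption about how to keep the message visible when session sharing is configured; the thread does not confirm it. The host name and message text are placeholders.

```shell
#!/bin/sh
# Added example: names, message and the ControlPath override are assumptions.

# Write a config whose first stanza retires "too-old-host". ssh_config uses
# the first value obtained for each option, so the stanza has to come before
# the "Host *" block. $2 is an optional extra line for the stanza.
write_config() {
    {
        printf 'Host too-old-host\n'
        printf '    ProxyCommand sh -c "echo use foo bar baz instead >&2"\n'
        printf '    LogLevel quiet\n'
        if [ -n "$2" ]; then printf '    %s\n' "$2"; fi
        printf '\nHost *\n'
        printf '    ControlMaster auto\n'
        printf '    ControlPersist 2\n'
        printf '    ControlPath %%d/tmp/ssh_mux_%%h_%%p_%%r\n'
    } > "$1"
}

# Run ssh against a throwaway config and print what reaches the terminal.
# -F keeps the user's and the system-wide config out of the picture; the
# ProxyCommand exits at once, so no network connection is opened.
terminal_output() {
    cfg=$(mktemp) || return 1
    write_config "$cfg" "$1"
    ssh -F "$cfg" too-old-host 2>&1 </dev/null
    rm -f "$cfg"
}

if command -v ssh >/dev/null 2>&1; then
    echo "session sharing only  : [$(terminal_output)]"
    echo "plus ControlPath none : [$(terminal_output 'ControlPath none')]"
fi
```
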