On 2/18/22 13:36, Brian Candler wrote:
[snip]
> (Idea is to make a direct connection to a host on IPv6 where possible,
> but when connecting from an IPv4-only network fallback to SOCKS)

Several people have written about something similar in various blog
posts and microblog posts in recent years[1]. Use of Match Exec in
ssh_config(5) seems to be the way that is approached:

    Match host ipv6only.example.org
        User fred

    Match host ipv6only.example.org !exec "route -n get -inet6 %h"
        ProxyJump dualstack.example.org

That would allow you to connect directly to the one system if there is
IPv6 connectivity and hop through a bastion / jump host first if only
IPv4 connectivity is possible. The match blocks can be made more
general with patterns, of course.

Exec could use route(8), ping(8), nc(1), or a custom script.

In order to use a SOCKS5 proxy in place of a jump host, ProxyCommand
could use nc(1) in place of a plain ProxyJump.

/Lars

[1] Since it doesn't seem to be such a rare task, I've put a summary in
a section of this chapter:
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Conditional_Use_of_Jump_Hosts
On Fri, Feb 18, 2022 at 02:13:15PM +0200, Lars Noodén wrote:
> On 2/18/22 13:36, Brian Candler wrote:
> [snip]
> > (Idea is to make a direct connection to a host on IPv6 where possible,
> > but when connecting from an IPv4-only network fallback to SOCKS)
>
> Several people have written about something similar in various blog
> posts and microblog posts in recent years[1]. Use of Match Exec in
> ssh_config(5) seems to be the way that is approached:
>
> Match host ipv6only.example.org
>     User fred
>
> Match host ipv6only.example.org !exec "route -n get -inet6 %h"
>     ProxyJump dualstack.example.org
>
> That would allow you to connect directly to the one system if there is
> IPv6 connectivity and hop through a bastion / jump host first if only
> IPv4 connectivity is possible. The match blocks can be made more
> general with patterns, of course.
>
> Exec could use route(8), ping(8), nc(1), or a custom script.
>
I have something similar that detects whether I am on the same LAN as
the destination system, and uses ProxyJump if not:-

    #
    #
    # esprimo may be remote or local (particularly from t470), if it's remote
    # connect via cheddar.halon.
    #
    Match host esprimo exec "! ping -w 1 -c 1 esprimo >/dev/null 2>&1"
        Hostname zbmc.eu
        ProxyJump cheddar.halon.org.uk

-- 
Chris Green
On Fri, 18 Feb 2022 14:13:15 +0200
Lars Noodén <lars.nooden at gmx.com> wrote:
[SNIP]
> Use of Match Exec in
> ssh_config(5) seems to be the way that is approached:
>
> Match host ipv6only.example.org
>     User fred
>
> Match host ipv6only.example.org !exec "route -n get -inet6 %h"
>     ProxyJump dualstack.example.org
>
> That would allow you to connect directly to the one system if there is
> IPv6 connectivity and hop through a bastion / jump host first if only
> IPv4 connectivity is possible. The match blocks can be made more
> general with patterns, of course.
>
> Exec could use route(8), ping(8), nc(1), or a custom script.

Okay, that is super cool. I took a look at that wiki page and learned
some things.

> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Conditional_Use_of_Jump_Hosts

This reminds me of a related thing I've been wondering about. For the
second case mentioned in that wiki page, which depends on whether you're
connected to a given LAN or not, wouldn't it be nice to have a
convenient and hard-to-spoof way to check that, rather than blindly
trust hostnames? I keep thinking that seems like something ssh could do
very well, but so far I haven't figured out how to approach it.

Can I instruct ssh to (for example) initiate a connection with
192.168.1.1, authenticate the remote host's identity against a custom
known_hosts file, hang up without trying to log in or anything, and
return a simple yes/no - or better, on success return the line number
of the matching known_hosts entry?

Any suggestions?

Cheers!

-Chris
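One way to build the check Chris asks for, as an added example that is not from anyone in the thread: a small sh helper that fetches the LAN host's key with ssh-keyscan (which never logs in), compares it exactly against a custom known_hosts file, prints the matching line number, and uses its exit status as the yes/no that "Match ... exec" consumes. The script and file names on-lan.sh and lan_known_hosts, and the use of an unhashed known_hosts file, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): use the SSH host key of a LAN host as
# the "am I on that LAN?" test for Match exec. A hostname or a ping reply can
# be faked by any network; the host key cannot without the private key.
# Assumes ssh-keyscan is installed and the custom known_hosts file is
# unhashed (HashKnownHosts no): hashed "|1|..." lines are never matched.
set -f   # no globbing: known_hosts host fields may contain * and ?

# find_key_line FILE HOST KEYTYPE KEYBLOB
# Print the 1-based line number of the first entry whose host field lists
# HOST and whose key type and base64 blob are byte-for-byte equal; exit 1
# otherwise. Exact comparison, so a key sharing only a prefix does not match.
find_key_line() {
    file=$1 host=$2 type=$3 blob=$4 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;            # blank lines and comments
        esac
        set -- $line                        # fields: hosts type key [comment]
        [ "$2" = "$type" ] && [ "$3" = "$blob" ] || continue
        case ",$1," in                      # host field is comma-separated
            *",$host,"*) echo "$n"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# on_lan HOST KNOWN_HOSTS_FILE
# Fetch HOST's ed25519 key with a 2 s timeout, then check it against the
# file. Intended ssh_config use, assuming the script lives at ~/.ssh/on-lan.sh:
#   Match host esprimo !exec "~/.ssh/on-lan.sh 192.168.1.1 ~/.ssh/lan_known_hosts"
#       ProxyJump cheddar.halon.org.uk
on_lan() {
    scanned=$(ssh-keyscan -t ed25519 -T 2 "$1" 2>/dev/null) || return 1
    [ -n "$scanned" ] || return 1
    set -- $scanned "$2"                    # host type blob file
    find_key_line "$4" "$1" "$2" "$3"
}

# Run directly: on-lan.sh HOST FILE. Sourced: only the functions are defined.
case $0 in
    *on-lan.sh) on_lan "$@" ;;
esac
```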