Jochen Bern
2024-Mar-28 20:16 UTC
Compounding global and individual settings in ssh-config files?
Hello everyone,

my workplace has gotten the idea of centrally maintaining a file in ssh_config syntax so that employees do not need to discover every new machine and configure it on their own. Since it's a case of "let's get started now, and properly think it through later", right now, a typical entry might look like

> Host [product]-[Customer]
>     Hostname [privateIP]
>     user [primaryAccount]
>     ProxyCommand nc -x 127.0.0.1:2124 -X 5 %h %p

(with the parts in [] varying from one machine to the next) - and if you know how disparate the options of "nc"/netcat can look from one distrib to the next, you'll immediately know why this suggestion has me concerned. :-}

I suppose that *this* particular instance of the problem can be mostly fixed, either by switching to "ProxyJump" (referring to a config entry that every user maintains himself) or with a wrapper script¹, but it has me wondering: Are there plans, or even better already-implemented mechanisms, that would allow entries in (global) config files to "inherit"² single config lines preset in another (individual) config file?³

¹ Note that as of now, the names do *not* include which platform the machine is running on, but the proper proxying depends on that. So, no using "Host" blocks with patterns unless I can get everyone to use *my* host-naming style. :-/

² Please take the term with a planetoid of salt. I do not have a preference whether it should be, or act like, "inheritance" like in Nagios object configs, "includes", "variables", "templates", or whatever. :-3

³ Yes, I suppose that providing just the main data - name, IP, user, port (if nonstandard) and which proxy to use - from a central source and individually turning that into an ssh_config with some preprocessor could also prove a powerful solution here ...

Thanks in advance,
--
Jochen Bern
Systemingenieur
Binect GmbH
Jim Knoble
2024-Mar-28 20:56 UTC
Compounding global and individual settings in ssh-config files?
> On Mar 28, 2024, at 13:24, Jochen Bern <Jochen.Bern at binect.de> wrote:
>
> [ProxyCommand with 'nc'...] if you know how disparate the options of "nc"/netcat can look from one distrib to the next, you'll immediately know why this suggestion has me concerned. :-}

I may be misremembering or completely wrong, but isn't 'ssh -W' intended to be a replacement for 'nc' in ProxyCommands?
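A concrete before/after for the `nc` ProxyCommand from the original post, added here as an illustration; it is not part of the thread and not an OpenSSH-project example. It assumes that the SOCKS5 listener on 127.0.0.1:2124 is in fact an `ssh -D 2124` session to a bastion the user can reach directly, and the names `widget-acme`, `bastion`, `bastion.example.net` and the addresses are made up for the example.

```sshconfig
# Before (as in the central file): works only where "nc" is the OpenBSD
# flavour that understands "-x proxy:port" and "-X 5" (SOCKS5). netcat-
# traditional and nmap's ncat spell this differently or not at all, so the
# same central file behaves differently from one employee's box to the next.
Host widget-acme
    Hostname 10.1.2.3
    User admin
    ProxyCommand nc -x 127.0.0.1:2124 -X 5 %h %p

# After: assuming the SOCKS listener on 2124 was opened by "ssh -D 2124 bastion",
# skip the SOCKS hop and let ssh itself tunnel the connection via the bastion.
# (Alternative stanza for the same host; not meant to coexist with the one above.)
Host bastion
    Hostname bastion.example.net      # assumed name of the SOCKS session's target
    User admin

Host widget-acme
    Hostname 10.1.2.3
    User admin
    # OpenSSH 7.3+. The older spelling with the same effect, usable as a
    # ProxyCommand since OpenSSH 5.4, is:
    #   ProxyCommand ssh -W %h:%p bastion
    ProxyJump bastion
```

`ssh -G widget-acme` prints the fully resolved options (hostname, user, proxyjump/proxycommand) without connecting, which is the quickest way to confirm which stanza and which file actually won. Note that neither form removes host-key verification: the bastion's key is checked on the first hop, and the target's known_hosts entry is still keyed on its Hostname (here 10.1.2.3), so each user still has to verify and pin it on first use.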
chris
2024-Mar-28 22:02 UTC
Compounding global and individual settings in ssh-config files?
On Thu, Mar 28, 2024 at 09:16:56PM +0100, Jochen Bern wrote:
> ...
> Are there plans, or even better already-implemented mechanisms,
> that would allow entries in (global) config files to "inherit"² single
> config lines preset in another (individual) config file?³
> ...

Check the `Include` section of the ssh_config manpage

-c
Damien Miller
2024-Mar-29 04:36 UTC
Compounding global and individual settings in ssh-config files?
On Thu, 28 Mar 2024, Jochen Bern wrote:

> I suppose that *this* particular instance of the problem can be mostly fixed,
> either by switching to "ProxyJump" (referring to a config entry that every
> user maintains himself) or with a wrapper script¹, but it has me wondering:
> Are there plans, or even better already-implemented mechanisms, that would
> allow entries in (global) config files to "inherit"² single config lines
> preset in another (individual) config file?³

This isn't exactly what you asked for, but you might be able to solve this problem using Tag / match tagged, but it involves almost the opposite of inheritance.
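A sketch of the `Include` plus `Tag` / `Match tagged` layout the two replies point at, added here as an example and not code from the thread or from the OpenSSH project. It assumes a central file at `/etc/ssh/company_hosts` (path, host names, tags, addresses and user names are all made up) and OpenSSH 9.2 or later, which is where `Tag` and `Match tagged` appeared. The central file only states facts about each machine and assigns a tag; each employee's own `~/.ssh/config` decides what a tag means on that particular box, which is the "opposite of inheritance" shape: the central file does not inherit from the user's, the user's file reacts to what the central one declared.

```sshconfig
# ---- /etc/ssh/company_hosts: centrally maintained, no proxying details ----
Host widget-acme
    Hostname 10.1.2.3
    User admin
    Tag linux-socks

Host widget-globex
    Hostname 10.9.8.7
    Port 2222
    User svc_ops
    Tag windows-jump

# ---- ~/.ssh/config: each employee's own file ----
# ssh takes the FIRST value it obtains for any option, so personal overrides
# of central settings must come before the Include.
Host widget-globex
    User jbern                       # wins over the central "User svc_ops"

# "Match tagged" only sees a Tag set earlier in the parse, so the central
# file has to be pulled in here, ahead of the Match blocks, rather than
# relying on /etc/ssh/ssh_config (which is read after ~/.ssh/config).
Include /etc/ssh/company_hosts

# What each tag means on THIS machine is the user's business.
Match tagged linux-socks
    ProxyCommand nc -x 127.0.0.1:2124 -X 5 %h %p    # or ncat --proxy ..., or ProxyJump

Match tagged windows-jump
    ProxyJump win-bastion

Host win-bastion
    Hostname bastion-w.example.net
    User jbern
```

`ssh -G widget-globex` shows the merged result (user `jbern`, port 2222, proxyjump `win-bastion`), and `ssh -P windows-jump some-other-host` lets a user apply a tag from the command line for a machine the central file does not know about yet. The check to keep in mind when reviewing such a layout is ordering: a `Match tagged` block placed above the `Include` silently matches nothing, and a central option placed above a user's override silently wins.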