Jochen Bern
2025-Jun-30 10:41 UTC
Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
Hello,

I applied major updates to the workplace machines, the effect being that ssh/scp/sftp now refuse to connect to a couple legacy hosts. I'll be pinpointing workarounds to access those, but once these are in place, I'd like to change .ssh/config so that when muscle memory does a "ssh too-old-host" again, I get output to the effect of "use the 'foo bar baz' command instead" (and ideally, OpenSSH itself does not even *attempt* to connect).

LocalCommand doesn't execute (because ssh never gets post auth), and ProxyCommand seems to be unable, too (because its output apparently gets swallowed *entirely* by ssh).

Is there an .ssh/config trick to that effect that I don't see? If not, may I suggest a config option "Refuse [optional message]" as a new feature?

(I'm *not* asking for a way to "*execute* something entirely different *instead* of ssh" because of several reasons - one being that it'd allow configs to get silently "backdoored" so as to connect target hosts by less-secure-than-policy-says methods.)

Thanks in advance,
-- 
Jochen Bern
Systemingenieur
Binect GmbH
Brian Candler
2025-Jun-30 11:09 UTC
Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
On 30/06/2025 11:41, Jochen Bern wrote:
> I'd like to change .ssh/config so that when muscle memory does a "ssh
> too-old-host" again, I get output to the effect of "use the 'foo bar
> baz' command instead" (and ideally, OpenSSH itself does not even
> *attempt* to connect).
> ...
> Is there an .ssh/config trick to that effect that I don't see?

You could abuse a text config setting, like

    Host foobar
        Hostname ": You should use ssh -O PubkeyAcceptedAlgorithms=+ssh-rsa"

which gives me:

    % ssh foobar
    ssh: Could not resolve hostname : You should use ssh -O PubkeyAcceptedAlgorithms=+ssh-rsa: nodename nor servname provided, or not known

Or BindInterface:

    % ssh foobar
    getifaddrs: You should use ssh -O PubkeyAcceptedAlgorithms=+ssh-rsa: no suitable addresses
    getifaddrs: You should use ssh -O PubkeyAcceptedAlgorithms=+ssh-rsa: no suitable addresses

Although of course, if that were the problem, you could simply apply the fix instead:

    Host foobar
        PubkeyAcceptedAlgorithms +ssh-rsa
Darren Tucker
2025-Jun-30 11:46 UTC
Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
On Mon, 30 Jun 2025 at 20:47, Jochen Bern <Jochen.Bern at binect.de> wrote:
> [...] I'd like to change .ssh/config so that when muscle memory does a
> "ssh too-old-host" again, I get output to the effect of "use the 'foo
> bar baz' command instead" (and ideally, OpenSSH itself does not even
> *attempt* to connect).
> [...]
> ProxyCommand seems to be unable, too (because its output apparently gets
> swallowed *entirely* by ssh).

Its stdout does (since that's its purpose), but its stderr doesn't:

    $ cat config
    ProxyCommand sh -c "echo use foo instead >&2"
    $ ssh -F ./config foo bar
    use foo instead
    Connection closed by UNKNOWN port 65535

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
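A per-host form of the stderr trick shown in Darren's run above, added here as an example and not taken from the thread or from OpenSSH itself; the host alias, the replacement command named in the message and the use of the %h token are assumptions for illustration.

```sshconfig
# Constructed example: scope the reminder to the one legacy host so that
# every other Host entry keeps connecting normally.
Host too-old-host
    # ProxyCommand's stdout is the byte stream ssh treats as the tunnel
    # to the server, so anything written there is consumed by ssh.
    # stderr passes straight through to the terminal, so the reminder
    # goes there. %h expands to the host name typed on the command line.
    # Exiting right away hands ssh an EOF on the tunnel, so no packet
    # ever leaves towards the remote host.
    ProxyCommand sh -c 'echo "%h: use the foo bar baz command instead" >&2; exit 1'
```

ssh still prints its own "Connection closed by UNKNOWN port 65535" line after the reminder and exits non-zero, exactly as in the run above; note that ProxyCommand executes whatever the configuration says, which is the "backdoored config" concern Jochen raises, so the file deserves the same ownership and permission checks as any script.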
Damien Miller
2025-Jul-04 00:48 UTC
Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
On Mon, 30 Jun 2025, Jochen Bern wrote:
> Hello, I applied major updates to the workplace machines, the effect being
> that ssh/scp/sftp now refuse to connect to a couple legacy hosts. I'll be
> pinpointing workarounds to access those, but once these are in place, I'd like
> to change .ssh/config so that when muscle memory does a "ssh too-old-host"
> again, I get output to the effect of "use the 'foo bar baz' command instead"
> (and ideally, OpenSSH itself does not even *attempt* to connect).

Try this:

    RefuseConnection "deprecated: use blah instead"

    $ ssh foo
    /home/djm/.ssh/config line 1: RefuseConnection: deprecated: use blah instead

(Name chosen for symmetry with the sshd_config RefuseConnection, though maybe that doesn't make sense...)

diff --git a/readconf.c b/readconf.c index 692dc15..39d5c8c 100644 --- a/readconf.c +++ b/readconf.c @@ -164,7 +164,7 @@ typedef enum { oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump, oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize, oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout, - oVersionAddendum, + oVersionAddendum, oRefuseConnection, oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -316,6 +316,7 @@ static struct { { "obscurekeystroketiming", oObscureKeystrokeTiming }, { "channeltimeout", oChannelTimeout }, { "versionaddendum", oVersionAddendum }, + { "refuseconnection", oRefuseConnection }, { NULL, oBadOption } }; @@ -2486,6 +2487,19 @@ parse_pubkey_algos: argv_consume(&ac); break; + case oRefuseConnection: + arg = argv_next(&ac, &av); + if (!arg || *arg == '\0') { + error("%.200s line %d: Missing argument.", + filename, linenum); + goto out; + } + if (*activep) { + fatal("%.200s line %d: RefuseConnection: %s", + filename, linenum, arg); + } + break; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); diff --git a/ssh_config.5 b/ssh_config.5 index 341249f..e8def9c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -1716,6 +1716,15 @@ disabling or enabling the OpenSSH host-bound authentication protocol extension required for restricted .Xr ssh-agent 1 forwarding. +.It Cm RefuseConnection +Allows a connection to be refused by the configuration file. +If this option is specified, then +.Xr ssh 1 +will terminate immediately before attempting to connect to the remote +host, display an error message that contains the argument to this keyword +and return a non-zero exit status. +This option may be useful to express reminders or warnings to the user via +.Nm . .It Cm RekeyLimit Specifies the maximum amount of data that may be transmitted or received before the session key is renegotiated, optionally followed by a maximum
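Review bot: In the readconf.c `case oRefuseConnection:` hunk, the `fatal()` fires while the configuration is being parsed, as soon as the keyword is seen in an active Host/Match block, so any ssh invocation that only reads the configuration for that host (rather than connecting) is terminated the same way; if that is intended, the ssh_config.5 wording "terminate immediately before attempting to connect" should say the refusal happens while the configuration is read. Also, because `fatal()` owns the exit path, the exit status is the generic fatal-error status rather than one specific to this option; printing the message with `error()` and exiting with a dedicated code would let scripts tell a deliberate refusal apart from a configuration syntax error.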
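Review bot: The ssh_config.5 hunk for `.It Cm RefuseConnection` does not say that the argument is a single word, so a message with spaces must be quoted, as in `RefuseConnection "deprecated: use blah instead"` above; add a sentence to that effect, and state that the option only takes effect in the Host or Match block it appears in, matching the `if (*activep)` check in readconf.c.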