openssh unix dev - Jun 2025 - Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?

Hello, I applied major updates to the workplace machines, the effect 
being that ssh/scp/sftp now refuse to connect to a couple legacy hosts. 
I'll be pinpointing workarounds to access those, but once these are in 
place, I'd like to change .ssh/config so that when muscle memory does a 
"ssh too-old-host" again, I get output to the effect of "use the
'foo
bar baz' command instead" (and ideally, OpenSSH itself does not even 
*attempt* to connect).

LocalCommand doesn't execute (because ssh never gets post auth), and 
ProxyCommand seems to be unable, too (because its output apparently gets 
swallowed *entirely* by ssh).

Is there an .ssh/config trick to that effect that I don't see?
If not, may I suggest a config option "Refuse [optional message]" as a
new feature?

(I'm *not* asking for a way to "*execute* something entirely different 
*instead* of ssh" because of several reasons - one being that it'd
allow
configs to get silently "backdoored" so as to connect target hosts by 
less-secure-than-policy-says methods.)

Thanks in advance,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4336 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250630/8b4c2308/attachment-0001.p7s>

On 30/06/2025 11:41, Jochen Bern wrote:
> I'd like to change .ssh/config so that when muscle memory does a
"ssh
> too-old-host" again, I get output to the effect of "use the
'foo bar
> baz' command instead" (and ideally, OpenSSH itself does not even 
> *attempt* to connect).
> ...
> Is there an .ssh/config trick to that effect that I don't see? 
You could abuse a text config setting, like

Host foobar
Hostname ": You should use ssh -O PubkeyAcceptedAlgorithms=+ssh-rsa"

which gives me:

% ssh foobar
ssh: Could not resolve hostname : You should use ssh -O 
PubkeyAcceptedAlgorithms=+ssh-rsa: nodename nor servname provided, or 
not known

Or BindInterface:

% ssh foobar
getifaddrs: You should use ssh -O PubkeyAcceptedAlgorithms=+ssh-rsa: no 
suitable addresses
getifaddrs: You should use ssh -O PubkeyAcceptedAlgorithms=+ssh-rsa: no 
suitable addresses


Although of course, if that were the problem, you could simply apply the 
fix instead:

Host foobar
PubkeyAcceptedAlgorithms +ssh-rsa

On Mon, 30 Jun 2025 at 20:47, Jochen Bern <Jochen.Bern at binect.de>
wrote:
> [...] I'd like to change .ssh/config so that when muscle memory does a
> "ssh too-old-host" again, I get output to the effect of "use
the 'foo
> bar baz' command instead" (and ideally, OpenSSH itself does not
even
> *attempt* to connect).
> [...]
> ProxyCommand seems to be unable, too (because its output apparently gets
> swallowed *entirely* by ssh).
>
Its stdout does (since that's its purpose), but its stderr doesn't:

$ cat config
ProxyCommand sh -c "echo use foo instead >&2"

$ ssh -F ./config foo bar
use foo instead
Connection closed by UNKNOWN port 65535

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

On Mon, 30 Jun 2025, Jochen Bern wrote:
> Hello, I applied major updates to the workplace machines, the effect being
> that ssh/scp/sftp now refuse to connect to a couple legacy hosts. I'll
be
> pinpointing workarounds to access those, but once these are in place,
I'd like
> to change .ssh/config so that when muscle memory does a "ssh
too-old-host"
> again, I get output to the effect of "use the 'foo bar baz'
command instead"
> (and ideally, OpenSSH itself does not even *attempt* to connect).
Try this:

RefuseConnection "deprecated: use blah instead"

$ ssh foo
/home/djm/.ssh/config line 1: RefuseConnection: deprecated: use blah instead

(Name chosen for symmetry with the sshd_config RefuseConnnection, though
maybe that doesn't make sense...)

diff --git a/readconf.c b/readconf.c
index 692dc15..39d5c8c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -164,7 +164,7 @@ typedef enum {
 	oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
 	oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
 	oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
-	oVersionAddendum,
+	oVersionAddendum, oRefuseConnection,
 	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -316,6 +316,7 @@ static struct {
 	{ "obscurekeystroketiming", oObscureKeystrokeTiming },
 	{ "channeltimeout", oChannelTimeout },
 	{ "versionaddendum", oVersionAddendum },
+	{ "refuseconnection", oRefuseConnection },
 
 	{ NULL, oBadOption }
 };
@@ -2486,6 +2487,19 @@ parse_pubkey_algos:
 		argv_consume(&ac);
 		break;
 
+	case oRefuseConnection:
+		arg = argv_next(&ac, &av);
+		if (!arg || *arg == '\0') {
+			error("%.200s line %d: Missing argument.",
+			    filename, linenum);
+			goto out;
+		}
+		if (*activep) {
+			fatal("%.200s line %d: RefuseConnection: %s",
+			    filename, linenum, arg);
+		}
+		break;
+
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
diff --git a/ssh_config.5 b/ssh_config.5
index 341249f..e8def9c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1716,6 +1716,15 @@ disabling or enabling the OpenSSH host-bound
authentication protocol
 extension required for restricted
 .Xr ssh-agent 1
 forwarding.
+.It Cm RefuseConnection
+Allows a connection to be refused by the configuration file.
+If this option is specified, then
+.Xr ssh 1
+will terminate immediately before attempting to connect to the remote
+host, display an error message that contains the argument to this keyword
+and return a non-zero exit status.
+This option may be useful to express reminders or warnings to the user via
+.Nm .
 .It Cm RekeyLimit
 Specifies the maximum amount of data that may be transmitted or received
 before the session key is renegotiated, optionally followed by a maximum