Connect direct and fallback

Chris Mitchell ssh-list at chris.oldnest.ca
Thu Mar 17 22:57:37 AEDT 2022


On Fri, 18 Feb 2022 14:13:15 +0200
Lars Noodén <lars.nooden at gmx.com> wrote:

[SNIP]
> Use of Match Exec in
> ssh_config(5) seems to be the way that is approached:
> 
>   Match host ipv6only.example.org
>          User fred
> 
>   Match host ipv6only.example.org !exec "route -n get -inet6 %h"
>          ProxyJump dualstack.example.org
> 
> That would allow you to connect directly to the one system if there is
> IPv6 connectivity and hop through a bastion / jump host first if only
> IPv4 connectivity is possible.  The match blocks can be made more
> general with patterns, of course.
> 
> Exec could use route(8), ping(8), nc(1), or a custom script.

Okay, that is super cool. I took a look at that wiki page and learned
some things.

> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Conditional_Use_of_Jump_Hosts

This reminds me of a related thing I've been wondering about.

For the second case mentioned in that wiki page, which depends on
whether you're connected to a given LAN or not, wouldn't it be nice to
have a convenient and hard-to-spoof way to check that, rather than
blindly trust hostnames?

I keep thinking that seems like something ssh could do very well, but
so far I haven't figured out how to approach it. Can I instruct ssh to
(for example) initiate a connection with 192.168.1.1, authenticate the
remote host's identity against a custom known_hosts file, hang up
without trying to log in or anything, and return a simple yes/no — or
better, on success return the line number of the matching known_hosts
entry?

Any suggestions?

Cheers!
 -Chris
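As an added example that is not part of this thread or of OpenSSH itself, a POSIX shell sketch of the check Chris describes: fetch the key 192.168.1.1 presents in key exchange, compare it against a custom known_hosts file, and return the matching line number (exit status doubles as the yes/no). Host names and key strings are constructed placeholders, and a key match only shows that the peer at that address holds the pinned key, nothing more about which network you are on.

```shell
#!/bin/sh
# Added example (not from the thread): compare the host key a peer presents
# with a custom known_hosts file. Names and key blobs here are constructed.

# kh_match_line FILE HOST "KEYTYPE BASE64KEY"
# Prints the line number of the first entry whose key material equals the
# given key and whose host field lists HOST. Exit 1 if none, exit 2 if the
# key is listed as @revoked. Hashed host fields (|1|...) cannot be compared
# to HOST, so for them a key-material match is all that can be checked.
kh_match_line() {
    awk -v host="$2" -v ktype="${3%% *}" -v kblob="${3#* }" '
        BEGIN { rc = 1 }
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            marker = ""; i = 1
            if ($1 ~ /^@/) { marker = $1; i = 2 }    # @revoked / @cert-authority
            hosts = $i; type = $(i+1); blob = $(i+2)
            if (type != ktype || blob != kblob) next # key material must match
            if (marker == "@revoked") { print "revoked"; rc = 2; exit }
            if (marker != "") next                   # CA entries are not host keys
            if (substr(hosts, 1, 3) == "|1|") { print NR; rc = 0; exit }
            n = split(hosts, h, ",")
            for (j = 1; j <= n; j++)
                if (h[j] == host) { print NR; rc = 0; exit }
        }
        END { exit rc }' "$1"
}

# probe_host HOST FILE: fetch the ed25519 key HOST presents during key
# exchange (ssh-keyscan hangs up without logging in) and check it against
# FILE. Put in a script, this is usable as a Match exec test, e.g.
#   Match host 192.168.1.1 exec "probe_host 192.168.1.1 ~/.ssh/lan_known_hosts"
probe_host() {
    key=$(ssh-keyscan -t ed25519 "$1" 2>/dev/null | awk '{ print $2, $3 }')
    [ -n "$key" ] || return 1
    kh_match_line "$2" "$1" "$key"
}

# Constructed sample file: a LAN gateway, a revoked key and a hashed entry.
make_sample_known_hosts() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample known_hosts
gw.lan,192.168.1.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne00000000000000000000000
@revoked * ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyRevoked000000000000000000000
|1|ConstructedSalt=|ConstructedHash= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyHashed00000000000000000
EOF
    echo "$f"
}
```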

