Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?

Damien Miller djm at mindrot.org
Fri Jul 4 10:48:24 AEST 2025


On Mon, 30 Jun 2025, Jochen Bern wrote:

> Hello, I applied major updates to the workplace machines, the effect being
> that ssh/scp/sftp now refuse to connect to a couple legacy hosts. I'll be
> pinpointing workarounds to access those, but once these are in place, I'd like
> to change .ssh/config so that when muscle memory does a "ssh too-old-host"
> again, I get output to the effect of "use the 'foo bar baz' command instead"
> (and ideally, OpenSSH itself does not even *attempt* to connect).

Try this:

RefuseConnection "deprecated: use blah instead"

$ ssh foo
/home/djm/.ssh/config line 1: RefuseConnection: deprecated: use blah instead

(Name chosen for symmetry with the sshd_config RefuseConnection, though
maybe that doesn't make sense...)

diff --git a/readconf.c b/readconf.c
index 692dc15..39d5c8c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -164,7 +164,7 @@ typedef enum {
 	oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
 	oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
 	oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
-	oVersionAddendum,
+	oVersionAddendum, oRefuseConnection,
 	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -316,6 +316,7 @@ static struct {
 	{ "obscurekeystroketiming", oObscureKeystrokeTiming },
 	{ "channeltimeout", oChannelTimeout },
 	{ "versionaddendum", oVersionAddendum },
+	{ "refuseconnection", oRefuseConnection },
 
 	{ NULL, oBadOption }
 };
@@ -2486,6 +2487,19 @@ parse_pubkey_algos:
 		argv_consume(&ac);
 		break;
 
+	case oRefuseConnection:
+		arg = argv_next(&ac, &av);
+		if (!arg || *arg == '\0') {
+			error("%.200s line %d: Missing argument.",
+			    filename, linenum);
+			goto out;
+		}
+		if (*activep) {
+			fatal("%.200s line %d: RefuseConnection: %s",
+			    filename, linenum, arg);
+		}
+		break;
+
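Review bot: the fatal() in the `if (*activep)` branch of the oRefuseConnection case fires while the configuration file is still being parsed, so it also aborts `ssh -G too-old-host`, which exists precisely to print the resolved configuration without connecting; if that is not intended, store the argument in `options` here and raise the fatal from ssh.c once the configuration has been fully read. As written the user's chosen text is also never shown on its own: `fatal("%.200s line %d: RefuseConnection: %s", ...)` prefixes it with the file name and line number, which is more diagnostic than the "use the 'foo bar baz' command instead" reminder the request asked for; printing the argument verbatim, or at least on its own line, would read better.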
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
diff --git a/ssh_config.5 b/ssh_config.5
index 341249f..e8def9c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1716,6 +1716,15 @@ disabling or enabling the OpenSSH host-bound authentication protocol
 extension required for restricted
 .Xr ssh-agent 1
 forwarding.
+.It Cm RefuseConnection
+Allows a connection to be refused by the configuration file.
+If this option is specified, then
+.Xr ssh 1
+will terminate immediately before attempting to connect to the remote
+host, display an error message that contains the argument to this keyword
+and return a non-zero exit status.
+This option may be useful to express reminders or warnings to the user via
+.Nm .
 .It Cm RekeyLimit
 Specifies the maximum amount of data that may be transmitted or received
 before the session key is renegotiated, optionally followed by a maximum
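Review bot: the new ssh_config.5 entry should state that the argument is a single token, so a message containing spaces has to be quoted (`RefuseConnection "deprecated: use blah instead"` as in the example in the mail; an unquoted multi-word message trips the extra-arguments check in readconf.c), and that the refusal follows the usual Host/Match scoping, since the check is only made when the enclosing block is active. It is also worth saying that the termination happens as soon as the keyword is parsed, so nothing after it in the file, including later Host or Match blocks, is read, and that the non-zero exit status is the 255 that fatal() always uses.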

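The use case from the original question, written out as an ssh_config fragment with the proposed keyword. This is an added example, not part of the mail or of the patch; it assumes the patch above is applied, and the host names, the replacement command and the legacy-algorithm settings in the second block are assumptions standing in for whatever workaround the legacy hosts actually need.

```sshconfig
# Added example (not from the patch or its author). Assumes the
# RefuseConnection patch is applied; host names, the wrapper command and
# the legacy algorithms are placeholders.

# Muscle-memory alias: parsing stops here with the reminder below and no
# connection is attempted. The argument is a single token, so a message
# containing spaces must be quoted.
Host too-old-host
    RefuseConnection "deprecated: run 'foo bar baz' instead"

# Escape hatch used by the 'foo bar baz' wrapper: a separate alias for the
# same machine that re-enables, for this host only, the algorithms the
# updated defaults dropped. Keep these relaxations out of any global block
# so that RefuseConnection above is the only thing a bare "ssh
# too-old-host" ever reaches.
Host too-old-host-legacy
    HostName too-old-host.example.org
    KexAlgorithms +diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
```

With this file, `ssh too-old-host` exits with status 255 (the status fatal() always uses) after printing the RefuseConnection message, while `ssh -G too-old-host-legacy` shows the relaxed algorithm lists applied only to that alias; note that `ssh -G too-old-host` aborts too, because the check runs during parsing rather than at connection time.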

More information about the openssh-unix-dev mailing list