Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?

[Damien Miller]

On Mon, 30 Jun 2025, Jochen Bern wrote:

> Hello, I applied major updates to the workplace machines, the effect being
> that ssh/scp/sftp now refuse to connect to a couple legacy hosts. I'll be
> pinpointing workarounds to access those, but once these are in place, I'd like
> to change .ssh/config so that when muscle memory does a "ssh too-old-host"
> again, I get output to the effect of "use the 'foo bar baz' command instead"
> (and ideally, OpenSSH itself does not even *attempt* to connect).

Try this:

RefuseConnection "deprecated: use blah instead"

$ ssh foo
/home/djm/.ssh/config line 1: RefuseConnection: deprecated: use blah instead

(Name chosen for symmetry with the sshd_config RefuseConnnection, though
maybe that doesn't make sense...)

diff --git a/readconf.c b/readconf.c
index 692dc15..39d5c8c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -164,7 +164,7 @@ typedef enum {
 	oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
 	oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
 	oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
-	oVersionAddendum,
+	oVersionAddendum, oRefuseConnection,
 	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -316,6 +316,7 @@ static struct {
 	{ "obscurekeystroketiming", oObscureKeystrokeTiming },
 	{ "channeltimeout", oChannelTimeout },
 	{ "versionaddendum", oVersionAddendum },
+	{ "refuseconnection", oRefuseConnection },
 
 	{ NULL, oBadOption }
 };
@@ -2486,6 +2487,19 @@ parse_pubkey_algos:
 		argv_consume(&ac);
 		break;
 
+	case oRefuseConnection:
+		arg = argv_next(&ac, &av);
+		if (!arg || *arg == '\0') {
+			error("%.200s line %d: Missing argument.",
+			    filename, linenum);
+			goto out;
+		}
+		if (*activep) {
+			fatal("%.200s line %d: RefuseConnection: %s",
+			    filename, linenum, arg);
+		}
+		break;
+
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
diff --git a/ssh_config.5 b/ssh_config.5
index 341249f..e8def9c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1716,6 +1716,15 @@ disabling or enabling the OpenSSH host-bound authentication protocol
 extension required for restricted
 .Xr ssh-agent 1
 forwarding.
+.It Cm RefuseConnection
+Allows a connection to be refused by the configuration file.
+If this option is specified, then
+.Xr ssh 1
+will terminate immediately before attempting to connect to the remote
+host, display an error message that contains the argument to this keyword
+and return a non-zero exit status.
+This option may be useful to express reminders or warnings to the user via
+.Nm .
 .It Cm RekeyLimit
 Specifies the maximum amount of data that may be transmitted or received
 before the session key is renegotiated, optionally followed by a maximum