Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?

Jochen Bern Jochen.Bern at binect.de
Mon Jun 30 20:41:14 AEST 2025


Hello, I applied major updates to the workplace machines, the effect 
being that ssh/scp/sftp now refuse to connect to a couple legacy hosts. 
I'll be pinpointing workarounds to access those, but once these are in 
place, I'd like to change .ssh/config so that when muscle memory does a 
"ssh too-old-host" again, I get output to the effect of "use the 'foo 
bar baz' command instead" (and ideally, OpenSSH itself does not even 
*attempt* to connect).

LocalCommand doesn't execute (because ssh never gets post auth), and 
ProxyCommand seems to be unable, too (because its output apparently gets 
swallowed *entirely* by ssh).

Is there an .ssh/config trick to that effect that I don't see?
If not, may I suggest a config option "Refuse [optional message]" as a 
new feature?

(I'm *not* asking for a way to "*execute* something entirely different 
*instead* of ssh" because of several reasons - one being that it'd allow 
configs to get silently "backdoored" so as to connect to target hosts by 
less-secure-than-policy-says methods.)

Thanks in advance,
-- 
Jochen Bern
Systemingenieur

Binect GmbH