Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?
Jochen Bern
Jochen.Bern at binect.de
Mon Jun 30 20:41:14 AEST 2025
Hello,

I applied major updates to the workplace machines, the effect
being that ssh/scp/sftp now refuse to connect to a couple legacy hosts.
I'll be pinpointing workarounds to access those, but once these are in
place, I'd like to change .ssh/config so that when muscle memory does a
"ssh too-old-host" again, I get output to the effect of "use the 'foo
bar baz' command instead" (and ideally, OpenSSH itself does not even
*attempt* to connect).

LocalCommand doesn't execute (because ssh never gets post auth), and
ProxyCommand seems to be unable, too (because its output apparently gets
swallowed *entirely* by ssh).

Is there an .ssh/config trick to that effect that I don't see?

If not, may I suggest a config option "Refuse [optional message]" as a
new feature?

(I'm *not* asking for a way to "*execute* something entirely different
*instead* of ssh" because of several reasons - one being that it'd allow
configs to get silently "backdoored" so as to connect target hosts by
less-secure-than-policy-says methods.)

Thanks in advance,
--
Jochen Bern
Systemingenieur
Binect GmbH