Compounding global and individual settings in ssh-config files?

Jochen Bern Jochen.Bern at binect.de
Fri Mar 29 07:16:56 AEDT 2024


Hello everyone,

my workplace has gotten the idea of centrally maintaining a file in 
ssh_config syntax so that employees do not need to discover every new 
machine and configure it on their own. Since it's a case of "let's get 
started now, and properly think it through later", right now, a typical 
entry might look like

> Host    [product]-[Customer]
>         Hostname        [privateIP]
>         user            [primaryAccount]
>         ProxyCommand nc -x 127.0.0.1:2124 -X 5 %h %p

(with the parts in [] varying from one machine to the next) - and if you 
know how disparate the options of "nc"/netcat can look from one distrib 
to the next, you'll immediately know why this suggestion has me 
concerned. :-}

I suppose that *this* particular instance of the problem can be mostly 
fixed, either by switching to "ProxyJump" (referring to a config entry 
that every user maintains himself) or with a wrapper script¹, but it has 
me wondering: Are there plans, or even better already-implemented 
mechanisms, that would allow entries in (global) config files to 
"inherit"² single config lines preset in another (individual) config file?

¹ Note that as of now, the names do *not* include which platform the 
machine is running on, but the proper proxying depends on that. So, no 
using "Host" blocks with patterns unless I can get everyone to use 
*my* host-naming style. :-/

² Please take the term with a planetoid of salt. I do not have a 
preference whether it should be, or act like, "inheritance" like in 
Nagios object configs, "includes", "variables", "templates", or 
whatever. :-3

³ Yes, I suppose that providing just the main data - name, IP, user, 
port (if nonstandard) and which proxy to use - from a central source and 
individually turning that into an ssh_config with some preprocessor 
could also prove a powerful solution here ...

Thanks in advance,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
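
The preprocessor approach from footnote ³, as an added example that is not part of the original message and not OpenSSH code: the central source carries only data fields, each user maps proxy labels to their own directive, and every field is validated so a central entry cannot smuggle extra directives (such as a ProxyCommand) into the generated file. The field names, proxy labels, sample hosts and "bastion-b" are constructed assumptions.

```python
import re

# Constructed sample data: the central inventory holds facts only, no directives.
CENTRAL = [
    {"name": "shop-acme", "ip": "10.20.0.5", "user": "deploy", "proxy": "socks-a"},
    {"name": "crm-globex", "ip": "10.30.1.9", "user": "ops", "port": 2222,
     "proxy": "jump-b"},
]
# Constructed per-user mapping: each person decides how a proxy label is reached
# on their own platform (their nc flavour, or a ProxyJump to their own entry).
LOCAL_PROXIES = {
    "socks-a": "ProxyCommand nc -x 127.0.0.1:2124 -X 5 %h %p",
    "jump-b": "ProxyJump bastion-b",
}
# Allow-lists: no whitespace, newlines, wildcards or '!' can reach the output,
# so a central value can never start a new line or widen a Host pattern.
SAFE = {
    "name": re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*"),
    "ip": re.compile(r"[0-9A-Fa-f:.]+"),
    "user": re.compile(r"[A-Za-z_][A-Za-z0-9._-]*"),
    "proxy": re.compile(r"[A-Za-z0-9_-]+"),
}

def render(central, local_proxies):
    """Return ssh_config text built from central data plus local proxy choices."""
    blocks = []
    for entry in central:
        for field, pattern in SAFE.items():
            value = entry.get(field)
            if not isinstance(value, str) or not pattern.fullmatch(value):
                raise ValueError(f"rejected {field}={value!r}")
        port = entry.get("port", 22)
        if type(port) is not int or not 0 < port < 65536:
            raise ValueError(f"rejected port={port!r}")
        if entry["proxy"] not in local_proxies:
            raise ValueError(f"no local definition for proxy {entry['proxy']!r}")
        lines = [f"Host {entry['name']}",
                 f"    Hostname {entry['ip']}",
                 f"    User {entry['user']}"]
        if port != 22:
            lines.append(f"    Port {port}")
        # The only directive text comes from the user's own file, never from central.
        lines.append(f"    {local_proxies[entry['proxy']]}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

if __name__ == "__main__":
    print(render(CENTRAL, LOCAL_PROXIES), end="")
```

The output can be written to a separate file and pulled into ~/.ssh/config with an "Include" line, which keeps hand-written entries apart from generated ones.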