On Fri, 18 Feb 2022 14:13:15 +0200 Lars Noodén <lars.nooden@xxxxxxx> wrote:

[SNIP]

> Use of Match Exec in ssh_config(5) seems to be the way that is approached:
>
>     Match host ipv6only.example.org
>         User fred
>
>     Match host ipv6only.example.org !exec "route -n get -inet6 %h"
>         ProxyJump dualstack.example.org
>
> That would allow you to connect directly to the one system if there is
> IPv6 connectivity and hop through a bastion / jump host first if only
> IPv4 connectivity is possible. The match blocks can be made more
> general with patterns, of course.
>
> Exec could use route(8), ping(8), nc(1), or a custom script.

Okay, that is super cool. I took a look at that wiki page and learned some things.

> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Conditional_Use_of_Jump_Hosts

This reminds me of a related thing I've been wondering about. For the second case mentioned in that wiki page, which depends on whether you're connected to a given LAN or not, wouldn't it be nice to have a convenient and hard-to-spoof way to check that, rather than blindly trust hostnames?

I keep thinking that seems like something ssh could do very well, but so far I haven't figured out how to approach it. Can I instruct ssh to (for example) initiate a connection with 192.168.1.1, authenticate the remote host's identity against a custom known_hosts file, hang up without trying to log in or anything, and return a simple yes/no — or better, on success return the line number of the matching known_hosts entry?

Any suggestions?

Cheers!
-Chris

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
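The quoted Match exec approach and the question about authenticating a LAN host against a custom known_hosts file, as an added shell example that is not from the thread or from OpenSSH: a script usable as a Match exec test that fetches the remote host key with ssh-keyscan and compares it against a dedicated known_hosts file, printing the matching line number and exiting 0 only on a match. The script path, the lan_known_hosts file, the host alias lanbox and the bastion name are assumptions; the gateway address 192.168.1.1 is the one from the message, and the known_hosts contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the host answering at an
# address presents a key recorded in a dedicated known_hosts file, and report
# the matching line number. Meant as an ssh_config "Match exec" test.

# Pure matching step, kept free of network access so it can be checked offline.
# Handles plain (unhashed) hostnames only; "|1|..." hashed entries are skipped.
# Usage: match_known_host <known_hosts_file> <host> "<keytype> <base64key>"
# Prints the 1-based line number of the match and returns 0, else returns 1.
match_known_host() {
    awk -v host="$2" -v key="$3" '
        /^[[:space:]]*(#|$)/ { next }    # comments and blank lines
        /^[@|]/ { next }                 # @marker lines and hashed hosts
        {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++)
                if (hosts[i] == host && ($2 " " $3) == key) { print NR; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Network step: ask the remote host for the key it actually presents (one key
# type, short timeout), then match it. ssh-keyscan prints "host keytype key".
check_lan_gateway() {
    scanned=$(ssh-keyscan -T 2 -t ed25519 "$2" 2>/dev/null)
    [ -n "$scanned" ] || return 1
    match_known_host "$1" "$2" "$(printf '%s\n' "$scanned" | awk 'NR == 1 { print $2 " " $3 }')"
}

# Offline demonstration on a constructed known_hosts file; returns the result
# of matching the gateway entry (line 2).
demo() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
# constructed known_hosts for this example
192.168.1.1,gw.lan ssh-ed25519 AAAAC3ConstructedKeyDataForExampleOnly0001 gw
10.0.0.1 ssh-ed25519 AAAAC3ConstructedKeyDataForExampleOnly0002
EOF
    match_known_host "$tmp" 192.168.1.1 "ssh-ed25519 AAAAC3ConstructedKeyDataForExampleOnly0001" && rc=0 || rc=1
    rm -f "$tmp"
    return $rc
}

# Invoked directly with two arguments, run the network check; exit status 0
# makes the ssh_config condition true, e.g. (hypothetical paths and names):
#   Match host lanbox !exec "/usr/local/bin/lan_check.sh /etc/ssh/lan_known_hosts 192.168.1.1"
#       ProxyJump bastion.example.org
if [ "$#" -eq 2 ]; then check_lan_gateway "$1" "$2"; fi
```

Because the test is the presented host key rather than a hostname or route, a host that merely answers at the gateway address with a different key fails the match and the ProxyJump block stays in effect.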