Re: Connect direct and fallback

On Fri, 18 Feb 2022 14:13:15 +0200
Lars Noodén <lars.nooden@xxxxxxx> wrote:

[SNIP]
> Use of Match Exec in
> ssh_config(5) seems to be the way that is approached:
> 
>   Match host ipv6only.example.org
>          User fred
> 
>   Match host ipv6only.example.org !exec "route -n get -inet6 %h"
>          ProxyJump dualstack.example.org
> 
> That would allow you to connect directly to the one system if there is
> IPv6 connectivity and hop through a bastion / jump host first if only
> IPv4 connectivity is possible.  The match blocks can be made more
> general with patterns, of course.
> 
> Exec could use route(8), ping(8), nc(1), or a custom script.

Okay, that is super cool. I took a look at that wiki page and learned
some things.

> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Conditional_Use_of_Jump_Hosts

This reminds me of a related thing I've been wondering about.

For the second case mentioned in that wiki page, which depends on
whether you're connected to a given LAN or not, wouldn't it be nice to
have a convenient and hard-to-spoof way to check that, rather than
blindly trust hostnames?

I keep thinking that seems like something ssh could do very well, but
so far I haven't figured out how to approach it. Can I instruct ssh to
(for example) initiate a connection with 192.168.1.1, authenticate the
remote host's identity against a custom known_hosts file, hang up
without trying to log in or anything, and return a simple yes/no — or
better, on success return the line number of the matching known_hosts
entry?

Any suggestions?

Cheers!
 -Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
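A way to get the yes/no (plus matching line number) that Chris asks for, using only stock OpenSSH tools, as an added example that is not part of the thread: ssh-keyscan fetches the gateway's host key without ever attempting a login, and a small function compares it against a private known_hosts file so the script can serve as a Match exec test. The gateway address 192.168.1.1, the file name lan_known_hosts and the function name match_known_hosts are assumptions for the example; it also assumes the file uses unhashed entries (HashKnownHosts no), since hashed lines cannot be matched by plain string comparison.

```shell
#!/bin/sh
# on-lan.sh  --  example "am I on the expected LAN?" test for Match exec.
# Exit 0 and print the known_hosts line number when the gateway presents a
# key that is recorded in our private known_hosts file; exit 1 otherwise.
# A host that merely answers on the right address but has another key (a
# spoofed or different gateway) is rejected, which is what hostname or
# address checks alone cannot do.

# match_known_hosts FILE HOST KEYLINE
#   KEYLINE is one ssh-keyscan output line: "host keytype base64".
#   Prints the 1-based number of the first FILE entry that lists HOST with
#   exactly that key and returns 0; returns 1 when no such entry exists.
match_known_hosts() {
    file=$1; host=$2; keyline=$3
    set -- $keyline
    ktype=$2; kdata=$3
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Skip blank lines, comments and @cert-authority/@revoked markers.
        case $line in ''|'#'*|'@'*) continue ;; esac
        set -- $line
        # Field 1 may be a comma-separated list of names and addresses.
        case ",$1," in *",$host,"*) ;; *) continue ;; esac
        if [ "$2" = "$ktype" ] && [ "$3" = "$kdata" ]; then
            printf '%s\n' "$lineno"
            return 0
        fi
    done < "$file"
    return 1
}

# Live probe, only when a gateway address is given on the command line.
# ssh-keyscan sends no credentials and never reaches authentication, so
# this "hangs up" right after the key exchange.  Short timeout keeps a
# failed probe from stalling every ssh invocation.
if [ $# -ge 1 ]; then
    gw=$1
    kh=${2:-"$HOME/.ssh/lan_known_hosts"}   # assumed private known_hosts
    scanned=$(ssh-keyscan -T 2 -t ed25519 "$gw" 2>/dev/null | head -n 1)
    [ -n "$scanned" ] || exit 1
    match_known_hosts "$kh" "$gw" "$scanned"
    exit $?
fi
```

In ssh_config the test would then read something like `Match host printer.lan exec "sh ~/bin/on-lan.sh 192.168.1.1"`, so the direct-connect block applies only when the real gateway key was seen.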