Ssh config file with multiple ssh versions

openssh

I really like the "Match" keyword that was added to OpenSSH around version 6.5, and I make heavy use of it in my .ssh/config file.

But that config file is in my NFS-ed home, and so is referenced when I log in to any of several computers in our LAN.

And many of these computers still have ssh versions older than 6.5.

So if I am at one of these computers, and try to ssh (or scp/rsync), I get a complaint that Match is a 'Bad configuration option', and ssh terminates.

I'd much rather ssh proceed without the customizations in my config file, than not work at all. But I can't seem to find any way to write the config file so that newer versions can make use of newer options, but older version work without them. If anyone has any bright ideas, please share.

I have managed to work out that I can do "ssh -F /dev/null" with older versions. I just find it irksome that that is necessary. Would prefer an "automatic" solution.

Best Answer

Unfortunately, it is not possible. Some applications, where newer versions have introduced new optional syntaxes, have resorted to having "conditional compilation" comments, a notable example is MySQL.

But thankfully OpenSSH is not at that stage yet.

Possible solution: If your entire home directory is mounted in different operating systems, you can add a script to your .profile that checks the version of SSH and if it is not sufficient to load your configuration file, aliases ssh to ssh -F /dev/null. For example:

if [ "$(bc -l <<<"$(ssh -V 2> >(sed 's,^[^0-9]*,,;s,[^\.0-9].*,,')) < 6.5")" == 1 ]
then
    alias ssh="/usr/bin/ssh -F/dev/null"
fi

Alternatively, as per @derobert comment, an alias may not be enough for some use cases, such as using rsync or other applications that use OpenSSH as a transport and call the ssh program directly (without letting the shell resolve the alias). If this is indeed also an issue, you might want to create a script called ssh in your local bin directory (usually ~/bin or ~/.local/bin). When an application resolves the path to the ssh binary, it should see your local bin directory early in the path and run your script, which will then perform the required logic.

Maybe something like this:

#!/bin/bash
if [ "$(bc -l <<<"$(ssh -V 2> >(sed 's,^[^0-9]*,,;s,[^\.0-9].*,,')) < 6.5")" == 1 ]
then
    /usr/bin/ssh -F/dev/null "$@"
else
    /usr/bin/ssh "$@"
fi

Related Solutions

SSH Config – Add Host Section Matching IPs When Using Hostname

You can't do that using only ssh_config options, but there is exec option, which can do that for you:

Match exec "getent hosts %h | grep -qE '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'"
   setting

Ssh – Does Gnome Keyring support new-format OpenSSH private keys

Things have changed slightly now. As a result GNOME 3.28 now wraps OpenSSH's ssh-agent, which gives it the same level of support as OpenSSH.

Reference - Archlinux wiki - GNOME/Keyring

Known issues

Cannot handle ECDSA and Ed25519 keys

As of January 2018, GNOME Keyring doesn't handle ECDSA nor Ed25519 keys. You can turn to other SSH agents if you need support for those.

Note: As of GNOME 3.28, gnome-keyring replaced its SSH agent implementation with a wrapper around the ssh-agent tool that comes with openssh. As a result, any type of key supported by the upstream ssh-agent is now also supported by gnome-keyring, including ECDSA and Ed25519 keys.

If you still find that you're behind this particular version this Gist shows how you can use keychain to workaround this issue, titled: SSH with ed25519 (curve25519) + GNOME-KeyRing.

References

new openssh key format and bcrypt pbkdf

Best Answer

Related Solutions

SSH Config – Add Host Section Matching IPs When Using Hostname

Ssh – Does Gnome Keyring support new-format OpenSSH private keys

Known issues

Cannot handle ECDSA and Ed25519 keys

References

Related Question