Ssh – Only apply Match keyword to single Host in ssh config

opensshsshssh-config

I have a host which I ssh into. Sometimes I'm inside the same network, and can ssh directly into it, other times I'm outside it and I need to use a proxy.

Because ssh via the proxy server is much slower than direct, I'd like to have my ssh config set up such that I try to connect directly, falling back to the proxy if that fails.

Currently the config looks like:

    Host proxy_server
    User user
    Port port
    Hostname some_domain

    Host target_host
    User user
    Port port
    Hostname ip_addr_of_host
    Match exec not_inside_network
    ProxyCommand ssh -W %h:%p proxy_server

The target_host entry is the last entry in my config file, yet not_inside_network gets called by any ssh connection to unrelated servers in the config file. How can I make Match only apply to this one server?

Best Answer

Match is rather on-par with Host. It doesn't exist as a subset of Host the way other options do.

But you can specify multiple criteria on a match, and they appear to operate as a short-circuit AND. So this should be possible and useful for you:

Match host target_host exec not_inside_network
    ProxyCommand ssh -W %h:%p proxy_server

This rule will be checked on every ssh. But for hosts not matching "target_host", the match immediately fails and moves to the next Match or Host keyword (if any). Only if the host is "target_host" will the exec occur. Then the truth of that statement will determine whether or not the ProxyCommand is invoked.

To see the logic occur, run with -vvv. You should see some match checks at debug3.

Related Solutions

Ssh – Multiple ‘Host *’ in ssh_config

From the ssh_config manual:

Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

So in your example, all hosts will use User harleypig and IdentityFile ~/.ssh/personal_id_rsa.

Think of Host directives with wildcards as fallbacks: use the following settings only if they haven't been set yet. You need to write something like this:

Host host1
Hostname host1.com
Host host2
Hostname host2.com
Host host*
User harleypig
IdentityFile ~/.ssh/personal_id_rsa

You can put multiple patterns on a Host line if a given set of host aliases can't be matched with wildcards, e.g. Host host* more* outlier.

Stop SSH Config on First Match – Configuration Tips

You can exclude local.dev from ProxyCommand, using ! before it:

Host * !local.dev
    ProxyCommand /usr/local/bin/corkscrew 127.0.0.1 8840 %h %p

From ssh_config documentation:

If more than one pattern is provided, they should be separated by whitespace.

A pattern entry may be negated by prefixing it with an exclamation mark (`!'). If a negated entry is matched, then the Host entry is ignored, regardless of whether any other patterns on the line match. Negated matches are therefore useful to provide exceptions for wildcard matches.

The documentation also said:

For each parameter, the first obtained value will be used. The configuration files contain sections separated by ``Host'' specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is the one given on the command line.

So, you can also disable ProxyCommand for local.dev by override value that you have defined in Host *:

Host local.dev
    HostName dev.myserver.com
    User developer
    ProxyCommand none

Best Answer

Related Solutions

Ssh – Multiple ‘Host *’ in ssh_config

Stop SSH Config on First Match – Configuration Tips

Related Question