Stop SSH Config on First Match – Configuration Tips

ssh

I have a added a local proxy for all my hosts in my .ssh config, however I want to shell into my local vm without the proxy command. Output of my ssh attempt:

debug1: /Users/bbarbour/.ssh/config line 1: Applying options for local.dev
debug1: /Users/bbarbour/.ssh/config line 65: Applying options for *

Given the following ssh config how do I prevent the ProxyCommand from being applied to the local.dev entry?

Host local.dev
    HostName dev.myserver.com
    User developer
...
Host *
    ProxyCommand /usr/local/bin/corkscrew 127.0.0.1 8840 %h %p

Best Answer

You can exclude local.dev from ProxyCommand, using ! before it:

Host * !local.dev
    ProxyCommand /usr/local/bin/corkscrew 127.0.0.1 8840 %h %p

From ssh_config documentation:

If more than one pattern is provided, they should be separated by whitespace.

A pattern entry may be negated by prefixing it with an exclamation mark (`!'). If a negated entry is matched, then the Host entry is ignored, regardless of whether any other patterns on the line match. Negated matches are therefore useful to provide exceptions for wildcard matches.

The documentation also said:

For each parameter, the first obtained value will be used. The configuration files contain sections separated by ``Host'' specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is the one given on the command line.

So, you can also disable ProxyCommand for local.dev by override value that you have defined in Host *:

Host local.dev
    HostName dev.myserver.com
    User developer
    ProxyCommand none

Related Solutions

Ssh – Multiple ‘Host *’ in ssh_config

From the ssh_config manual:

Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

So in your example, all hosts will use User harleypig and IdentityFile ~/.ssh/personal_id_rsa.

Think of Host directives with wildcards as fallbacks: use the following settings only if they haven't been set yet. You need to write something like this:

Host host1
Hostname host1.com
Host host2
Hostname host2.com
Host host*
User harleypig
IdentityFile ~/.ssh/personal_id_rsa

You can put multiple patterns on a Host line if a given set of host aliases can't be matched with wildcards, e.g. Host host* more* outlier.

Ssh – Why does SSH add a known_host entry for an IP address

I think it's to make the CheckHostIP work.

If this flag is set to “yes”, ssh(1) will additionally check the host IP address in the known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to “no”, the check will not be executed. The default is “yes”.

You get slightly better diagnostics in case of a misconfiguration or attack with this option, but it doesn't actually improve security in any way that I can think of.

If you turn off CheckHostIP then SSH (as of OpenSSH 6.7p1) does not record the IP address when you connect to a new host by name. So add this to your .ssh/config:

CheckHostIP no

You can add it to a Host section if you only want to turn it off for a specific host (especially one with a dynamic IP address).

Best Answer

Related Solutions

Ssh – Multiple ‘Host *’ in ssh_config

Ssh – Why does SSH add a known_host entry for an IP address

Related Question