SSH Config – Add Host Section Matching IPs When Using Hostname

dnshostnameipopensshssh

I want a host section in my ssh config that matches any local IP:

Host 10.* 192.168.*.* 172.31.* 172.30.* 172.2?.* 172.1?.*
  setting
  setting
  ...

This works as long as I connect directly to a relevant IP. If I however connect to a hostname that later resolves to one of these IPs, the section is ignored.

sshd has Match Address sections which I think can be used for this, but they won't work in ssh client configs.

Is there any way to achieve this?

Best Answer

You can't do that using only ssh_config options, but there is exec option, which can do that for you:

Match exec "getent hosts %h | grep -qE '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'"
   setting

Related Solutions

Ssh – Multiple ‘Host *’ in ssh_config

From the ssh_config manual:

Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

So in your example, all hosts will use User harleypig and IdentityFile ~/.ssh/personal_id_rsa.

Think of Host directives with wildcards as fallbacks: use the following settings only if they haven't been set yet. You need to write something like this:

Host host1
Hostname host1.com
Host host2
Hostname host2.com
Host host*
User harleypig
IdentityFile ~/.ssh/personal_id_rsa

You can put multiple patterns on a Host line if a given set of host aliases can't be matched with wildcards, e.g. Host host* more* outlier.

Ssh – Only apply Match keyword to single Host in ssh config

Match is rather on-par with Host. It doesn't exist as a subset of Host the way other options do.

But you can specify multiple criteria on a match, and they appear to operate as a short-circuit AND. So this should be possible and useful for you:

Match host target_host exec not_inside_network
    ProxyCommand ssh -W %h:%p proxy_server

This rule will be checked on every ssh. But for hosts not matching "target_host", the match immediately fails and moves to the next Match or Host keyword (if any). Only if the host is "target_host" will the exec occur. Then the truth of that statement will determine whether or not the ProxyCommand is invoked.

To see the logic occur, run with -vvv. You should see some match checks at debug3.

Best Answer

Related Solutions

Ssh – Multiple ‘Host *’ in ssh_config

Ssh – Only apply Match keyword to single Host in ssh config

Related Question