
I am trying to set up a connection to [email protected] via a PowerShell terminal (with the config located in .ssh\config) without a proxy; however, I want to keep being able to connect to all other pp servers with my admin user and to retain internal.pp.com behind a proxy.

My ssh config goes as follows:

Host pp-d1*
        User ubuntu
        Port 22
        IdentityFile ~\.ssh\mykey
        SendEnv LS_*
        SendEnv TERM=screen
        ForwardAgent yes

Host pp-*
        User admin
        Port 22
        IdentityFile ~\.ssh\mykey
        SendEnv LS_*
        SendEnv TERM=screen
        ForwardAgent yes

Host *old-kernel.com *internal.pp.com
        User ubuntu
        Port 22
        IdentityFile ~\.ssh\mykey
        SendEnv LS_*
        SendEnv TERM=screen
        ForwardAgent yes
        ProxyCommand ssh proxy.internal.pp.com nc %h %p 2> /dev/null

The issue is that technically I should get a match on rule 1, but for some reason I get a match on rules 1 and 3, and number 3 prevails and wants to push me through the proxy.

Below the ssh debug:

PS C:\Users\peter> ssh pp-d1-gritz.pp.internal.com -vvv
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Reading configuration data C:\\Users\\peter/.ssh/config
debug1: C:\\Users\\peter/.ssh/config line 3: Applying options for pp-d1*
debug1: C:\\Users\\peter/.ssh/config line 11: Applying options for pp-*
debug2: add_identity_file: ignoring duplicate key C:\\Users\\peter\\.ssh\\mykey
debug1: C:\\Users\\peter/.ssh/config line 19: Applying options for *pp.internal.com
debug2: add_identity_file: ignoring duplicate key C:\\Users\\peter\\.ssh\\mykey
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug1: Executing proxy command: exec ssh proxy.internal.pp.com nc pp-d1-gritz.pp.internal.com 22 2> /dev/null
debug3: spawning "ssh proxy.internal.pp.com nc pp-d1-gritz.pp.internal.com 22 2> /dev/null"
debug3: spawning ssh proxy.internal.pp.com nc pp-d1-gritz.pp.internal.com 22 2> /dev/null
debug3: w32_getpeername ERROR: not sock :2
debug3: Failed to open file:C:/Users/peter/.ssh/mykey.pub error:2
debug1: identity file C:\\Users\\peter\\.ssh\\mykey type -1
debug3: Failed to open file:C:/Users/peter/.ssh/mykey-cert error:2
debug3: Failed to open file:C:/Users/peter/.ssh/mykey-cert.pub error:2
debug1: identity file C:\\Users\\peter\\.ssh\\mykey-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
Enter one-time-scratch code:

The code prompt is the proxy prompt (which I don't want, as rule 1 should be applied). What have I been doing wrong?

cheers, pete

3 Answers


The behavior is normal; settings from all matching sections are combined, with the first instance of a setting taking priority. (Don't think of Host/Match as separate "sections", in general – think of it as a single large config where some settings are filtered.)

Since the first setting wins, one possible solution is to explicitly set it to the default (e.g. "none" in this case):

Host pp-d1*
    # no changes needed

Host pp-*
    ProxyCommand none

Unrelated improvement: I would recommend shortening it to:

Host pp-d1*
    # no changes needed, will be handled by the pp-* setting

Host pp-*
    ProxyJump none

Host *old-kernel.com *internal.pp.com
    ProxyJump proxy.internal.pp.com

Also, since all matching "sections" apply, it means you don't have to repeat SendEnv or Port for everything – you can have globals in a Host * section at the very end.

Host pp-d1*
    User ubuntu

Host pp-*
    User admin
    ProxyJump none

Host proxy.internal.pp.com
    ProxyJump none

Host *old-kernel.com *internal.pp.com
    User ubuntu
    IdentityFile ~\.ssh\mykey
    ForwardAgent yes
    ProxyJump proxy.internal.pp.com
    SendEnv TERM=screen

Host *
    SendEnv LS_*
  • cheers, now I have got it in order and I also put those repeated options into all hosts at the end too
    – Peter
    Commented Jul 28, 2023 at 9:17
  • my issue was I was thinking of it as separate sections -- that was the problem -- you've changed my mindset :D Thank you
    – Peter
    Commented Jul 28, 2023 at 9:18

Your host is pp-d1-gritz.pp.internal.com, which matches *internal.pp.com from your third rule. So you might think about why you do not want to use the "internal proxy" when you try to connect to an "internal" host.

To fix it you could exclude pp-* from the third rule by extending it to

# Host patterns are separated by whitespace, not commas; a matching negated
# pattern (!pp-*) makes ssh skip the whole block regardless of the other patterns
Host *old-kernel.com !pp-* *internal.pp.com

For pp-d1-gritz.pp.internal.com both Host pp-d1* ("rule 1") and Host *old-kernel.com *internal.pp.com ("rule 3") match.

man 5 ssh_config states:

Unless noted otherwise, for each parameter, the first obtained value will be used.

In your case the first (and only) value for ProxyCommand comes from the "rule 3". If you want it to come from "rule 1", you need to include ProxyCommand there.

The relevant fragment of the manual [emphasis mine]:

Setting the command to none disables this option entirely.

So you need ProxyCommand none under Host pp-d1*. Then if some host matches both "rule 1" and "rule 3", ProxyCommand none from "rule 1" will be applied.

Alternatively rebuild your rules, so only one Host specification matches pp-d1-gritz.pp.internal.com.
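A way to check the "first obtained value wins" rule from the first and third answers, and the negated-pattern exclusion from the second, without touching a real host. This is an added example, not code from the question or any of the answers: a small Python model of how the OpenSSH client evaluates Host blocks, run over constructed configs derived from the one in the question. Because the posted config says *internal.pp.com while the debug output shows *pp.internal.com, the sample host names end in internal.pp.com so that they fit the config as posted. Match blocks, Include and %h-style tokens are deliberately not modelled.

```python
"""Model of how the OpenSSH client resolves Host blocks in ssh_config.

Added example (not code from the thread). Two rules from ssh_config(5):
  1. Every Host block whose pattern list matches contributes its options,
     and for each option the FIRST value obtained wins.
  2. Host patterns are whitespace separated; a matching '!' pattern vetoes
     the whole block no matter what else on the line matches.
"""
from __future__ import annotations

import re


def match_pattern(host: str, pattern: str) -> bool:
    """ssh's match_pattern(): only '*' and '?' are wildcards, nothing else."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host) is not None


def host_block_applies(host: str, patterns: list[str]) -> bool:
    """Evaluate the pattern list of one 'Host' line for the given host."""
    active = False
    for pat in patterns:
        negated = pat.startswith("!")
        if match_pattern(host, pat[1:] if negated else pat):
            if negated:
                return False          # a negated match wins outright
            active = True
    return active


def effective_config(config_text: str, host: str) -> dict[str, str]:
    """Return {keyword (lowercased): value} as ssh would resolve it for host.

    Only the 'Keyword value' form is parsed; 'Keyword=value' is not handled.
    """
    active = True                     # options before the first Host line are global
    resolved: dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_block_applies(host, value.split())
        elif keyword == "match":
            raise NotImplementedError("Match blocks are not modelled here")
        elif active:
            resolved.setdefault(keyword, value)   # first obtained value wins
    return resolved


def proxy_for(config_text: str, host: str) -> str | None:
    """The proxy ssh would use for host, or None for a direct connection.

    ProxyCommand and ProxyJump both accept the literal 'none', which disables
    the option but still counts as an obtained value, so it shadows any later
    block. (The constructed configs never set both keywords for one host.)
    """
    cfg = effective_config(config_text, host)
    for keyword in ("proxycommand", "proxyjump"):
        if keyword in cfg:
            return None if cfg[keyword].lower() == "none" else cfg[keyword]
    return None


# Constructed sample config, reduced from the question (constructed data).
ORIGINAL = """
Host pp-d1*
    User ubuntu
Host pp-*
    User admin
Host *old-kernel.com *internal.pp.com
    User ubuntu
    ProxyCommand ssh proxy.internal.pp.com nc %h %p 2> /dev/null
Host *
    Port 22
"""

# Fix from the first and third answers: an explicit 'none' in an earlier block
# is the first obtained value, so the later ProxyCommand is never used.
FIRST_VALUE_FIX = ORIGINAL.replace("    User admin\n",
                                   "    User admin\n    ProxyCommand none\n")

# Fix from the second answer, with the negated pattern whitespace separated.
NEGATION_FIX = ORIGINAL.replace("Host *old-kernel.com *internal.pp.com",
                                "Host *old-kernel.com !pp-* *internal.pp.com")

# Pitfall: a comma does not separate Host patterns, so this is ONE negated
# pattern containing a literal ',' and the block then never matches anything.
COMMA_PITFALL = ORIGINAL.replace("Host *old-kernel.com *internal.pp.com",
                                 "Host *old-kernel.com !pp-*,*internal.pp.com")


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("first-value fix", FIRST_VALUE_FIX),
                      ("negation fix", NEGATION_FIX), ("comma pitfall", COMMA_PITFALL)):
        for host in ("pp-d1-gritz.internal.pp.com", "db.internal.pp.com",
                     "proxy.internal.pp.com"):
            user = effective_config(cfg, host).get("user")
            print(f"{name:16} {host:30} user={user} proxy={proxy_for(cfg, host)}")
```

Running it shows the original config proxying pp-d1-gritz (and, as the first answer's extra `Host proxy.internal.pp.com` block anticipates, the proxy host itself), both fixes connecting to pp-d1-gritz directly while db.internal.pp.com stays behind the proxy, and the comma variant silently dropping the whole block. On the real client, `ssh -G <host>` prints the resolved configuration without connecting and is the quickest way to confirm which `proxycommand` value won.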
