8

I have a host which I ssh into. Sometimes I'm inside the same network, and can ssh directly into it, other times I'm outside it and I need to use a proxy.

Because ssh via the proxy server is much slower than direct, I'd like to have my ssh config set up such that I try to connect directly, falling back to the proxy if that fails.

Currently the config looks like:

    Host proxy_server
    User user
    Port port
    Hostname some_domain

    Host target_host
    User user
    Port port
    Hostname ip_addr_of_host
    Match exec not_inside_network
    ProxyCommand ssh -W %h:%p proxy_server

The target_host entry is the last entry in my config file, yet not_inside_network gets called by any ssh connection to unrelated servers in the config file. How can I make Match only apply to this one server?

James Tocknell
  • until someone more familiar with `ssh.config`, I wondered if you checked out the example [here](http://blog.endpoint.com/2011/01/ssh-config-wildcards-and-multiple.html). It might be helpful to attempt the model the author uses for multiple hosts (i.e. one exact and one wildcard in your case). – Simply_Me Aug 13 '14 at 04:08
  • It doesn't consider checking if the host is accessible or not, which is the unusual thing here. – James Tocknell Aug 13 '14 at 06:17
  • Have you tried putting wild card first and then exact? – Simply_Me Aug 13 '14 at 06:22

1 Answer

13

Match is rather on-par with Host. It doesn't exist as a subset of Host the way other options do.

But you can specify multiple criteria on a match, and they appear to operate as a short-circuit AND. So this should be possible and useful for you:

    Match host target_host exec not_inside_network
        ProxyCommand ssh -W %h:%p proxy_server

This rule will be checked on every ssh. But for hosts not matching "target_host", the match immediately fails and moves to the next Match or Host keyword (if any). Only if the host is "target_host" will the exec occur. Then the truth of that statement will determine whether or not the ProxyCommand is invoked.

To see the logic occur, run with -vvv. You should see some match checks at debug3.

BowlOfRed
  • I had tried something like this, but couldn't work out how to check that it actually was doing what I expected (it appears -vvv is the answer). Do you know if the short-circuit AND is a documented action (it's not in the man page, I've gone through it a few times) or an implementation detail? – James Tocknell Aug 13 '14 at 23:27
  • I think I found it in the notes from the check-in. Let me see if I can find that again – BowlOfRed Aug 14 '14 at 00:01
  • This may be an implementation detail, but it is mentioned explicitly in the source code. From servconf.c: " /* * All of the attributes on a single Match line are ANDed together, so we need * to check every attribute and set the result to zero if any attribute does * not match. */" Unfortunately, that doesn't mention that it short-circuits... – BowlOfRed Aug 14 '14 at 00:12
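
One way to write the `not_inside_network` helper that the question leaves unspecified, together with the config that calls it. This is an added example, not code from the question or the answer; the script path `~/bin/not_inside_network`, the `tcp_probe` function and the `PROBE` and `PROBE_TIMEOUT` variables are assumptions. It uses `originalhost` because the `Host` block sets `Hostname` before the `Match` line is evaluated.

```shell
#!/bin/sh
# Added example: hypothetical ~/bin/not_inside_network helper for Match exec.
# Exit 0 ("not inside", so the Match is true and ProxyCommand applies) when a
# direct TCP connection to the target fails; exit 1 when the direct route works.
#
# ~/.ssh/config, with the question's placeholders. originalhost matches the
# name typed on the command line; the host criterion is compared after
# Hostname substitution, so it would see ip_addr_of_host here.
#
#   Host target_host
#       User user
#       Port port
#       Hostname ip_addr_of_host
#   Match originalhost target_host exec "~/bin/not_inside_network %h %p"
#       ProxyCommand ssh -W %h:%p proxy_server

# Default probe: open a TCP connection with bash's /dev/tcp, bounded by
# timeout(1) so a filtered port cannot stall the ssh invocation.
tcp_probe() {
    timeout "${PROBE_TIMEOUT:-2}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# PROBE names the command used to test the direct route (override for testing).
not_inside_network() {
    host=$1 port=$2
    # Accept only hostname/IP characters and a numeric port; on anything else
    # report "not inside" so ssh takes the proxy instead of probing junk.
    case $host in ''|*[!A-Za-z0-9.:_-]*) return 0 ;; esac
    case $port in ''|*[!0-9]*) return 0 ;; esac
    if "${PROBE:-tcp_probe}" "$host" "$port"; then
        return 1    # direct route works: Match is false, connect directly
    fi
    return 0        # unreachable or probe tool missing: Match is true, use proxy
}

# When ssh runs this file as a script with "host port", report via exit status.
if [ "$#" -ge 2 ]; then
    not_inside_network "$1" "$2"
    exit $?
fi
```

On OpenSSH 6.8 or later, `ssh -G target_host` prints the resolved options after evaluating `Host` and `Match` blocks, so the presence or absence of a `proxycommand` line shows which branch was taken without opening a session.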