I added this in my ~/.ssh/config to help avoid stupid mistakes:

    Host *.prod-domain.com
    LocalCommand print "WARNING: PROD" && print "continue ?" && read
    PermitLocalCommand yes

Which makes ssh print a warning and a prompt when I try to connect to a host under prod-domain.com.
Now, most hosts do not expose ssh publically, so we have to go through a gateway. I used to do
    ssh -J gateway.prod-domain.com target.prod-domain.com
But with the local command enabled, ssh fails with:
    Bad packet length 1231976033.
    ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: message authentication code incorrect
Connecting directly (e.g. ssh gateway.prod-domain.com) still works fine, and connecting with a jump works if I comment out the local command.

Are local commands and ssh jumps incompatible? Is it documented somewhere, and is there a way to make it work (like disabling the local command when "jumping"), or did I maybe hit a bug?
As the ssh_config manpage says:

Your problem is with the read statement; it messes up the negotiation process of SSH performed in the tunnel created via gateway.prod-domain.com.

You can configure your client so only the "endpoints" give you the warning, the gateway doesn't, by having an empty entry in your ~/.ssh/config for the gateway, like this:

This way, what you tried to do will work, just be sure not to use the "prod-domain" servers as a jump proxy (except for the gateway, of course). Or, to avoid interactive commands altogether, you could use something like this:
This way, while you can't prevent the session from establishing, you will be given a big red warning.
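The following is an added example, not the answerer's configuration: it shows why the interactive warning breaks a ProxyJump hop and what a safe, non-interactive warning looks like. When ssh uses gateway.prod-domain.com as a jump host, it spawns a second ssh process whose stdin and stdout carry the encrypted packets of the inner connection, so any LocalCommand that reads stdin on the gateway eats part of that stream. The example assumes the gateway name gateway.prod-domain.com and the wildcard *.prod-domain.com from the question, and it excludes the gateway by giving it its own stanza with `PermitLocalCommand no` placed before the wildcard (ssh_config takes the first value it finds for each option); that explicit setting is a design choice here, not a claim about what the answer's omitted config contained.

```sh
#!/bin/sh
# Added example (not from the original question or answer). Assumed names:
# gateway.prod-domain.com is the jump host, *.prod-domain.com the prod hosts.

# The failure mode: a warning that blocks on `read` consumes whatever is on
# stdin. Inside a ProxyJump hop, stdin is the inner SSH connection's packet
# stream, which is why the client later reports a bad packet length / bad MAC.
interactive_warning() {
    printf 'WARNING: PROD\ncontinue ?\n' >&2
    read _answer   # swallows data that was meant for the inner ssh
}

# The safe variant: writes a red warning to stderr only and never touches
# stdin or stdout, so it is harmless even when the host is a jump hop.
prod_warning() {
    printf '\033[1;31mWARNING: connecting to PRODUCTION host %s\033[0m\n' "$1" >&2
}

# Emit the ssh_config stanzas. The gateway stanza comes first and disables
# LocalCommand for it; the wildcard stanza then covers the real endpoints.
# %h is expanded by ssh to the remote host name before the shell runs it.
prod_ssh_config() {
    cat <<'EOF'
Host gateway.prod-domain.com
    PermitLocalCommand no

Host *.prod-domain.com
    PermitLocalCommand yes
    LocalCommand printf '\033[1;31mWARNING: connecting to PRODUCTION host %h\033[0m\n' >&2
EOF
}

# Helper used to show the difference: feed a constructed "packet" on stdin,
# run the given warning function, then report what is left for the next reader.
remaining_stdin_after() {
    printf 'constructed-inner-ssh-packet\n' | {
        "$1" dummy.prod-domain.com 2>/dev/null
        read _rest || _rest=''
        printf '%s' "$_rest"
    }
}

if [ "${1:-}" = "--demo" ]; then
    printf 'left after interactive_warning: [%s]\n' "$(remaining_stdin_after interactive_warning)"
    printf 'left after prod_warning:        [%s]\n' "$(remaining_stdin_after prod_warning)"
    prod_ssh_config
fi
```

Run it with `--demo` to see that the blocking variant leaves nothing on stdin for the inner connection while the stderr-only variant leaves the packet intact; the emitted config can be appended to ~/.ssh/config after checking it against the real host names.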