When I\'m on a certain network (subnet is 10.10.11.x) I need to jump through an intermediate host to reach my destination because of destination port I can\'t change and limited
Instead of checking the subnet CIDR, you can check what domain suffix DHCP has given you.
If you're trying to use a jump box when outside the intranet, this approach is more robust than checking for IP ranges in the reserved private allocation (e.g. your home network or remote-work location uses the same block as example.com
's intranet).
This approach is not useful if your intranet uses the same DNS suffix everywhere and you're trying to traverse subnets within the intranet. If that's your situation, use Jakuje's solution.
Match Host web Exec "hostname -d | ! grep -q -E '^example\.com'"
ForwardAgent yes
ProxyCommand ssh -p 110 -q relay.example.com nc %h %p
Host web
HostName web.example.com
Port 1111
If you don't have a recent version of hostname
that has the -d
option (e.g. you're on MacOS), you can just query resolve.conf
directly:
Match Host web Exec "! grep -q -E '^\s*search[ \t]+example\.com' /etc/resolv.conf"
...
...
My solution to this problem is the following:
Host myserver
HostName [internal IP]
...
Match Host [internal IP] !Exec "nc -w1 -q0 %h %p < /dev/null"
ProxyCommand ssh jumphost -W %h:%p
It's important to have the Host myserver
lines first, so the SSH client will know the IP address.
In the Match
expression,
Host
option matches on that IP. (It accepts *
, so you can match to /8, /16 or /24 subnets too.)Exec
option executes a netcat
with a 1 second timeout to test if the SSH port is open. If not, the ProxyCommand
is used.This is the clearest way I found to actually test if you need a jumphost or not. If your network is lagging, you can set higher timeouts, of course. See man ssh_config for more details.
Based on the answer by Fedor Dikarev, Mike created a bash script named onsubnet
:
#!/usr/bin/env bash
if [[ "$1" == "--help" ]] || [[ "$1" == "-h" ]] || [[ "$1" == "" ]] ; then
printf "Usage:\n\tonsubnet [ --not ] partial-ip-address\n\n"
printf "Example:\n\tonsubnet 10.10.\n\tonsubnet --not 192.168.0.\n\n"
printf "Note:\n\tThe partial-ip-address must match starting at the first\n"
printf "\tcharacter of the ip-address, therefore the first example\n"
printf "\tabove will match 10.10.10.1 but not 110.10.10.1\n"
exit 0
fi
on=0
off=1
if [[ "$1" == "--not" ]] ; then
shift
on=1
off=0
fi
regexp="^$(sed 's/\./\\./g' <<<"$1")"
if [[ "$(uname)" == "Darwin" ]] ; then
ifconfig | fgrep 'inet ' | fgrep -v 127.0.0. | cut -d ' ' -f 2 | egrep -q "$regexp"
else
hostname -I | tr -s " " "\012" | fgrep -v 127.0.0. | egrep -q "$regexp"
fi
if [[ $? == 0 ]]; then
exit $on
else
exit $off
fi
Then in his .ssh/config
file, he uses Match exec
like Jakuje's answer:
Match exec "onsubnet 10.10.1." host my-server
HostName web.example.com
Port 1111
ForwardAgent yes
ProxyCommand ssh -p 110 -q relay.example.com nc %h %p
Match exec "onsubnet --not 10.10.1." host my-server
HostName web.example.com
Port 1111
I'm using the following function for that:
function ssh() {
network=`networksetup -getairportnetwork en0 | cut -d: -f2 | tr -d [:space:]`
if [ -n "$network" -a -f $HOME/.ssh/config.$network ]; then
/usr/bin/ssh -F $HOME/.ssh/config.$network "$@"
else
/usr/bin/ssh "$@"
fi
}
export -f ssh
So I need a separate configuration file for each WiFi network where I want a custom solution. It works for me right now, but it's ugly. I can recommend it only as an idea, not as the best solution.
I'd be glad to know any better solution.
You can use Match's exec
option to execute shell commands, so you can write something like this:
Match host web exec "hostname -I | grep -qF 10.10.11."
ForwardAgent yes
ProxyCommand ssh -p 110 -q relay.example.com nc %h %p
Host web
HostName web.example.com
Port 1111
The Match
option boolean logic can short-circuit, so put host
first to skip the exec
term for other hosts. Try ssh web -vvv
to see the Match
logic in action.