ssh_config manpage says:
The command is run synchronously and does not have access to the session of the ssh(1) that spawned it. It should not be used for interactive commands.
Your problem is with the read statement, it messes up the negotiation process of SSH performed in the tunnel created via
You can configure your client so only the "endpoints" give you the warning, the gateway doesn't, by having an empty entry in your ~/.ssh/config for the gateway, like this:
Host gateway.prod-domain.com gateway
LocalCommand print "WARNING: PROD" && print "continue ?" && read
This way, what you tried to do will work, just be sure not to use the "prod-domain" servers as a jump proxy (except for the gateway, of course). Or, to avoid interactive commands altogether, you could use something like this:
LocalCommand echo -e "\x1b[30;41mWARNING: You are on a PRODUCTIVE system!\x1b[0m"
This way, while you can't prevent the session from establishing, you will be given a big red warning.
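A fuller ~/.ssh/config layout for the non-interactive warning, as an added example that is not part of the original answer. The `*.prod-domain.com` pattern is an assumption, and this variant sets PermitLocalCommand explicitly instead of relying on an empty gateway entry.

```sshconfig
# Added example for ~/.ssh/config. ssh uses the first value it obtains for each
# keyword, so the more specific gateway block must come before the wildcard.

# Gateway / jump host: LocalCommand is switched off here, so an ssh process
# that only carries a tunnel to another machine never runs it.
Host gateway.prod-domain.com gateway
    PermitLocalCommand no

# Assumed pattern for the remaining production hosts (not from the original post).
Host *.prod-domain.com
    # LocalCommand is ignored unless PermitLocalCommand is enabled.
    PermitLocalCommand yes
    # Non-interactive: prints a red banner and returns immediately.
    # %h is expanded by ssh to the remote host name.
    LocalCommand printf '\033[30;41mWARNING: %h is a PRODUCTION system\033[0m\n'
```

`ssh -G <host>` prints the options ssh resolves for a host without connecting, which shows whether `localcommand` and `permitlocalcommand` apply to it.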