Skip to main content

SSH Jump and local command [Resolved]

I added this in my ~/.ssh/config to help avoid stupid mistakes:

Host *.prod-domain.com
    LocalCommand print "WARNING: PROD" && print "continue ?" && read
    PermitLocalCommand yes

Which makes ssh print a warning and a prompt when I try to connect to a host under prod-domain.com.

Now, most hosts do not expose ssh publically, so we have to go through a gateway. I used to do

ssh -J gateway.prod-domain.com target.prod-domain.com

But with the local command enabled, ssh fails with:

Bad packet length 1231976033.
ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: message authentication code incorrect

Connecting directly (e.g. ssh gateway.prod-domain.com) still works fine, and connecting with a jump works if I comment the local command.

Are local commands and ssh jumps incompatible ? Is it documented somewhere, and is there a way to make it work (like disabling the local command when "jumping"), or did I maybe hit a bug ?


Question Credit: Antoine
Question Reference
Asked July 13, 2019
Tags: ssh
Posted Under: Network
19 views
1 Answers

As the ssh_config manpage says:

The command is run synchronously and does not have access to the session of the ssh(1) that spawned it. It should not be used for interactive commands.

Your problem is with the read statement, it messes up the negotiation process of SSH performed in the tunnel created via gateway.prod-domain.com.

You can configure your client so only the "endpoints" give you the warning, the gateway doesn't, by having an empty entry in your ~/.ssh/config for the gateway, like this:

Host gateway.prod-domain.com gateway
    HostName gateway.prod-domain.com

Host *.prod-domain.com
    ProxyJump gateway
    LocalCommand print "WARNING: PROD" && print "continue ?" && read
    PermitLocalCommand yes

This way, what you tried to do will work, just be sure not to use the "prod-domain" servers as a jump proxy (except for the gateway, of course). Or, to avoid interactive commands altogether, you could use something like this:

Host *.prod-domain.com
    LocalCommand echo -e "\x1b[30;41mWARNING: You are on a PRODUCTIVE system!\x1b0m"
    PermitLocalCommand yes

This way, while you can't prevent the session from establishing, you will be given a big red warning.


credit: Lacek
Answered July 13, 2019
Your Answer
D:\Adnan\Candoerz\CandoProject\vQA