ssh_config: RefuseConnection
Hi,
This adds an ssh_config RefuseConnection option that terminates the
ssh(1) process if it is ever encountered in an active configuration.
For example:
$ cat > /tmp/c << _EOF
Match host blah
RefuseConnection "don't use blah, use foo instead"
_EOF
$ ssh -F /tmp/c blah
/tmp/c line 2: RefuseConnection: don't use blah, use foo instead
Ok?
diff --git a/readconf.c b/readconf.c
index 692dc15..39d5c8c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -164,7 +164,7 @@ typedef enum {
oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
- oVersionAddendum,
+ oVersionAddendum, oRefuseConnection,
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@@ -316,6 +316,7 @@ static struct {
{ "obscurekeystroketiming", oObscureKeystrokeTiming },
{ "channeltimeout", oChannelTimeout },
{ "versionaddendum", oVersionAddendum },
+ { "refuseconnection", oRefuseConnection },
{ NULL, oBadOption }
};
@@ -2486,6 +2487,19 @@ parse_pubkey_algos:
argv_consume(&ac);
break;
+ case oRefuseConnection:
+ arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0') {
+ error("%.200s line %d: Missing argument.",
+ filename, linenum);
+ goto out;
+ }
+ if (*activep) {
+ fatal("%.200s line %d: RefuseConnection: %s",
+ filename, linenum, arg);
+ }
+ break;
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
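Review bot: The refusal fires inside config parsing, at the fatal() in the `*activep` branch, so ssh(1) exits the moment the active line is read rather than "immediately before attempting to connect" as the manual text in this patch describes it; if the same parser also serves non-connecting modes such as `ssh -G`, those will exit with the message as well. That is probably the intent, but a short comment above the fatal() would keep the next reader from reading it as an ordering bug: `/* An active RefuseConnection aborts at parse time, before any connection attempt or further option processing. */`. The missing-argument path follows the file's existing error()/goto out pattern, and because arg is passed as a fatal() argument rather than as the format string, text from the configuration file cannot be interpreted as format directives. The enclosing switch starts and ends outside the hunk.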
diff --git a/ssh_config.5 b/ssh_config.5
index 341249f..e8def9c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1716,6 +1716,15 @@ disabling or enabling the OpenSSH host-bound authentication protocol
extension required for restricted
.Xr ssh-agent 1
forwarding.
+.It Cm RefuseConnection
+Allows a connection to be refused by the configuration file.
+If this option is specified, then
+.Xr ssh 1
+will terminate immediately before attempting to connect to the remote
+host, display an error message that contains the argument to this keyword
+and return a non-zero exit status.
+This option may be useful to express reminders or warnings to the user via
+.Nm .
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted or received
before the session key is renegotiated, optionally followed by a maximum