From: Damien Miller
Subject: ssh_config: RefuseConnection
To: tech@openbsd.org
Cc: openssh@openssh.com
Date: Mon, 21 Jul 2025 14:59:50 +1000
Hi,
This adds a ssh_config RefuseConnection option that will terminate the ssh(1) process if it's ever encountered in an active configuration. For example:
$ cat > /tmp/c << _EOF
Match host blah
RefuseConnection "don't use blah, use foo instead"
_EOF
$ ssh -F /tmp/c blah
/tmp/c line 2: RefuseConnection: don't use blah, use foo instead
Ok?
diff --git a/readconf.c b/readconf.c
index 692dc15..39d5c8c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -164,7 +164,7 @@ typedef enum {
 oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
 oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
 oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
- oVersionAddendum,
+ oVersionAddendum, oRefuseConnection,
 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
@@ -316,6 +316,7 @@ static struct {
 { "obscurekeystroketiming", oObscureKeystrokeTiming },
 { "channeltimeout", oChannelTimeout },
 { "versionaddendum", oVersionAddendum },
+ { "refuseconnection", oRefuseConnection },
 { NULL, oBadOption }
 };
@@ -2486,6 +2487,19 @@ parse_pubkey_algos:
 argv_consume(&ac);
 break;
+ case oRefuseConnection:
+ arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0') {
+ error("%.200s line %d: Missing argument.",
+ filename, linenum);
+ goto out;
+ }
+ if (*activep) {
+ fatal("%.200s line %d: RefuseConnection: %s",
+ filename, linenum, arg);
+ }
+ break;
+
 case oDeprecated:
 debug("%s line %d: Deprecated option \"%s\"",
 filename, linenum, keyword);
diff --git a/ssh_config.5 b/ssh_config.5
index 341249f..e8def9c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
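Review bot: The message is taken from a single `argv_next()` call in the new `oRefuseConnection` case, so a message containing spaces only works when quoted as in the cover-letter example; an unquoted `RefuseConnection don't use blah` would presumably be rejected by the end-of-line argument check elsewhere in readconf.c (or fail on the apostrophe) instead of refusing the connection. The ssh_config.5 hunk does not mention this, so suggest adding there: `The argument is a single word; a message containing spaces must be quoted.` A one-line comment above the `if (*activep)` branch would also help the next reader, since the refusal happens while the configuration is still being parsed and so stops any ssh(1) invocation that loads this file, presumably including `ssh -G`: `/* Refused at parse time: any invocation that reads this config stops here. */`. The enclosing switch starts and ends outside the hunk.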
@@ -1716,6 +1716,15 @@ disabling or enabling the OpenSSH host-bound authentication protocol
 extension required for restricted
 .Xr ssh-agent 1
 forwarding.
+.It Cm RefuseConnection
+Allows a connection to be refused by the configuration file.
+If this option is specified, then
+.Xr ssh 1
+will terminate immediately before attempting to connect to the remote
+host, display an error message that contains the argument to this keyword
+and return a non-zero exit status.
+This option may be useful to express reminders or warnings to the user via
+.Nm .
 .It Cm RekeyLimit
 Specifies the maximum amount of data that may be transmitted or received
 before the session key is renegotiated, optionally followed by a maximum
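Review bot: The opening sentence `Allows a connection to be refused by the configuration file.` reads like an access-control mechanism, but the directive only takes effect in a configuration that ssh(1) actually loads, so a user choosing a different file (the cover letter itself uses `-F`) presumably never sees it; the closing sentence about reminders and warnings is the accurate framing and should come first. Suggest rewording the first sentence to `Causes the configuration file to refuse a connection; this is an advisory mechanism for the user, not an access control.` The entry should also state that the argument is a single (quoted, if it contains spaces) word, since the readconf.c hunk reads exactly one token.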