Network-dependent ~/.ssh/config?

15

4

In the office, I can connect to internal machines without a proxy, but need a proxy for external connections. Outside of the office, I can connect to other external machines without a proxy, but need to use one of 2 proxies to connect to internal machines.

If I can figure out a way to autodetect what network I'm on, can I instruct ssh to load the appropriate config file?

If not, is there a more elegant solution than writing a shell script to symlink the appropriate config file to ~/.ssh/config (my best idea so far)?

Edit: I think @pcm and JonnyRo understood my question and I'll try what they suggest, but just to be clear, I want

| Source \ Dest      | abc.example.com | xyz.external.org |
|--------------------+-----------------+------------------|
| example.com office | No Proxy        | Proxy            |
| outside            | Proxy           | No Proxy         |

Nate Parsons

Posted 2012-04-24T23:08:13.773

Reputation: 1 425

Answers

11

Depending on how your proxy is configured, you can simply build an SSH config entry that works in either situation. For example, on one network I regularly use, I have to ssh to an intermediate host before I can make an outbound connection. So basically I set up a configuration that looks like this:

# proxy ssh 
Host *%sshproxy
    ProxyCommand ssh user@proxyhost.example.org /bin/netcat -w 1 $(echo %h | cut -d%% -f1) 22

Host myhost.example.org
    HostName 172.16.24.1

Host otherhost.example.com
    HostName 192.168.57.12

So when I don't need to use a proxy, I can simply run a command like ssh myhost.example.org and get connected, but when I do need the proxy, I run the command ssh myhost.example.org%sshproxy.

I suspect you could probably set up some kind of alias or auto-complete setting that would automatically append the %proxy bit.

Zoredache

Posted 2012-04-24T23:08:13.773

Reputation: 18 453

9

Old question, but some ideas in this thread helped me and this is a solution I came up with:

First, the proxy server ssh configuration.

Match Originalhost proxy Exec "ifconfig | grep 10.0.1"
     Hostname 10.0.1.2
Host proxy 
     Hostname external.hostname.com

Then, the Server B configuration:

Match Originalhost server-b Exec "ifconfig | grep 10.0.1"
     ProxyCommand none
Host server-b
     Hostname 10.0.1.3
     ProxyCommand ssh -W %h:%p server-a

The idea here is that the default case is connecting from an external site, and the ProxyCommand initiates an ssh connection to proxy first and then connects to server-b. If, on the other hand, we are located on the local subnet already, the ProxyCommand is disabled and no proxy connection to server-a is made.

Regardless of where you are, you can always reach server-abc by this entry and this setup figures out where you are and sets up the connection accordingly. For server-xyz, just use the same idea.

I made a more thorough explanation here: http://blog.kihltech.com/2017/04/ssh-conditional-host-address-based-on-network-or-location/

Robert Kihlberg

Posted 2012-04-24T23:08:13.773

Reputation: 91

7

You can use the -F option to select from different config files for the two network cases. You can then either create aliases that use the different config files, based on which net you are on, or, in your login script, set up a single alias based on your IP address.

pcm

Posted 2012-04-24T23:08:13.773

Reputation: 271

Thanks! Aliases with -F will definitely be my fallback if I can't get a script working based on IP. – Nate Parsons – 2012-04-25T06:29:46.153

This is awesome, I was just about to ask the same question. I already script some other options to set environment variables when I start a new terminal, I can easily create an alias or symlink the proper .ssh/config based on the environment. – newz2000 – 2013-05-23T18:12:39.313

1

Write a shell script that checks your IP against a pattern, then symlinks the appropriate shell script.

If for some reason your IP range is the same for home and work, try switching based on /etc/resolv.conf, which contains the DHCP configured DNS servers.

JonnyRo

Posted 2012-04-24T23:08:13.773

Reputation: 141
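
An added example, not written by any of the posters above, for the detection step that the Match ... Exec answer and the -F / shell-script answers all rely on: a POSIX sh helper that decides whether the machine is on the office network. The 10.0.1. prefix is taken from the Match answer; the script name ssh-net.sh and the config.office / config.outside file names are assumptions.

```shell
#!/bin/sh
# Added example. OFFICE_PREFIX follows the 10.0.1.x subnet used above;
# the script name and the two config file names are assumptions.
# ~/.ssh/config: Match originalhost server-b exec "sh ~/bin/ssh-net.sh --office"
# interactive:   ssh -F "$(sh ~/bin/ssh-net.sh --config)" server-b
OFFICE_PREFIX="10.0.1."

# Print the local IPv4 addresses, one per line (ip if present, else ifconfig).
local_ipv4() {
    if command -v ip >/dev/null 2>&1; then
        ip -o -4 addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
    else
        ifconfig | awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2 }'
    fi
}

# Succeed if any address (argument list, default: the live ones) starts with
# OFFICE_PREFIX. The compare is anchored at the start and keeps the trailing
# dot, so 10.0.10.5 and 110.0.1.7 are rejected; an unanchored
# "grep 10.0.1" accepts both.
on_office_net() {
    addrs=${1-$(local_ipv4)}
    for a in $addrs; do
        case $a in
            "$OFFICE_PREFIX"*) return 0 ;;
        esac
    done
    return 1
}

# Print the config file to hand to ssh -F for the current network.
pick_ssh_config() {
    if on_office_net "$@"; then
        echo "$HOME/.ssh/config.office"
    else
        echo "$HOME/.ssh/config.outside"
    fi
}

case ${1-} in
    --office) on_office_net ;;
    --config) pick_ssh_config ;;
esac
```

An address prefix identifies the network only loosely, since any other network can hand out 10.0.1.x addresses; in that case ssh's host key verification is what still protects the direct connection.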

0

The "Host" option in .ssh/config lets you change the configuration based on the destination. I use that to adjust port forwarding and such based on where I'm going.

JOTN

Posted 2012-04-24T23:08:13.773

Reputation: 531

0

I have looked into this question in the past, and one possible solution is to have an entry like this in the config file:

Host ENTRY_POINT
Hostname ENTRY_POINT_FQDN
User USERNAME

Host *.INSIDE_DOMAIN
ProxyCommand ssh ENTRY_POINT nc %h %p

This way, if you are outside, you can $ ssh machine.inside_domain. If you are inside and have dns resolving, you can $ ssh machine. That works well for me.

Maybe someone can improve upon this idea, maybe changing DNS configuration so it automatically resolves machine to machine.inside_domain if you are outside and use the SSH entry point.

Fernando

Posted 2012-04-24T23:08:13.773

Reputation: 1