upstream: add a ssh_config RefuseConnection option that, when

encountered while processing an active section in a configuration file,
terminates ssh(1) with an error message that contains the argument to the
option.

This may be useful for expressing reminders or warnings in config
files, for example:

Match host foo
       RefuseConnection "foo is deprecated, use splork instead"

ok djg

OpenBSD-Commit-ID: 5b0072fcd08ad3932ab21e27bbaa66b008d44237

diff --git a/readconf.c b/readconf.c
index 97f34abff1088186abf30c00af9d7b59d89c3f69..b5a9f925fc4ab8d79b3ac2a0b50565f0c33d8a8c 100644 (file)
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.400 2025/06/24 09:22:03 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.401 2025/07/23 05:07:19 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -180,7 +180,7 @@ typedef enum {
        oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
        oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
        oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
-       oVersionAddendum,
+       oVersionAddendum, oRefuseConnection,
        oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -332,6 +332,7 @@ static struct {
        { "obscurekeystroketiming", oObscureKeystrokeTiming },
        { "channeltimeout", oChannelTimeout },
        { "versionaddendum", oVersionAddendum },
+       { "refuseconnection", oRefuseConnection },
 
        { NULL, oBadOption }
 };
@@ -2509,6 +2510,19 @@ parse_pubkey_algos:
                argv_consume(&ac);
                break;
 
+       case oRefuseConnection:
+               arg = argv_next(&ac, &av);
+               if (!arg || *arg == '\0') {
+                       error("%.200s line %d: Missing argument.",
+                           filename, linenum);
+                       goto out;
+               }
+               if (*activep) {
+                       fatal("%.200s line %d: RefuseConnection: %s",
+                           filename, linenum, arg);
+               }
+               break;
+
        case oDeprecated:
                debug("%s line %d: Deprecated option \"%s\"",
                    filename, linenum, keyword);

diff --git a/ssh_config.5 b/ssh_config.5
index 894d738310c853e8c05a9537513026afa984d2f6..14115fff1e1eff63b800390798b8e52992df079b 100644 (file)
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.413 2025/03/03 06:53:09 dtucker Exp $
-.Dd $Mdocdate: March 3 2025 $
+.\" $OpenBSD: ssh_config.5,v 1.414 2025/07/23 05:07:19 djm Exp $
+.Dd $Mdocdate: July 23 2025 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -1715,6 +1715,15 @@ disabling or enabling the OpenSSH host-bound authentication protocol
 extension required for restricted
 .Xr ssh-agent 1
 forwarding.
+.It Cm RefuseConnection
+Allows a connection to be refused by the configuration file.
+If this option is specified, then
+.Xr ssh 1
+will terminate immediately before attempting to connect to the remote
+host, display an error message that contains the argument to this keyword
+and return a non-zero exit status.
+This option may be useful to express reminders or warnings to the user via
+.Nm .
 .It Cm RekeyLimit
 Specifies the maximum amount of data that may be transmitted or received
 before the session key is renegotiated, optionally followed by a maximum