SSH config issues - not correctly understanding host-specific config blocks?

Hi! I’ve just been playing with atuin-desktop in the past day or so, and have encountered an issue where it doesn’t seem to be fully processing/obeying .ssh/config.

I’m trying to use an SSH block to run commands on foo.dev.example.com and the script block just hangs (pressing the stop button doesn’t abort it either).

In my config I have:

Host *.dev.example.com
    ProxyCommand        none

However later in the config, I have:

Host !*.dev.example.com *.example.com !*.local
    ProxyCommand        ssh -W %r@%h:%p jump.example.com

i.e. don’t use a jump host for dev, but do for most other things.

It just so happens that I don’t need to use the jump host very often, so its certificate has changed since I last did. This means that when I run atuin-desktop from the command line (to see the logs), I can see the standard warning from it attempting to connect to jump.example.com, which it shouldn’t be needing to do:

[2025-12-24T13:23:46.076914668Z][ERROR][tauri_plugin_updater::updater] failed to check for updates: error sending request for url (https://releases.atuin.sh/linux/x86_64/0.2.11)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:...
Please contact your system administrator.
Add correct host key in /home/robin/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/robin/.ssh/known_hosts:14
  remove with:
  ssh-keygen -f '/home/robin/.ssh/known_hosts' -R 'jump.example.com'
Host key for jump.example.com has changed and you have requested strict checking.
Host key verification failed.
[2025-12-24T13:24:06.176886272Z][INFO][tracing::span] read_socket;

This warning is expected for trying to connect to that host; what’s unexpected is that it’s trying to do that at all. My best guess is that it’s not parsing the ! in the config.

I’m running on Ubuntu with atuin-desktop installed via .deb file, in case it’s relevant.

Thanks for this application, I can see it being useful!

(as an aside, it’d be neat to be able to run commands inside a kubectl exec context, similar to the ssh one.)

I’m researching a similar problem and I came across this issue in the russh-config repo. Atuin Desktop uses russh-config to parse the SSH config file, and it looks like russh-config does not support all of the things that OpenSSH does. I don’t know if this is the cause of your symptom, but I thought it might be worth sharing in case it helps you proceed.


Thanks, that certainly sounds likely.

Sadly I tried replacing all of the placeholders and wildcards in my SSH config with hardcoded values and I still get hangs when I try to connect to my SSH host. Let me know if you find success!
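
For reference, here is how the two Host blocks from the first post resolve under the rules documented in ssh_config(5): a negated pattern that matches vetoes the whole Host line, and the first value obtained for a keyword wins. This is an added example, not code from Atuin Desktop or russh-config; the function names are made up for illustration, and it assumes a config with only `Host` blocks (no `Match`, `Include`, quoting or `key=value` syntax).

```python
import re

# The two Host blocks quoted in the first post, in the same order.
CONFIG = """\
Host *.dev.example.com
    ProxyCommand        none

Host !*.dev.example.com *.example.com !*.local
    ProxyCommand        ssh -W %r@%h:%p jump.example.com
"""

def pattern_matches(pattern, host):
    """ssh_config wildcard: '*' is any run of characters, '?' is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def host_line_matches(patterns, host):
    """A Host line applies if a positive pattern matches and no '!' pattern does."""
    positive = False
    for p in patterns:
        if p.startswith("!"):
            if pattern_matches(p[1:], host):
                return False  # a negated match vetoes the whole line
        elif pattern_matches(p, host):
            positive = True
    return positive

def resolve(config, host, keyword):
    """Return the first value obtained for keyword, or None if never set."""
    applies = True  # options before any Host line apply to every host
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "host":
            applies = host_line_matches(args, host)
        elif applies and key == keyword.lower():
            return " ".join(args)
    return None

if __name__ == "__main__":
    for h in ("foo.dev.example.com", "db.example.com", "printer.local"):
        print(h, "->", resolve(CONFIG, h, "ProxyCommand"))
```

On a machine with OpenSSH installed, `ssh -G foo.dev.example.com` prints the options OpenSSH itself resolves for that host, which is the reference to compare any other parser against.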