How to match network inside SSH client configuration

Match a specific network inside the SSH client configuration file using a simple Python helper script.

Create the ~/.ssh/pynet.py Python helper script.

#!/usr/bin/env python3
# SSH helper - Check if hostname belongs to network
# Usage: pynet.py network hostname
# Example: pynet.py 172.16.0.0/16 172.16.0.1
# Exit codes: 0 - true, 1 - false

import ipaddress
import socket
import sys

# Resolve the hostname (IPv4 only) and parse the network given in CIDR notation.
address = ipaddress.ip_address(socket.gethostbyname(sys.argv[2]))
network = ipaddress.ip_network(sys.argv[1])

# ssh treats exit status 0 as a match, so invert the membership test.
sys.exit(int(address not in network))

Ensure that the executable bit is set.

$ chmod +x ~/.ssh/pynet.py

Use the Python helper script to perform the match operation.

Match exec "~/.ssh/pynet.py 172.16.0.0/16 %h"
  ProxyJump milosz@192.0.2.44:22
  User milosz

Match User milosz
  IdentityFile ~/.ssh/milosz

Match LocalUser milosz
  IdentityAgent /home/milosz/.ssh/agent_socket

Verify configuration.

$ ssh -A 172.16.51.15 -vv
OpenSSH_8.1p1 Ubuntu-5, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /home/milosz/.ssh/config
debug2: checking match for 'exec "~/.ssh/pynet.py 172.16.0.0/16 %h"' host 172.16.51.15 originally 172.16.51.15
debug1: Executing command: '~/.ssh/pynet.py 172.16.0.0/16 172.16.51.15'
debug2: match found
debug2: checking match for 'User milosz' host 172.16.51.15 originally 172.16.51.15
debug2: match found
debug2: checking match for 'LocalUser milosz' host 172.16.51.15 originally 172.16.51.15
debug2: match found
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname 172.16.51.15 is address
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -l milosz -p 22 -vv -W '[%h]:%p' 192.0.2.44
debug1: Executing proxy command: exec ssh -l milosz -p 22 -vv -W '[172.16.51.15]:22' 192.0.2.44
debug1: identity file /home/milosz/.ssh/milosz type 0
debug1: Local version string SSH-2.0-OpenSSH_8.1p1 Ubuntu-5
OpenSSH_8.1p1 Ubuntu-5, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /home/milosz/.ssh/config
debug2: checking match for 'exec "~/.ssh/pynet.py 172.16.0.0/16 %h"' host 192.0.2.44 originally 192.0.2.44
debug1: Executing command: '~/.ssh/pynet.py 172.16.0.0/16 192.0.2.44'
debug2: match not found
debug2: checking match for 'User milosz' host 192.0.2.44 originally 192.0.2.44
debug2: match found
debug2: checking match for 'LocalUser milosz' host 192.0.2.44 originally 192.0.2.44
debug2: match found
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname 192.0.2.44 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.0.2.44 [192.0.2.44] port 22.
debug1: Connection established.
[...]
Authenticated to 192.0.2.44 ([192.0.2.44]:22).
[...]
Authenticated to 172.16.51.15 (via proxy).
[...]
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.18.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Multipass 1.0 is out! Get Ubuntu VMs on demand on your Linux, Windows or
   Mac. Supports cloud-init for fast, local, cloud devops simulation.

     https://multipass.run/

 * Latest Kubernetes 1.18 beta is now available for your laptop, NUC, cloud
   instance or Raspberry Pi, with automatic updates to the final GA release.

     sudo snap install microk8s --channel=1.18/beta --classic

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Mon Mar  2 22:43:23 2020 from 192.0.2.44
[email protected]:~$

Oh, that was fun!
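
The helper above resolves IPv4 only and prints a traceback when a name does not resolve. The following variant is an added example, not the author's script: it handles IPv4 and IPv6, treats bad input and resolution failures as "no match", and matches a name only when every address it resolves to is inside the network, because the lookup result decides whether the ProxyJump block applies. The function names and the `resolver` parameter (used to test without DNS) are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example (not the original helper): dual-stack network match for "Match exec".
# Usage: <script> network hostname   Exit codes: 0 - match, 1 - no match or error
import ipaddress
import socket
import sys


def resolve(host):
    """Return every address the system resolver gives for host (IPv4 and IPv6)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # Strip an IPv6 zone id ("fe80::1%eth0"), which older ipaddress versions reject.
    return [info[4][0].split("%", 1)[0] for info in infos]


def host_in_network(network, host, resolver=resolve):
    """True only if host resolves and every resolved address is inside network."""
    try:
        net = ipaddress.ip_network(network)
    except ValueError:
        return False                      # malformed network argument
    try:
        # Literal addresses never touch the resolver.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            return False                  # unresolvable name: no match, no traceback
    # An address of the other IP version is never inside the network.
    return bool(addrs) and all(a.version == net.version and a in net for a in addrs)


def main(argv):
    if len(argv) != 3:
        print("usage: {} network hostname".format(argv[0]), file=sys.stderr)
        return 1
    return 0 if host_in_network(argv[1], argv[2]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

It is a drop-in replacement for the helper in the Match exec line; ssh still sees exit status 0 for a match and 1 otherwise.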