Image of the glider from the Game of Life by John Conway
Skip to content

Use Your SSH Client To Help Prevent Stupid Mistakes

I have chosen the path of system administration for my career. It's been very rewarding, and I really love my job. However, there are times when I make stupid mistakes that cost others money. I'm sure we've all been there. It's stressful, embarrassing and can really shake you up, if you mistake is bad enough. Many times, this happens because you fat-fingered an IP address, hostname, or something else, and your SSH client takes you somewhere you shouldn't be. If that's the case, hopefully this post can help.

According to the ssh_config(5) manual:

             Specifies a command to execute on the local machine after suc‐
             cessfully connecting to the server.  The command string extends
             to the end of the line, and is executed with the user's shell.
             The following escape character substitutions will be performed:
             ‘%d’ (local user's home directory), ‘%h’ (remote host name), ‘%l’
             (local host name), ‘%n’ (host name as provided on the command
             line), ‘%p’ (remote port), ‘%r’ (remote user name) or ‘%u’ (local
             user name).

             The command is run synchronously and does not have access to the
             session of the ssh(1) that spawned it.  It should not be used for
             interactive commands.

             This directive is ignored unless PermitLocalCommand has been

As mentioned, the used of LocalCommand executes a local command after successfully connecting to the server. I figured this would be a great way to print something to the terminal, letting me know whether or not my client just connected to a production machine, a QA machine, or a development machine.

I wanted to use colors, to make it obvious. I don't want to make the same mistake twice, so I want it painfully clear what machine I just went to. As a result, if I go to a development or home machine, use green. If I enter a QA machine, use yellow. If I enter a production, or other serious machine I probably shouldn't be on, use red. As a result, I can take advantage of the ANSI escape sequences for color. In case you forgot, here are the colors and modes:


Text attributes
0 Reset
1 Bright
2 Dim
4 Underscore
5 Blink
7 Reverse
8 Hidden

Foreground Colors
30 Black
31 Red
32 Green
33 Yellow
34 Blue
35 Magenta
36 Cyan
37 White

Background Colors
40 Black
41 Red
42 Green
43 Yellow
44 Blue
45 Magenta
46 Cyan
47 White

So, if I were about to SSH to a production machine, I probably want to make it as obvious as possible. Thus, I could print to the terminal, in blinking, bold, red text "PRODUCTION". I could use the following command:

print "\e[1;5;31PRODUCTIONm\e[0;m"

Notice that at the end of the sequence, I'm resetting the text attributes. This is because if you don't do this, you will keep the text attributes in your terminal, and that may have an affect on how the text is displayed when in your remote SSH connection.

A possible ~/.ssh/config file could look like this:

Host development
    Hostname dev.domain.tld
    LocalCommand print "\e[1;32mDevelopment\e[0;m"
    PermitLocalCommand yes

Host qa
    Hostname qa.domain.tld
    LocalCommand print "\e[1;33mQuality Assurance\e[0;m"
    PermitLocalCommand yes

Host production
    Hostname prod.domain.tld
    LocalCommand print "\e[1;5;32mPRODUCTION\e[0;m"
    PermitLocalCommand yes

Here is a screenshot in action (without the blink):

{ 13 } Comments