+# Arhitectura SSH Curenta

+

+Acest document descrie configuratia activa din `/home/nextgen/.ssh`. Sursa versionata a proiectului este in `/home/nextgen/projects/ssh-infrastructure`; `/home/nextgen/.ssh` ramane runtime OpenSSH si nu contine repo-ul git. Ultima actualizare: 2026-05-15. Jurnalul istoric `ssh-jump-attempts.md` este obsolete si poate fi consultat doar din git.

+

+## Structura Locala

+

+```text

+/home/nextgen/.ssh/

+  config                        <- single-file generat din inventory/hosts.yaml

+  known_hosts

+  known_hosts.old

+  authorized_keys

+  keys/

+    id_ed25519

+    id_ed25519.pub

+    elastix-root.pub

+  .doc/

+    ssh-jump-architecture.md

+

+~/.local/bin/

+  ssh

+  scp

+  sftp

+```

+

+Reguli:

+

+- Proiectul versionat sta in `~/projects/ssh-infrastructure`; `~/.ssh` ramane runtime OpenSSH.

+- Cheile de identitate stau in `~/.ssh/keys`.

+- Hosturile SSH sunt definite in `inventory/hosts.yaml`, apoi generate in `generated/*.conf`.

+- `~/.ssh/config` este instalat din `generated/client.conf` prin `tools/deploy-local.sh`; nu se editeaza manual.

+- Scripturile sursa stau versionate in `scripts/` in repo.

+- `~/.local/bin/` contine copiile executabile instalate de `tools/deploy-local.sh`; nu se editeaza manual.

+- `authorized_keys`, `known_hosts` si `config` raman in radacina `.ssh`, pentru compatibilitate cu OpenSSH.

+- `j1-relay.sh`, `ssh-proxy.sh`, `ensure-ssh-agent-bridge.sh` si `ensure-ssh-jump.sh` au fost eliminate; `ssh-wrapper.sh` ruleaza clientul SSH activ pe `is-jumper`, unde se afla cheia fizica.

+

+## Wrappers locale

+

+Scripturile sursa sunt in `scripts/` in repo; `~/.local/bin/` contine copiile executabile instalate local.

+

+| Comanda | Script | Mecanism |

+| --- | --- | --- |

+| `ssh` | `ssh-wrapper.sh` | parseaza args, rezolva hostul via `ssh -G`, construieste sesiunea nested |

+| `scp` | `scp-wrapper.sh` | apeleaza `/usr/bin/scp -S ~/.local/bin/ssh` — rutarea e delegata wrapper-ului ssh |

+| `sftp` | `sftp-wrapper.sh` | apeleaza `/usr/bin/sftp -S ~/.local/bin/ssh` — idem |

+

+- Compatibilitatea SSH pentru hop-ul final este responsabilitatea serverelor `J1`/`J2`; wrapperele locale nu reproduc algoritmi, KEX, cipher-uri sau `OPENSSL_CONF`.

+- Daca PATH-ul include `~/.local/bin` inaintea `/usr/bin`, comenzile `ssh`/`scp`/`sftp` folosesc automat aceste wrappers.

+

+## Arhitectura rețelei

+

+```

+192.168.2.0/24  — rețea locală de birou

+  is-toltec  (workstation-ul local)

+  is-jumper  192.168.2.100  (gardian cheie + client VPN)

+

+10.253.51.0/24  — rețea internă companie (acces via VPN de pe is-jumper)

+  J1  10.253.51.50:25904

+  J2  10.253.51.52:25904

+  hosturi finale (voip, porta, radius etc.)

+```

+

+**is-jumper** (192.168.2.100) este pe rețeaua locală de birou — accesibil direct din is-toltec, **fără VPN**. Este un **client** VPN (nu server): prin el se obține acces la `10.253.51.0/24`. Este **gardianul cheii fizice** (card RSA 4096) deoarece deservește mai mulți utilizatori din `192.168.2.0/24`.

+

+**Cheia fizică** (cardul) este montată exclusiv pe is-jumper și expusă prin GPG agent la `/run/user/0/gnupg/S.gpg-agent.ssh`. Wrapper-ul nu mai forwardează acest socket pe mașina locală; în schimb intră pe `is-jumper`, setează `SSH_AUTH_SOCK` la socketul local de acolo și rulează de pe `is-jumper` clientul SSH către J1/J2/j1/j2.

+

+## Lanțul de acces

+

+Calea standard (VPN activ, J1):

+

+```text

+local

+  -> is-jumper (192.168.2.100, executor SSH + cheie fizica)

+  -> J1 (10.253.51.50:25904)

+  -> host final

+```

+

+Calea publică (urgențe, fără rută VPN, j1/j2):

+

+```text

+local

+  -> is-jumper (192.168.2.100, executor SSH + cheie fizica)

+  -> j1.next-gen.ro:25904

+  -> host final

+```

+

+Sesiuni interactive pe J1/J2:

+

+```text

+local -> is-jumper -> J1

+local -> is-jumper -> J2

+```

+

+Nu mai exista bridge local de agent (`/tmp/is-jumper-agent.sock`). Cheia fizica ramane folosita local pe `is-jumper`.

+

+Jumps disponibile via flaguri wrapper:

+

+| Flag | Jump | Rută | Când |

+| --- | --- | --- | --- |

+| implicit / `-J1` | J1 (10.253.51.50) | client SSH rulat pe is-jumper | standard |

+| `-J2` | J2 (10.253.51.52) | client SSH rulat pe is-jumper | failover VPN |

+| `-j1` | j1.next-gen.ro | client SSH rulat pe is-jumper | urgențe |

+| `-j2` | j2.next-gen.ro | client SSH rulat pe is-jumper | urgențe |

+

+## Scripturi

+

+### ssh-wrapper.sh

+

+Parseaza argumentele `ssh`, rezolva hostul via `ssh -G`, construieste sesiunea nested activa pe `is-jumper`:

+

+```

+exec /usr/bin/ssh is-jumper "SSH_AUTH_SOCK=/run/user/0/gnupg/S.gpg-agent.ssh ssh -A <jump_host> '<final_ssh_cmd>'"

+```

+

+Bypass automat (pass-through direct) pentru:

+- `is-jumper` / `192.168.2.100`

+- Flaguri de interogare: `-G`, `-Q`, `-V`, `--help`

+

+Pentru J1/J2/j1/j2, wrapper-ul conecteaza intai local la `is-jumper`, apoi ruleaza acolo `ssh -A` cu `SSH_AUTH_SOCK=/run/user/0/gnupg/S.gpg-agent.ssh`. Pentru hosturile finale, comanda de pe jump ruleaza inca un `ssh` catre hostul final. Pentru `scp`/`sftp`, wrapper-ul pastreaza forma de subsystem `-s ... sftp`.

+

+### scp-wrapper.sh / sftp-wrapper.sh

+

+Wrappers subtiri care injecteaza `-S ~/.local/bin/ssh` la apelul sistemului:

+

+```bash

+/usr/bin/scp -S ~/.local/bin/ssh "$@"

+/usr/bin/sftp -S ~/.local/bin/ssh "$@"

+```

+

+Rutarea este delegata integral catre `ssh-wrapper.sh`; `scp`/`sftp` raman transparente pentru utilizator.

+

+Nu mai exista scripturi active bazate pe Python, ProxyJump sau port-forwarding externe; vechiul helper Python a fost eliminat dupa ce a fost semnalat de Sentinel.

+

+## Config SSH

+

+`~/.ssh/config` este un single-file generat din `inventory/hosts.yaml`:

+

+```sshconfig

+# Generated by tools/generate-configs.py.

+# Do not edit this file directly; edit inventory/hosts.yaml.

+```

+

+Generatorul produce:

+

+| Fisier | Destinatie | Rol |

+| --- | --- | --- |

+| `generated/client.conf` | client local | config runtime pentru `~/.ssh/config` |

+| `generated/is-jumper.conf` | is-jumper | config pentru jump aliases |

+| `generated/j1.conf` | J1 | hosturi finale |

+| `generated/j2.conf` | J2 | hosturi finale |

+

+Reguli de configurare:

+

+- hosturile finale definesc doar `HostName`, `User` si `Port`;

+- pe client, hosturile importate din IFS folosesc drept `HostName` numele

+  canonic deja cunoscut pe jump, iar IP-ul ramane alias pentru autocomplete;

+- `is-jumper` defineste si cheia locala de acces (`IdentityFile`, `IdentitiesOnly`);

+- wrapperul construieste ruta nested prin `is-jumper -> J1` implicit;

+- optiunile comune per-grup (ConnectTimeout etc.) stau in `inventory/hosts.yaml`;

+- `generated/j1.conf` si `generated/j2.conf` mostenesc blocul global company-managed

+  si omit `User`/`Port` cand toate aliasurile unui host sunt deja acoperite de

+  regulile `Match Host` de pe jump;

+- `generated/j1.conf` si `generated/j2.conf` nu mai includ hosturile care folosesc

+  doar defaulturi mostenite; raman doar override-urile efective si exceptiile

+  per-pattern care trebuie pastrate pe jump;

+- `generated/j1.conf` si `generated/j2.conf` sunt generate fara comentarii,

+  doar cu stanza-urile SSH necesare;

+- hosturile Radius folosesc acelasi flux nested prin J1 ca restul hosturilor finale.

+

+Aliasuri principale:

+

+| Alias | Rol | Rutare |

+| --- | --- | --- |

+| `is-jumper` | VPN gateway + gardian cheie fizica | direct (IP 192.168.2.100) |

+| `J1`, `J2` | jump hosts, login interactiv | wrapper prin is-jumper |

+| `voip-prov`, `voip-prov-root` | host VoIP provider | wrapper nested prin J1 |

+| `porta-sip`, `porta-web`, `porta-db`, `porta-configurator` | PortaOne MR30 | wrapper nested prin J1 |

+| `elastix` | host vechi | wrapper nested prin J1 |

+| `*.radius-db`, `*.radius-pppoe` | baze Radius regionale | wrapper nested prin J1 |

+

+`J1` si `J2` nu mai folosesc `ProxyJump`, `IdentityAgent` sau `RemoteCommand` in configul local; wrapper-ul orchestreaza explicit conexiunea prin `is-jumper`.

+

+## PortaOne

+

+Aliasuri PortaOne:

+

+- `porta-sip`, `p12-sip`, `p12`, `p12.voip.ro` -> `193.16.148.4`

+- `porta-web`, `porta-api`, `porta-slave`, `porta7`, `telefonie.next-gen.ro` -> `193.16.148.7`

+- `porta-db`, `porta-master`, `porta1` -> `193.16.148.11`

+- `porta-configurator`, `porta-config` -> `193.16.148.13`

+

+Aceste hosturi folosesc ruta nested din wrapper; eventualele optiuni de compatibilitate ale hop-ului final sunt asigurate pe `J1`/`J2`.

+

+## Verificari

+

+Verificare configuratie fara conectare:

+

+```bash

+ssh -G is-jumper | grep -E '^(hostname|user|identityfile|identitiesonly)'

+ssh -G porta-db | grep -E '^(hostname|user|port)'

+ssh -G falticeni.radius-db | grep -E '^(hostname|user|port|connecttimeout)'

+```

+

+Verificare read-only cu conectare:

+

+```bash

+ssh porta-db hostname

+ssh porta-sip 'service porta-sip status'

+ssh voip-prov hostname

+scp porta-db:/etc/hosts /tmp/test-scp

+sftp porta-db <<< 'ls /'

+```

+

+## Mentenanta

+

+- Cand adaugi o cheie noua, pune-o in `~/.ssh/keys` si seteaza permisiuni `600` pentru cheia privata.

+- Cand adaugi un host nou: adauga-l in `inventory/hosts.yaml`, ruleaza generatorul si apoi `tools/deploy-local.sh`.

+- Cand adaugi un domeniu nou: adauga un grup nou in `inventory/hosts.yaml`.

+- Cand adaugi un wrapper nou: adauga scriptul in `scripts/` in repo si lasa `tools/deploy-local.sh` sa il instaleze in `~/.local/bin/`.

+- Nu readuce `ProxyJump`, `IdentityAgent /tmp/is-jumper-agent.sock`, helperul Python sau port-forwarding per-host.

+- Nu activa `ForwardAgent yes` pe hosturile finale fara un motiv explicit.

+- Dupa modificari la wrappers sau config, verifica: `ssh -G <alias>` si cel putin un alias read-only (`ssh porta-db hostname`).

+# Ignore SSH agent state and dynamic socket directories

+agent/

+

+# Ignore known hosts, authorized keys, and private keys

+authorized_keys

+known_hosts

+known_hosts.old

+keys/

+*.pem

+*.key

+*.ppk

+*.der

+*.csr

+

+# Ignore local or temporary files

+*.swp

+*.tmp

+.DS_Store

+__pycache__/

+

+# Ignore generated deploy artifacts

+generated/

+SSH_SETUP_SUMMARY.md

+

+# Ignore local import/export work areas and ad-hoc overlay trees

+import/

+conf.d/

+# SSH Infrastructure

+

+Source-controlled SSH routing and wrapper configuration for the Next-Gen jump

+infrastructure.

+

+## Runtime vs project

+

+- Project source: `~/Documents/Workspaces/Bogdan/ssh-infrastructure`

+- OpenSSH runtime: `~/.ssh`

+

+Keep secrets and machine-local state out of this repository:

+

+- private keys: `~/.ssh/keys/`

+- `authorized_keys`

+- `known_hosts`

+- socket or agent state

+

+The runtime `~/.ssh/config` is a generated single-file OpenSSH config. The

+project is the place to edit wrappers, documentation, inventory, and generator

+code.

+

+Deploy the local runtime copy with:

+

+```bash

+tools/deploy-local.sh

+```

+

+The deploy script generates `generated/client.conf`, installs it as

+`~/.ssh/config`, and installs the wrapper commands into `~/.local/bin`.

+It does not touch keys, `authorized_keys`, or `known_hosts`.

+

+## Version control

+

+This directory is the git repository for source files only. Generated configs,

+local state, keys, known hosts, and handoff notes stay out of version control.

+

+Track source changes with:

+

+```bash

+git status

+git add inventory schema scripts tools .doc README.md .gitignore

+git commit

+```

+

+## Current client layout

+

+```text

+~/.ssh/config

+~/.local/bin/ssh

+~/.local/bin/scp

+~/.local/bin/sftp

+```

+

+The wrapper sources stay versioned in `scripts/` inside the project; deploy

+installs executable copies into `~/.local/bin` and removes the obsolete

+`~/.ssh/scripts` runtime layout from older checkouts.

+

+## Source of Truth

+

+The structured source of truth starts in:

+

+```text

+inventory/hosts.yaml

+schema/hosts.schema.json

+tools/generate-configs.py

+```

+

+The `generated/*.conf` files are deploy artifacts. They are ignored by git and

+can be recreated at any time with `tools/deploy-local.sh`.

+

+## Sync from upstream

+

+Pull the upstream inventory, apply this machine's local `is-jumper` key override,

+regenerate, and deploy if the inventory changed:

+

+```bash

+tools/sync-hosts-from-upstream.sh

+```

+

+Defaults:

+

+```text

+UPSTREAM_SSH_TARGET=nextgen@192.168.2.103

+UPSTREAM_HOSTS_PATH=/home/nextgen/projects/ssh-infrastructure/inventory/hosts.yaml

+LOCAL_IS_JUMPER_IDENTITY_FILE=~/.ssh/keys/is-jumper_ed25519

+DEPLOY_AFTER_SYNC=1

+```

+

+Useful overrides:

+

+```bash

+UPSTREAM_HOSTS_FILE=/tmp/hosts.yaml tools/sync-hosts-from-upstream.sh

+DEPLOY_AFTER_SYNC=0 tools/sync-hosts-from-upstream.sh

+FORCE_DEPLOY=1 tools/sync-hosts-from-upstream.sh

+```

+

+Known defaults captured there:

+

+- jump hosts default to user `bogdan.timofte`;

+- jump hosts default to port `24`, with explicit overrides such as `25904`;

+- final hosts default to user `bogdan` because most distributions do not like

+  dotted local usernames;

+- when imported configs disagree between `bogdan` and `root`, `bogdan` wins;

+- final hosts default to port `22`, with explicit overrides where needed.

+- Cisco/TACACS router entries use `auth: password_interactive`; generated SSH

+  config marks them so the wrapper does not force `BatchMode=yes`.

+- Imported IFS devices use the canonical hostname already known on the jump

+  servers as client-side `HostName`, while IPs remain available as aliases for

+  autocomplete.

+- J1/J2 configs inherit the company-managed global compatibility block and

+  selected `Match Host` user/port defaults from the jump servers instead of

+  duplicating them in generated output.

+- J1/J2 configs only emit host entries when there is an effective override to

+  keep on the jump side; hosts that only use inherited defaults are omitted.

+- J1/J2 generated configs are stripped down to functional SSH stanzas only,

+  without generated comments or group annotations.

+version: 1

+facts:

+  jump_default_port: 24

+  jump_default_user: bogdan.timofte

+  common_distribution_user: bogdan

+  notes:

+  - Most distributions do not like dots in local usernames, so most final-host installs

+    use bogdan.

+  - In bogdan/root import conflicts, bogdan wins.

+ssh_options:

+  legacy_compatibility:

+    description: Company-managed jump global ssh_config compatibility options

+    options:

+      KexAlgorithms: +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

+      Ciphers: +aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

+      HostKeyAlgorithms: +ssh-rsa

+      PubkeyAcceptedAlgorithms: +ssh-rsa

+      ForwardAgent: true

+      ForwardX11: false

+      PasswordAuthentication: true

+      HostbasedAuthentication: false

+      CheckHostIP: true

+      StrictHostKeyChecking: ask

+      Tunnel: false

+      SendEnv: LANG LC_* GIT_* ANSIBLE_*

+      HashKnownHosts: true

+company_managed:

+  jump_hosts:

+    inherit_globals_on_targets:

+    - j1

+    - j2

+    match_defaults:

+    - patterns:

+      - '*.dr0?'

+      - '*.ar0?'

+      - '*.cr01'

+      - '*.br01'

+      - '*.as??'

+      - '*.cs0?'

+      - '*.tv01'

+      - '*.ds0?'

+      - bucuresti.ines.dcm01

+      - bucuresti.nxdata.voip

+      - bucuresti.dolce.tv01

+      - '*dasan*'

+      user: bogdan.timofte

+      port: 22

+    - patterns:

+      - '*.olt'

+      user: bogdan.timofte@next-gen.ro

+      port: 22

+    - patterns:

+      - '*.dhcp'

+      - '*.shaper*'

+      - '*.sentinel'

+      - '*.scan'

+      - redmine

+      - speedtest

+      - webdevel

+      - scripting

+      - zabbix

+      - itpve-*

+      - cacti

+      - mx

+      - bucuresti.radius-pppoe

+      - flood-detector

+      - tacacs2

+      - tacacs1

+      - ns2

+      - ns1

+      - backup1

+      - gitlab

+      - nlg

+      - nexus

+      - dhcp-cmts

+      - '*.radius-db'

+      - jump1

+      - aggregator-buc

+      - mappix

+      - docker.*

+      - cpanel

+      - jump2

+      - nocpve-*

+      - ocvpn

+      user: bogdan.timofte

+      port: 24

+defaults:

+  jump:

+    user: bogdan.timofte

+    port: 24

+  final_host:

+    user: bogdan

+    port: 22

+    connect_timeout: 10

+    connection_attempts: 1

+entrypoints:

+  is_jumper:

+    aliases:

+    - is-jumper

+    hostname: 192.168.2.100

+    user: root

+    identity_file: ~/.ssh/keys/is-jumper_ed25519

+    identities_only: true

+jumps:

+  j1:

+    aliases:

+    - j1

+    hostname: 10.253.51.50

+    port: 25904

+    role: primary_vpn

+  j2:

+    aliases:

+    - j2

+    hostname: 10.253.51.52

+    port: 25904

+    role: failover_vpn

+  j1_public:

+    aliases:

+    - j1

+    hostname: j1.next-gen.ro

+    port: 25904

+    role: emergency_public

+  j2_public:

+    aliases:

+    - j2

+    hostname: j2.next-gen.ro

+    port: 25904

+    role: emergency_public

+groups:

+  voip_applications:

+    description: PBX systems

+    default_jump: j1

+    hosts:

+      vo52:

+        aliases:

+        - vo52

+        - vo522

+        - vo52-new

+        - 10.253.51.140

+        hostname: 10.253.51.140

+        user: root

+      vo52_old:

+        aliases:

+        - vo52-old

+        hostname: 193.16.148.152

+        user: root

+      vo53:

+        aliases:

+        - vo53

+        - 193.16.148.153

+        hostname: 193.16.148.153

+        port: 60011

+      elastix:

+        aliases:

+        - elastix

+        - 10.253.50.62

+        - 188.173.1.15

+        hostname: 10.253.50.62

+        user: root

+      ss7:

+        aliases:

+        - ss7

+        hostname: 10.253.51.138

+        user: root

+      voip_pbx_dispecerat:

+        aliases:

+        - voip-pbx-dispeceri

+        - pbx-dispeceri

+        - 10.253.51.134

+        hostname: 10.253.51.134

+        user: bogdan

+      voip_pbx_bo:

+        aliases:

+        - voip-pbx-bo

+        - pbx-bo

+        - 10.253.51.135

+        hostname: 10.253.51.135

+        user: bogdan

+  voip_network:

+    description: VoIP network infrastructure

+    default_jump: j1

+    hosts:

+      sbc0:

+        aliases:

+        - sbc0

+        - 10.253.51.130

+        - 10.20.30.10

+        - 193.16.148.197

+        hostname: 10.253.51.130

+      sbc1:

+        aliases:

+        - sbc1

+        - 10.253.51.131

+        - 10.20.30.10

+        - 193.16.148.194

+        - 193.16.148.195

+        - 193.16.148.196

+        - 193.16.148.198

+        - 193.16.148.199

+        hostname: 10.253.51.131

+      sbc2:

+        aliases:

+        - sbc2

+        - 10.253.51.132

+        - 10.20.30.11

+        hostname: 10.253.51.132

+      voip_prov:

+        aliases:

+        - voip-prov

+        - 10.253.51.139

+        hostname: 10.253.51.139

+      portabilitate:

+        aliases:

+        - portabilitate

+        - bdc

+        - 10.253.51.133

+        - 89.165.199.20

+        - 89.165.232.232

+        hostname: 10.253.51.133

+  porta:

+    description: PortaOne MR30 legacy

+    default_jump: j1

+    hosts:

+      porta_sip:

+        aliases:

+        - porta-sip

+        - p12-sip

+        - p12

+        - p12.voip.ro

+        - 193.16.148.4

+        hostname: 193.16.148.4

+      porta_web:

+        aliases:

+        - porta-web

+        - porta-api

+        - porta-slave

+        - porta7

+        - telefonie.next-gen.ro

+        - 193.16.148.7

+        hostname: 193.16.148.7

+      porta_db:

+        aliases:

+        - porta-db

+        - porta-master

+        - porta1

+        - 193.16.148.11

+        hostname: 193.16.148.11

+      porta_config:

+        aliases:

+        - porta-config

+        - porta-configurator

+        - 193.16.148.13

+        hostname: 193.16.148.13

+  pppoe:

+    description: RADIUS and PPPOE systems

+    default_jump: j1

+    defaults:

+      user: bogdan.timofte

+      port: 24

+    patterns:

+      '*.radius-db':

+        connect_timeout: 10

+        connection_attempts: 1

+      '*.radius-pppoe':

+        connect_timeout: 10

+        connection_attempts: 1

+    hosts:

+      radauti_radius_db:

+        aliases:

+        - radauti.radius-db

+        - 94.53.112.30

+        - 10.132.96.121

+        hostname: radauti.radius-db

+      pascani_radius_db:

+        aliases:

+        - pascani.radius-db

+        - 46.214.144.7

+        - 10.132.0.121

+        hostname: pascani.radius-db

+      falticeni_radius_db:

+        aliases:

+        - falticeni.radius-db

+        - 46.214.136.7

+        - 10.132.64.121

+        hostname: falticeni.radius-db

+      tg_frumos_radius_db:

+        aliases:

+        - tg_frumos.radius-db

+        - 94.53.170.7

+        - 10.132.32.121

+        hostname: tg_frumos.radius-db

+      buhusi_radius_db:

+        aliases:

+        - buhusi.radius-db

+        - 46.214.240.7

+        - 10.132.128.121

+        hostname: buhusi.radius-db

+      bucuresti_radius_pppoe:

+        aliases:

+        - bucuresti.radius-pppoe

+        - 188.173.1.29

+        hostname: bucuresti.radius-pppoe

+  legacy_public:

+    description: Legacy public VoIP jump

+    default_jump: j1

+    hosts:

+      voce_pub:

+        aliases:

+        - voce-pub

+        - voce-pub2

+        - 188.173.0.230

+        hostname: 188.173.0.230

+        user: bogdan

+        port: 22

+  imported_jump_hosts:

+    description: Hosts imported from J1/J2 user SSH configs

+    default_jump: j1

+    defaults:

+      user: bogdan.timofte

+      port: 24

+    hosts:

+      host_10_132_128_121:

+        aliases:

+        - 10.132.128.121

+        hostname: 10.132.128.121

+      host_188_173_0_163:

+        aliases:

+        - 188.173.0.163

+        hostname: 188.173.0.163

+        user: bogdan

+      host_188_173_0_141:

+        aliases:

+        - 188.173.0.141

+        hostname: 188.173.0.141

+        user: bogdan

+  noc:

+    description: NOC hosts grouped by function

+    default_jump: j1

+    defaults:

+      user: bogdan.timofte

+      port: 24

+    pve:

+      description: Proxmox hosts

+      default_jump: j1

+      hosts:

+        nocpve_nxdata1:

+          aliases:

+          - nocpve-nxdata1

+          - 188.173.1.112

+          - 10.253.51.24

+          hostname: 10.253.51.24

+          user: root

+        nocpve_nxdata2:

+          aliases:

+          - nocpve-nxdata2

+          - 188.173.1.116

+          - 10.253.51.25

+          hostname: 10.253.51.25

+          user: root

+        nocpve_ines1:

+          aliases:

+          - nocpve-ines1

+          - 188.173.1.117

+          - 10.253.51.27

+          hostname: 10.253.51.27

+          user: root

+        nocpve_ines2:

+          aliases:

+          - nocpve-ines2

+          - 188.173.1.118

+          - 10.253.51.28

+          hostname: 10.253.51.28

+          user: root

+        itpve_ines1:

+          aliases:

+          - itpve-ines1

+          - 188.173.0.211

+          - 10.253.51.211

+          hostname: 10.253.51.211

+          user: root

+        itpve_ines2:

+          aliases:

+          - itpve-ines2

+          - 188.173.0.212

+          - 10.253.51.212

+          hostname: 10.253.51.212

+          user: root

+        itpve_ines3:

+          aliases:

+          - itpve-ines3

+          - 188.173.0.213

+          - 10.253.51.213

+          hostname: 10.253.51.213

+          user: root

+        itpve_ines4:

+          aliases:

+          - itpve-ines4

+          - 188.173.0.222

+          - 10.253.51.222

+          hostname: 10.253.51.222

+          user: root

+        itpve_bns1:

+          aliases:

+          - itpve-bns1

+          - 188.173.0.201

+          - 10.253.51.201

+          hostname: 10.253.51.201

+          user: root

+        itpve_bns2:

+          aliases:

+          - itpve-bns2

+          - 188.173.0.202

+          - 10.253.51.202

+          hostname: 10.253.51.202

+          user: root

+        itpve_bns3:

+          aliases:

+          - itpve-bns3

+          - 188.173.0.203

+          - 10.253.51.203

+          hostname: 10.253.51.203

+          user: root

+        itpve_bns4:

+          aliases:

+          - itpve-bns4

+          - 188.173.0.220

+          - 10.253.51.204

+          hostname: 10.253.51.204

+          user: root

+    backup:

+      description: Backup hosts

+      default_jump: j1

+      hosts:

+        backup_bns_01:

+          aliases:

+          - backup-bns-01

+          - 188.173.1.83

+          hostname: 188.173.1.83

+          user: root

+  huawei_olts:

+    description: Huawei OLT access equipment with interactive password auth

+    default_jump: j1

+    defaults:

+      user: bogdan.timofte@next-gen.ro

+      port: 22

+      auth: password_interactive

+    hosts:

+      pascani_olt:

+        aliases:

+        - pascani.olt

+        hostname: pascani.olt

+      radauti_olt:

+        aliases:

+        - radauti.olt

+        - 10.132.96.50

+        hostname: radauti.olt

+  cisco_routers:

+    description: Cisco and similar managed devices with interactive password auth

+    default_jump: j1

+    defaults:

+      user: bogdan.timofte

+      port: 22

+      auth: password_interactive

+    hosts:

+      pascani_headend_cr01:

+        aliases:

+        - pascani.headend.cr01

+        - 10.132.0.97

+        hostname: pascani.headend.cr01

+      buhusi_headend_as01:

+        aliases:

+        - buhusi.headend.as01

+        - 10.132.128.11

+        hostname: buhusi.headend.as01

+      buhusi_headend_as02:

+        aliases:

+        - buhusi.headend.as02

+        - 10.132.128.12

+        hostname: buhusi.headend.as02

+      buhusi_headend_as03:

+        aliases:

+        - buhusi.headend.as03

+        - 10.132.128.13

+        hostname: buhusi.headend.as03

+      buhusi_headend_as04:

+        aliases:

+        - buhusi.headend.as04

+        - 10.132.128.14

+        hostname: buhusi.headend.as04

+      buhusi_headend_as05:

+        aliases:

+        - buhusi.headend.as05

+        - 10.132.128.15

+        hostname: buhusi.headend.as05

+      buhusi_headend_dr01:

+        aliases:

+        - buhusi.headend.dr01

+        - 10.132.128.1

+        hostname: buhusi.headend.dr01

+      buhusi_headend_ds02:

+        aliases:

+        - buhusi.headend.ds02

+        - 10.132.128.5

+        hostname: buhusi.headend.ds02

+      falticeni_headend_dr01:

+        aliases:

+        - falticeni.headend.dr01

+        - 10.132.64.1

+        hostname: falticeni.headend.dr01

+      falticeni_headend_ds02:

+        aliases:

+        - falticeni.headend.ds02

+        - 10.132.64.5

+        hostname: falticeni.headend.ds02

+      falticeni_headend_ds04:

+        aliases:

+        - falticeni.headend.ds04

+        - 10.132.64.7

+        hostname: falticeni.headend.ds04

+      pascani_headend_as01:

+        aliases:

+        - pascani.headend.as01

+        - 10.132.0.5

+        hostname: pascani.headend.as01

+      pascani_headend_dr01:

+        aliases:

+        - pascani.headend.dr01

+        - 10.132.0.1

+        hostname: pascani.headend.dr01

+      pascani_headend_dr02:

+        aliases:

+        - pascani.headend.dr02

+        - 10.132.0.100

+        hostname: pascani.headend.dr02

+      pascani_headend_dr03:

+        aliases:

+        - pascani.headend.dr03

+        - 10.132.0.99

+        hostname: pascani.headend.dr03

+      pascani_headend_ds01:

+        aliases:

+        - pascani.headend.ds01

+        - 10.132.0.3

+        hostname: pascani.headend.ds01

+      pascani_headend_tv01:

+        aliases:

+        - pascani.headend.tv01

+        - 10.132.0.101

+        hostname: pascani.headend.tv01

+      radauti_headend_as01:

+        aliases:

+        - radauti.headend.as01

+        - 10.132.96.11

+        hostname: radauti.headend.as01

+      radauti_headend_dr01:

+        aliases:

+        - radauti.headend.dr01

+        - 172.30.255.101

+        hostname: radauti.headend.dr01

+      tg_frumos_headend_as01:

+        aliases:

+        - tg_frumos.headend.as01

+        - 10.132.32.11

+        hostname: tg_frumos.headend.as01

+      tg_frumos_headend_dr01:

+        aliases:

+        - tg_frumos.headend.dr01

+        - 10.132.32.1

+        hostname: tg_frumos.headend.dr01

+      tg_frumos_headend_ds01:

+        aliases:

+        - tg_frumos.headend.ds01

+        - 10.132.32.3

+        hostname: tg_frumos.headend.ds01

+  network_switches:

+    description: DCN switches with interactive password auth

+    default_jump: j1

+    defaults:

+      user: bogdan.timofte

+      port: 22

+      auth: password_interactive

+    hosts:

+      buhusi_psw_010:

+        aliases:

+        - buhusi-psw-010

+        - 10.132.128.20

+        hostname: buhusi-psw-010

+      buhusi_psw_011:

+        aliases:

+        - buhusi-psw-011

+        - 10.132.128.21

+        hostname: buhusi-psw-011

+      buhusi_psw_012:

+        aliases:

+        - buhusi-psw-012

+        - 10.132.128.22

+        hostname: buhusi-psw-012

+      buhusi_psw_013:

+        aliases:

+        - buhusi-psw-013

+        - 10.132.128.23

+        hostname: buhusi-psw-013

+      buhusi_psw_014:

+        aliases:

+        - buhusi-psw-014

+        - 10.132.128.24

+        hostname: buhusi-psw-014

+      buhusi_silistea_psw_001:

+        aliases:

+        - buhusi.silistea.psw-001

+        - 10.132.128.50

+        hostname: buhusi.silistea.psw-001

+      falticeni_psw_110:

+        aliases:

+        - falticeni-psw-110

+        - 10.132.64.20

+        hostname: falticeni-psw-110

+      radauti_headend_ag001:

+        aliases:

+        - radauti.headend.ag001

+        - 10.132.96.12

+        hostname: radauti.headend.ag001

+  mikrotik_routers:

+    description: MikroTik CRS/CCR equipment with interactive password auth

+    default_jump: j1

+    defaults:

+      user: admin

+      port: 24

+      auth: password_interactive

+    hosts:

+      buhusi_mikrotik_dr01:

+        aliases:

+        - buhusi.mikrotik.dr01

+        - 10.132.128.110

+        hostname: buhusi.mikrotik.dr01

+      buhusi_mikrotik_ds01:

+        aliases:

+        - buhusi.mikrotik.ds01

+        - 10.132.128.100

+        hostname: buhusi.mikrotik.ds01

+      buhusi_mikrotik_pppoe01:

+        aliases:

+        - buhusi.mikrotik.pppoe01

+        - 10.132.128.111

+        hostname: buhusi.mikrotik.pppoe01

+      buhusi_mikrotik_pppoe02:

+        aliases:

+        - buhusi.mikrotik.pppoe02

+        - 10.132.128.112

+        hostname: buhusi.mikrotik.pppoe02

+      falticeni_mikrotik_dr01:

+        aliases:

+        - falticeni.mikrotik.dr01

+        - 10.132.64.110

+        hostname: falticeni.mikrotik.dr01

+      falticeni_mikrotik_ds01:

+        aliases:

+        - falticeni.mikrotik.ds01

+        - 10.132.64.100

+        hostname: falticeni.mikrotik.ds01

+      falticeni_mikrotik_pppoe1:

+        aliases:

+        - falticeni.mikrotik.pppoe1

+        - 10.132.64.111

+        hostname: falticeni.mikrotik.pppoe1

+      falticeni_mikrotik_pppoe2:

+        aliases:

+        - falticeni.mikrotik.pppoe2

+        - 10.132.64.112

+        hostname: falticeni.mikrotik.pppoe2

+      pascani_mikrotik_pppoe1:

+        aliases:

+        - pascani.mikrotik.pppoe1

+        - 10.132.0.111

+        hostname: pascani.mikrotik.pppoe1

+      pascani_mikrotik_pppoe2:

+        aliases:

+        - pascani.mikrotik.pppoe2

+        - 10.132.0.112

+        hostname: pascani.mikrotik.pppoe2

+      radauti_mikrotik_pppoe1:

+        aliases:

+        - radauti.mikrotik.pppoe1

+        - 10.132.96.111

+        hostname: radauti.mikrotik.pppoe1

+      radauti_mikrotik_pppoe2:

+        aliases:

+        - radauti.mikrotik.pppoe2

+        - 10.132.96.112

+        hostname: radauti.mikrotik.pppoe2

+      tg_frumos_mikrotik_dr01:

+        aliases:

+        - tg_frumos.mikrotik.dr01

+        - 94.53.170.1

+        hostname: tg_frumos.mikrotik.dr01

+      tg_frumos_mikrotik_pppoe1:

+        aliases:

+        - tg_frumos.mikrotik.pppoe1

+        - 10.132.32.111

+        hostname: tg_frumos.mikrotik.pppoe1

+{

+  "$schema": "https://json-schema.org/draft/2020-12/schema",

+  "$id": "https://next-gen.local/ssh-infrastructure/hosts.schema.json",

+  "title": "SSH infrastructure inventory",

+  "type": "object",

+  "required": ["version", "defaults", "entrypoints", "jumps", "groups"],

+  "additionalProperties": false,

+  "properties": {

+    "version": { "const": 1 },

+    "facts": { "type": "object" },

+    "ssh_options": {

+      "type": "object",

+      "additionalProperties": {

+        "type": "object",

+        "required": ["options"],

+        "additionalProperties": false,

+        "properties": {

+          "description": { "type": "string" },

+          "options": {

+            "type": "object",

+            "additionalProperties": {

+              "anyOf": [

+                { "type": "string" },

+                { "type": "integer" },

+                { "type": "boolean" }

+              ]

+            }

+          }

+        }

+      }

+    },

+    "company_managed": {

+      "type": "object",

+      "additionalProperties": false,

+      "properties": {

+        "jump_hosts": {

+          "type": "object",

+          "additionalProperties": false,

+          "properties": {

+            "inherit_globals_on_targets": {

+              "type": "array",

+              "items": { "type": "string" }

+            },

+            "match_defaults": {

+              "type": "array",

+              "items": { "$ref": "#/$defs/companyManagedMatch" }

+            }

+          }

+        }

+      }

+    },

+    "defaults": {

+      "type": "object",

+      "required": ["jump", "final_host"],

+      "additionalProperties": false,

+      "properties": {

+        "jump": { "$ref": "#/$defs/defaults" },

+        "final_host": { "$ref": "#/$defs/defaults" }

+      }

+    },

+    "entrypoints": {

+      "type": "object",

+      "additionalProperties": { "$ref": "#/$defs/host" }

+    },

+    "jumps": {

+      "type": "object",

+      "additionalProperties": {

+        "allOf": [

+          { "$ref": "#/$defs/host" },

+          {

+            "type": "object",

+            "properties": {

+              "role": { "type": "string" }

+            }

+          }

+        ]

+      }

+    },

+    "groups": {

+      "type": "object",

+      "additionalProperties": {

+        "type": "object",

+        "required": ["hosts"],

+        "additionalProperties": false,

+        "properties": {

+          "description": { "type": "string" },

+          "default_jump": { "type": "string" },

+          "defaults": { "$ref": "#/$defs/defaults" },

+          "patterns": {

+            "type": "object",

+            "additionalProperties": { "$ref": "#/$defs/options" }

+          },

+          "hosts": {

+            "type": "object",

+            "additionalProperties": { "$ref": "#/$defs/host" }

+          }

+        }

+      }

+    }

+  },

+  "$defs": {

+    "defaults": {

+      "type": "object",

+      "additionalProperties": false,

+      "properties": {

+        "user": { "type": "string" },

+        "port": { "type": "integer", "minimum": 1, "maximum": 65535 },

+        "connect_timeout": { "type": "integer", "minimum": 1 },

+        "connection_attempts": { "type": "integer", "minimum": 1 },

+        "auth": { "$ref": "#/$defs/auth" }

+      }

+    },

+    "options": {

+      "type": "object",

+      "additionalProperties": false,

+      "properties": {

+        "connect_timeout": { "type": "integer", "minimum": 1 },

+        "connection_attempts": { "type": "integer", "minimum": 1 }

+      }

+    },

+    "companyManagedMatch": {

+      "type": "object",

+      "required": ["patterns"],

+      "additionalProperties": false,

+      "properties": {

+        "patterns": {

+          "type": "array",

+          "minItems": 1,

+          "items": { "type": "string" }

+        },

+        "user": { "type": "string" },

+        "port": { "type": "integer", "minimum": 1, "maximum": 65535 }

+      }

+    },

+    "host": {

+      "type": "object",

+      "required": ["aliases", "hostname"],

+      "additionalProperties": false,

+      "properties": {

+        "aliases": {

+          "type": "array",

+          "minItems": 1,

+          "items": { "type": "string" }

+        },

+        "hostname": { "type": "string" },

+        "user": { "type": "string" },

+        "port": { "type": "integer", "minimum": 1, "maximum": 65535 },

+        "identity_file": { "type": "string" },

+        "identities_only": { "type": "boolean" },

+        "role": { "type": "string" },

+        "auth": { "$ref": "#/$defs/auth" }

+      }

+    },

+    "auth": {

+      "type": "string",

+      "enum": ["key", "password_interactive"]

+    }

+  }

+}

+#!/usr/bin/env bash

+exec /usr/bin/scp -S ~/.local/bin/ssh "$@"

+#!/usr/bin/env bash

+exec /usr/bin/sftp -S ~/.local/bin/ssh "$@"

+#!/usr/bin/env bash

+set -euo pipefail

+

+real_ssh="/usr/bin/ssh"

+ssh_config="$HOME/.ssh/config"

+remote_agent="/run/user/0/gnupg/S.gpg-agent.ssh"

+

+# Access model, May 2026

+# ----------------------

+#

+# Cheia fizica este montata pe is-jumper. Wrapper-ul local nu mai face bridge

+# de agent in /tmp; in schimb ruleaza clientul SSH activ pe is-jumper:

+#

+#     local ssh wrapper

+#       -> is-jumper (192.168.2.100, acces local cu id_ed25519)

+#       -> J1/J2/j1/j2 (autentificare cu agentul fizic de pe is-jumper)

+#       -> ssh final-host

+#

+# Custom jump flags (stripped by wrapper, not passed to real ssh):

+#   -J1  use J1 via VPN (default for configured hosts)

+#   -J2  use J2 via VPN

+#   -j1  use j1 via public DNS (urgente, fara ruta VPN)

+#   -j2  use j2 via public DNS (urgente, fara ruta VPN)

+#

+# Hosturi arbitrare (fara config SSH): wrapper-ul le ruteza prin jump doar daca

+# unul dintre flagurile de mai sus este prezent explicit.

+

+target_user=""

+target_host=""

+target_port=""

+target_auth=""

+found_target=0

+cmd_args=()

+ssh_config_args=()

+jump_alias="j1"

+custom_jump_set=0

+host_configured=1

+target_is_jump=0

+want_subsystem=0

+user_option=""

+port_option=""

+

+has_explicit_config() {

+    local arg

+

+    for arg in "$@"; do

+        case "$arg" in

+            -F|-F*)

+                return 0

+                ;;

+        esac

+    done

+

+    return 1

+}

+

+quote_cmd() {

+    local out="" q part

+

+    for part in "$@"; do

+        printf -v q "%q" "$part"

+        out+="$q "

+    done

+

+    printf "%s" "$out"

+}

+

+resolve_ssh_config() {

+    local target=$1

+    local line

+

+    target_user=""

+    target_host=""

+    target_port=""

+    target_auth=""

+

+    while IFS= read -r line; do

+        case "$line" in

+            user\ *)     target_user=${line#user } ;;

+            hostname\ *) target_host=${line#hostname } ;;

+            port\ *)     target_port=${line#port } ;;

+            setenv\ *NG_SSH_AUTH=password-interactive*) target_auth="password_interactive" ;;

+        esac

+    done < <("$real_ssh" ${ssh_config_args[@]+"${ssh_config_args[@]}"} -G "$target" 2>/dev/null)

+

+    [[ -n "$target_user" && -n "$target_host" && -n "$target_port" ]]

+}

+

+run_real_ssh() {

+    exec "$real_ssh" ${ssh_config_args[@]+"${ssh_config_args[@]}"} "$@"

+}

+

+resolve_target_from_config() {

+    local target=$1

+    local default_user=${USER:-${LOGNAME:-}}

+    local user_override=""

+

+    case "$target" in

+        *@*)

+            user_override=${target%@*}

+            target=${target#*@}

+            ;;

+    esac

+

+    case "$target" in

+        is-jumper|192.168.2.100)

+            return 1

+            ;;

+        J1|J2|j1|j2)

+            target_is_jump=1

+            ;;

+    esac

+

+    resolve_ssh_config "$target" || return 1

+

+    if [[ -n "$user_override" ]]; then

+        target_user=$user_override

+    fi

+    if [[ -n "$user_option" ]]; then

+        target_user=$user_option

+    fi

+    if [[ -n "$port_option" ]]; then

+        target_port=$port_option

+    fi

+

+    # Unconfigured host (ssh -G returns defaults): bypass unless a custom jump

+    # was requested explicitly.

+    if [[ "$target_is_jump" -eq 0 && "$target_host" == "$target" && "$target_port" == "22" && "$target_user" == "$default_user" ]]; then

+        [[ $custom_jump_set -eq 0 ]] && return 1

+        host_configured=0

+    fi

+

+    [[ -n "$target_user" && -n "$target_host" && -n "$target_port" ]]

+}

+

+resolve_jump() {

+    local saved_user saved_host saved_port saved_auth

+

+    saved_user=$target_user

+    saved_host=$target_host

+    saved_port=$target_port

+    saved_auth=$target_auth

+

+    resolve_ssh_config "$jump_alias" || {

+        printf "ssh-wrapper: cannot resolve jump alias %s\n" "$jump_alias" >&2

+        exit 255

+    }

+

+    jump_user=$target_user

+    jump_host=$target_host

+    jump_port=$target_port

+

+    target_user=$saved_user

+    target_host=$saved_host

+    target_port=$saved_port

+    target_auth=$saved_auth

+}

+

+# Pre-process: extract custom jump flags and strip them from args.

+filtered_args=()

+for arg in "$@"; do

+    case "$arg" in

+        -J1) jump_alias="j1"; custom_jump_set=1 ;;

+        -J2) jump_alias="j2"; custom_jump_set=1 ;;

+        -j1) jump_alias="j1"; custom_jump_set=1 ;;

+        -j2) jump_alias="j2"; custom_jump_set=1 ;;

+        *) filtered_args+=("$arg") ;;

+    esac

+done

+set -- "${filtered_args[@]+"${filtered_args[@]}"}"

+

+if [[ -f "$ssh_config" ]] && ! has_explicit_config "$@"; then

+    ssh_config_args=(-F "$ssh_config")

+fi

+

+skip_next=0

+capture_user=0

+capture_port=0

+after_double_dash=0

+

+for arg in "$@"; do

+    if [[ $found_target -eq 1 ]]; then

+        cmd_args+=("$arg")

+        continue

+    fi

+

+    if [[ $capture_user -eq 1 ]]; then

+        user_option=$arg

+        capture_user=0

+        continue

+    fi

+

+    if [[ $capture_port -eq 1 ]]; then

+        port_option=$arg

+        capture_port=0

+        continue

+    fi

+

+    if [[ $skip_next -eq 1 ]]; then

+        skip_next=0

+        continue

+    fi

+

+    case "$arg" in

+        -G|-Q|-V|-h|--help)

+            run_real_ssh "$@"

+            ;;

+        --)

+            after_double_dash=1

+            continue

+            ;;

+    esac

+

+    if [[ $after_double_dash -eq 0 ]]; then

+        case "$arg" in

+            -s)

+                want_subsystem=1

+                continue

+                ;;

+            -l)

+                capture_user=1

+                continue

+                ;;

+            -l*)

+                user_option=${arg#-l}

+                continue

+                ;;

+            -p)

+                capture_port=1

+                continue

+                ;;

+            -p*)

+                port_option=${arg#-p}

+                continue

+                ;;

+            -b|-c|-D|-E|-e|-F|-I|-i|-J|-L|-m|-O|-o|-Q|-R|-S|-W|-w)

+                skip_next=1

+                continue

+                ;;

+            -b*|-c*|-D*|-E*|-e*|-F*|-I*|-i*|-J*|-L*|-m*|-O*|-o*|-Q*|-R*|-S*|-W*|-w*)

+                continue

+                ;;

+            -*)

+                continue

+                ;;

+        esac

+    fi

+

+    if ! resolve_target_from_config "$arg"; then

+        run_real_ssh "$@"

+    fi

+

+    found_target=1

+done

+

+if [[ $found_target -eq 0 ]]; then

+    run_real_ssh "$@"

+fi

+

+tty_flag="-tt"

+if [[ ${#cmd_args[@]} -gt 0 || $want_subsystem -eq 1 ]]; then

+    tty_flag="-T"

+fi

+

+if [[ $target_is_jump -eq 1 ]]; then

+    jump_cmd=(ssh "$tty_flag" -A -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new -p "$target_port" "$target_user@$target_host")

+    jump_cmd+=(${cmd_args[@]+"${cmd_args[@]}"})

+else

+    resolve_jump

+

+    final_cmd=(ssh "$tty_flag" -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new -o ProxyJump=none -o ProxyCommand=none)

+    if [[ "$target_auth" == "password_interactive" ]]; then

+        final_cmd+=( -o BatchMode=no -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no )

+    elif [[ $host_configured -eq 1 ]]; then

+        final_cmd+=( -o BatchMode=yes )

+    fi

+    if [[ $want_subsystem -eq 1 ]]; then

+        final_cmd+=( -s )

+    fi

+    final_cmd+=( -p "$target_port" "$target_user@$target_host" )

+    final_cmd+=(${cmd_args[@]+"${cmd_args[@]}"})

+