fix(sshConn): evaluate Match exec blocks and honour ProxyJump=none

pretty resolves ssh_config entries for every target and every jump
host, but the sshconfig.Context passed to the resolver left
Context.Exec unset. The ssh_config library silently evaluates every
'Match host X exec "..."' block as non-matching when Exec is nil, so
directives that pick a reachable jump host dynamically - common in
corporate configs, e.g.

    Match host jump-alias exec "nc -zG 1 primary.example.net 22"
        HostName primary.example.net
    Match host jump-alias exec "nc -zG 1 secondary.example.net 22"
        HostName secondary.example.net

never applied. Their HostName override was skipped, the alias stayed
literal, and the connection failed at DNS resolution with 'no such
host'.

Fix: wire an Exec callback through the resolver.

  - Introduce shellMatchExec: runs the already-token-expanded command
    via /bin/sh -c (cmd.exe /C on Windows), with stdin/stdout/stderr
    detached and a 10s timeout cap so a misbehaving probe can't hang
    the CLI.
  - Expose it via a package-level matchExecFunc var so tests can stub
    exec evaluation deterministically without shelling out. This
    matches the existing stubbing pattern used for connectionFunc /
    sessionFunc.
  - Pass matchExecFunc as Context.Exec from SSHConfigResolver.resolve
    so every host and jump-host resolution benefits without any caller
    changes in cmd/.

Follow-on correctness fix surfaced by the above: once Match exec
starts actually firing, 'Match originalhost "jump-*" ProxyJump none'
patterns produce ProxyJump="none". OpenSSH treats that as an explicit
opt-out that cancels inherited ProxyJump rules, but pretty was parsing
it as a literal jump host named "none" and trying to dial it.
ResolveHost now drops 'none' before calling ParseProxyJump, and
ParseProxyJump also collapses to an empty slice whenever any component
equals "none" (case insensitive), guaranteeing no caller ever sees
the sentinel.

Tests:

  - TestResolveHostMatchExecApplies: first matching exec probe wins
    and its HostName is returned.
  - TestResolveHostMatchExecAllFailKeepsAlias: when every probe fails
    the alias is left unchanged.
  - TestShellMatchExecSucceedsForTrue / FailsForFalse / EmptyCmd: pin
    the default shell callback's semantics on POSIX.
  - TestParseProxyJumpNoneDisablesJumps: covers 'none', 'None', 'NONE',
    and surrounding whitespace.
  - TestResolveHostProxyJumpNoneClearsJumps: end-to-end sanity check
    that a specific-block ProxyJump=none beats a wildcard block and
    results in zero jumps.

No changes required in ncode/ssh_config: it already parses Match exec
and expands %-tokens correctly; it just needs the caller to provide a
runtime Exec callback, which is this change.

Author: ncode

internal/sshConn/config.go

@@ -1,18 +1,64 @@
 package sshConn
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
+	"os/exec"
 	"os/user"
 	"path/filepath"
+	"runtime"
 	"strconv"
 	"strings"
+	"time"
 
 	sshconfig "github.com/ncode/ssh_config"
 	"golang.org/x/crypto/ssh"
 )
 
+// matchExecTimeout bounds how long a `Match ... exec "..."` probe may run.
+// OpenSSH itself does not impose a timeout, but pretty resolves many hosts in
+// a row (including per-host ProxyJump resolution) so we cap each probe to
+// avoid hanging the CLI if a user's exec command never returns.
+const matchExecTimeout = 10 * time.Second
+
+// matchExecFunc evaluates `Match ... exec "<cmd>"` directives. It is a package
+// variable so tests can substitute a deterministic stub without shelling out.
+// It must return (true, nil) if the command exits with status 0, (false, nil)
+// otherwise, and only return a non-nil error for conditions the caller should
+// surface (currently unused by the resolver because we do not opt into strict
+// mode).
+var matchExecFunc = shellMatchExec
+
+// shellMatchExec runs cmd via the local shell (sh -c / cmd /C on Windows) and
+// reports whether it succeeded. The command has already had its %-tokens
+// expanded by ssh_config before this function is invoked.
+func shellMatchExec(cmd string) (bool, error) {
+	if strings.TrimSpace(cmd) == "" {
+		return false, nil
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), matchExecTimeout)
+	defer cancel()
+
+	var c *exec.Cmd
+	if runtime.GOOS == "windows" {
+		c = exec.CommandContext(ctx, "cmd", "/C", cmd)
+	} else {
+		c = exec.CommandContext(ctx, "/bin/sh", "-c", cmd)
+	}
+	c.Stdin = nil
+	c.Stdout = nil
+	c.Stderr = nil
+
+	if err := c.Run(); err != nil {
+		// Any non-zero exit or failure to launch counts as "did not match",
+		// mirroring OpenSSH's treatment of Match exec probes.
+		return false, nil
+	}
+	return true, nil
+}
+
 type SSHConfigPaths struct {
 	User   string
 	System string
@@ -134,7 +180,10 @@ func (r *SSHConfigResolver) ResolveHost(spec HostSpec, fallbackUser string) (Res
 	if err != nil {
 		return ResolvedHost{}, err
 	}
-	if proxyJump != "" {
+	// OpenSSH treats `ProxyJump none` as an explicit opt-out that cancels
+	// ProxyJump inherited from broader-matching blocks. Skip parsing in that
+	// case so we don't try to dial the literal host "none".
+	if proxyJump != "" && !strings.EqualFold(strings.TrimSpace(proxyJump), "none") {
 		resolved.ProxyJump = ParseProxyJump(proxyJump)
 	}
 
@@ -200,7 +249,18 @@ func (r *SSHConfigResolver) resolve(cfg *sshconfig.Config, alias string) (*sshco
 	if cfg == nil {
 		return nil, nil
 	}
-	ctx := sshconfig.Context{HostArg: alias, OriginalHost: alias, LocalUser: currentUser()}
+	ctx := sshconfig.Context{
+		HostArg:      alias,
+		OriginalHost: alias,
+		LocalUser:    currentUser(),
+		// Providing Exec enables `Match host X exec "..."` blocks to be
+		// evaluated. Without it the library silently treats every exec
+		// predicate as non-matching, which causes directives like
+		//     Match host jump-alias exec "nc -zG 1 primary.example.net 22"
+		//         HostName primary.example.net
+		// to be skipped, leaving the alias unresolvable via DNS.
+		Exec: matchExecFunc,
+	}
 	return cfg.Resolve(ctx)
 }
 
@@ -231,14 +291,22 @@ func expandPath(path string) string {
 	return path
 }
 
+// ParseProxyJump splits a ProxyJump value into individual jump hosts. Empty
+// components are dropped, and the OpenSSH "none" sentinel (which disables
+// ProxyJump) collapses the result to an empty slice so callers never try to
+// dial a literal host named "none".
 func ParseProxyJump(value string) []string {
 	parts := strings.Split(value, ",")
 	jumps := make([]string, 0, len(parts))
 	for _, part := range parts {
 		trimmed := strings.TrimSpace(part)
-		if trimmed != "" {
-			jumps = append(jumps, trimmed)
+		if trimmed == "" {
+			continue
+		}
+		if strings.EqualFold(trimmed, "none") {
+			return nil
 		}
+		jumps = append(jumps, trimmed)
 	}
 	return jumps
 }

internal/sshConn/config_test.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"testing"
 
 	"golang.org/x/crypto/ssh"
@@ -181,6 +182,112 @@ func TestLoadIdentityFilesReturnsErrorForMalformedPrivateKey(t *testing.T) {
 	}
 }
 
+func TestResolveHostMatchExecApplies(t *testing.T) {
+	// Models the production pattern where a jump alias resolves to a concrete
+	// HostName only when the probe command succeeds, e.g.:
+	//   Match host jump-alias exec "nc -zG 1 primary.example.net 22"
+	//       HostName primary.example.net
+	cfg := `Match host jump-alias exec "probe-primary"
+  HostName primary.example.net
+Match host jump-alias exec "probe-secondary"
+  HostName secondary.example.net
+`
+	userCfg := writeTempConfig(t, cfg)
+	resolver, err := LoadSSHConfig(SSHConfigPaths{User: userCfg})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	var seen []string
+	stubExec(t, func(cmd string) (bool, error) {
+		seen = append(seen, cmd)
+		return cmd == "probe-primary", nil
+	})
+
+	resolved, err := resolver.ResolveHost(HostSpec{Host: "jump-alias"}, "me")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if resolved.Host != "primary.example.net" {
+		t.Fatalf("expected primary HostName from matching exec block, got %q", resolved.Host)
+	}
+	if len(seen) == 0 {
+		t.Fatalf("expected exec callback to be invoked, got no calls")
+	}
+}
+
+func TestResolveHostMatchExecAllFailKeepsAlias(t *testing.T) {
+	cfg := `Match host jump-alias exec "probe-primary"
+  HostName primary.example.net
+Match host jump-alias exec "probe-secondary"
+  HostName secondary.example.net
+`
+	userCfg := writeTempConfig(t, cfg)
+	resolver, err := LoadSSHConfig(SSHConfigPaths{User: userCfg})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	stubExec(t, func(cmd string) (bool, error) { return false, nil })
+
+	resolved, err := resolver.ResolveHost(HostSpec{Host: "jump-alias"}, "me")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	// With every exec probe failing, no HostName override applies and the
+	// alias stays as-is - this is the same state that previously surfaced as
+	// a DNS "no such host" when wiring was missing entirely.
+	if resolved.Host != "jump-alias" {
+		t.Fatalf("expected alias to remain when all exec probes fail, got %q", resolved.Host)
+	}
+}
+
+func TestShellMatchExecSucceedsForTrue(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("POSIX shell not available on Windows CI images")
+	}
+	ok, err := shellMatchExec("true")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !ok {
+		t.Fatal("expected true command to succeed")
+	}
+}
+
+func TestShellMatchExecFailsForFalse(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("POSIX shell not available on Windows CI images")
+	}
+	ok, err := shellMatchExec("false")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if ok {
+		t.Fatal("expected false command to report non-match")
+	}
+}
+
+func TestShellMatchExecEmptyCmd(t *testing.T) {
+	ok, err := shellMatchExec("   ")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if ok {
+		t.Fatal("expected empty command to report non-match")
+	}
+}
+
+// stubExec replaces the package-level matchExecFunc for the duration of a test
+// and restores it on cleanup. This keeps Match exec evaluation deterministic
+// without shelling out.
+func stubExec(t *testing.T, fn func(cmd string) (bool, error)) {
+	t.Helper()
+	orig := matchExecFunc
+	matchExecFunc = fn
+	t.Cleanup(func() { matchExecFunc = orig })
+}
+
 func TestClientConfigForCombinedAuth(t *testing.T) {
 	socketPath := startTestAgent(t)
 	t.Setenv("SSH_AUTH_SOCK", socketPath)
@@ -206,6 +313,40 @@ func TestParseProxyJump(t *testing.T) {
 	}
 }
 
+func TestParseProxyJumpNoneDisablesJumps(t *testing.T) {
+	// OpenSSH: `ProxyJump none` cancels any inherited ProxyJump; it must not
+	// be treated as a literal hop.
+	for _, in := range []string{"none", "None", "NONE", "  none  "} {
+		if got := ParseProxyJump(in); len(got) != 0 {
+			t.Fatalf("ParseProxyJump(%q) = %v, want empty", in, got)
+		}
+	}
+}
+
+func TestResolveHostProxyJumpNoneClearsJumps(t *testing.T) {
+	// OpenSSH: first matching directive wins for single-valued options, so
+	// the specific block declaring `ProxyJump none` must come before the
+	// wildcard block that sets a jump. The resolved value must collapse to
+	// no jumps rather than the literal host "none".
+	cfg := `Host solo.internal
+  ProxyJump none
+Host *.internal
+  ProxyJump jump1
+`
+	userCfg := writeTempConfig(t, cfg)
+	resolver, err := LoadSSHConfig(SSHConfigPaths{User: userCfg})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	resolved, err := resolver.ResolveHost(HostSpec{Host: "solo.internal"}, "me")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(resolved.ProxyJump) != 0 {
+		t.Fatalf("expected no proxy jumps when ProxyJump=none wins, got %v", resolved.ProxyJump)
+	}
+}
+
 func TestResolveProxyJumpSingle(t *testing.T) {
 	cfg := "Host target\n  ProxyJump jump1\n"
 	userCfg := writeTempConfig(t, cfg)