You can have many matching stanzas in your
When I started writing my
ssh_config, years and years ago, I
basically assumed that how you used it was that you had a '
*' stanza that set defaults and then for each host you might have
a specific '
Host <somehost>' stanza (perhaps with some wildcards
to group several hosts together). This is the world that looks like:
Host * StrictHostKeyChecking no ForwardX11 no Compression on Host github.com IdentityFile /u/cks/.ssh/ids/github
And so on (maybe with a generic identity in the default stanza).
What I have only belatedly and slowly come to understand is
that stanzas in
ssh_config do not have to be used in just
this limited way. Any number of stanzas can match and apply
settings, not just two of them, and you can exploit this to
do interesting things in your
ssh_config, including making
up for a limitation in the pattern matching that
ssh_config manpage says explicitly, the first version
of an option encountered is the one that's used. Right away this
means that you may want to have two '
Host *' stanzas, one at the
start to set options that you never, ever want overridden, and one
at the end with genuine defaults that other entries might want to
override. Of course you can have more '
Host *' stanzas than this;
for example, you could have a separate stanza for experimental
settings (partly to keep them clearly separate, and partly to make
them easy to disable by just changing the '
*' to something that
Another use of multiple stanzas is to make up for an annoying
limitation of the
ssh_config pattern matching. Here's where
I present the setup first and explain it later:
Host *.cs *.cs.toronto.edu [some options] Host * !*.* [the same options]
Here what I really want is a single
Host stanza that applies to
'a hostname with no dots or one in the following (sub)domains'.
Unfortunately the current pattern language has no way of expressing
this directly, so instead I've split it into two stanzas. I have
to repeat the options I'm setting, but this is tolerable if I care
(At this point one might suggest that
be the solution instead. For reasons beyond the scope of this entry
I prefer for ssh to leave this to my system's resolver.)
There are undoubtedly other things one can do with multiple
entries (or multiple
Match entries) once you free yourself from
the shackles of thinking of them only as default settings plus host
specific settings. I know I have to go through my
ssh_config manpage with an eye to what I can do here.