== You can have many matching stanzas in your ((ssh_config)) When I started writing my ((ssh_config)), years and years ago, I basically assumed that how you used it was that you had a '_Host *_' stanza that set defaults and then for each host you might have a specific '_Host _' stanza (perhaps with some wildcards to group several hosts together). This is the world that looks like: .pn prewrap on > Host * > StrictHostKeyChecking no > ForwardX11 no > Compression on > > Host github.com > IdentityFile /u/cks/.ssh/ids/github And so on (maybe [[with a generic identity in the default stanza SSHConfigIdentities]]). What I have only belatedly and slowly come to understand is that stanzas in ((ssh_config)) do not have to be used in just this limited way. ~~Any number of stanzas can match and apply settings~~, not just two of them, and you can exploit this to do interesting things in your ((ssh_config)), including making up for a limitation in the pattern matching that _Host_ supports. As the ((ssh_config)) manpage says explicitly, the first version of an option encountered is the one that's used. Right away this means that you may want to have two '_Host *_' stanzas, one at the start to set options that you never, ever want overridden, and one at the end with genuine defaults that other entries might want to override. Of course you can have more '_Host *_' stanzas than this; for example, you could have a separate stanza for experimental settings (partly to keep them clearly separate, and partly to make them easy to disable by just changing the '_*_' to something that won't match). Another use of multiple stanzas is to make up for an annoying limitation of the ((ssh_config)) pattern matching. Here's where I present the setup first and explain it later: > Host *.cs *.cs.toronto.edu > [some options] > > Host * !*.* > [the same options] Here what I really want is a single _Host_ stanza that applies to 'a hostname with no dots or one in the following (sub)domains'. Unfortunately the current pattern language has no way of expressing this directly, so instead I've split it into two stanzas. I have to repeat the options I'm setting, but this is tolerable if I care enough. (At this point one might suggest that _CanonicalizeHostname_ could be the solution instead. For reasons beyond the scope of this entry I prefer for ssh to leave this to my system's resolver.) There are undoubtedly other things one can do with multiple _Host_ entries (or multiple _Match_ entries) once you free yourself from the shackles of thinking of them only as default settings plus host specific settings. I know I have to go through my ((.ssh/config)) and the ((ssh_config)) manpage with an eye to what I can do here.