multiple Host entries in ssh_config

Vincent.McIntyre at Vincent.McIntyre at
Wed Sep 28 17:15:24 EST 2005

> Yes, the config keywords are first-match.  Why?  Dunno, but it's been
> that way for a long time.

To clarify, you're saying keywords are first-match-wins-all?

> It does mean you can use a leading "Host *" block as a global override,
> and a trailing "Host *" as a global default.
> This ought to do what you want:
> 	# match local domain
> 	Host *.my.domain
> 		ForwardX11 yes
> 	# match any other qualified domain
> 	Host *.*
> 		ForwardX11 no
> 	# match remaining (local) hosts
> 	Host *
> 		ForwardX11 yes

In fact it does. I had actually tried this ordering.
I think I was getting thrown off by seeing

  debug1: Applying options for *.*
  debug1: Applying options for *

in the log, which made me think that perhaps last-match-wins applied.

Also I think I had a "ForwardX11Trusted yes" in each stanza as well,
which I had not commented out.

Thanks for the quick reply.
Attached is a suggested patch to ssh_config.5 for the 4.2 release that
I think would help the next person with this problem.
Should I open a bug, or is posting here enough?


-------------- next part --------------
--- ssh_config.5.orig	Wed Sep 28 16:49:53 2005
+++ ssh_config.5	Wed Sep 28 17:12:47 2005
@@ -115,6 +115,22 @@
 .Ar hostname
 argument given on the command line (i.e., the name is not converted to
 a canonicalized host name before matching).
+As noted above, the first value obtained for any particular parameter is
+the one that will be used (first-match-wins). So if you have multiple
+.Cm Host
+statements, put the more specific ones earlier in the config file.
+More than one of these
+.Cm Host
+statements may be matched during
+.Nm ssh
+startup (the matches will be noted in the debug output given by the
+.Nm -v 
+switch for
+.Nm ssh
+), but only the value from the first matching
+.Cm Host
+specification will actually be used.
 .It Cm AddressFamily
 Specifies which address family to use when connecting.
 Valid arguments are
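Review bot: The closing added sentence ("only the value from the first matching Host specification will actually be used") can be read as saying later matching Host blocks are ignored entirely, which conflicts with the first added sentence. The rule is per parameter, so a later matching block still supplies any parameter that has not been set yet. Suggest wording along the lines of "for each parameter, only the first value obtained is used". Separately, `.Nm -v` marks the switch as a command name; a flag is normally written `.Fl v`. That line also carries trailing whitespace, and the `)` that starts the line after `.Nm ssh` will render detached from "ssh", so the closing punctuation is better passed as an argument on the `.Nm ssh` line.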

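The first-match behaviour discussed in this thread, as an added example that is not part of the original post or of OpenSSH: a simplified Python model of how `Host` blocks are applied, showing why the debug log lists several matching blocks while each keyword keeps its first value. The function name `resolve` and the sample config are assumptions made for illustration; the model handles only `*` and `?` wildcards.

```python
import fnmatch

# Constructed sample: the ordering recommended in the thread, with a
# ForwardX11Trusted line added to the last block (constructed) to show a
# later matching block still contributing a keyword.
SAMPLE_CONFIG = """\
# match local domain
Host *.my.domain
    ForwardX11 yes
# match any other qualified domain
Host *.*
    ForwardX11 no
# match remaining (local) hosts
Host *
    ForwardX11 yes
    ForwardX11Trusted yes
"""


def resolve(config_text, host):
    """Return (matched_patterns, effective_options) for host.

    Simplified model: only '*' and '?' wildcards, no negation, no Match.
    """
    applied = []      # patterns whose block matched, in file order
    effective = {}    # keyword (lowercased) -> first value obtained
    active = True     # options before the first Host line apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            hit = next((p for p in value.split()
                        if fnmatch.fnmatchcase(host.lower(), p.lower())), None)
            active = hit is not None
            if active:
                applied.append(hit)
            continue
        if active:
            # First value obtained wins; later matching blocks can only
            # supply keywords that are still unset.
            effective.setdefault(keyword, value)
    return applied, effective
```

For a host such as `www.example.com`, the `applied` list contains both `*.*` and `*`, mirroring the two "Applying options" debug lines quoted above, while `forwardx11` stays at the value from the first of them.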