# SSH Config File Structure
## Rule
SSH config files MUST have specific hosts before wildcards, include security defaults in Host *, use IdentitiesOnly, and organize by host category.
## Format
```bash
# ~/.ssh/config — Organized in this order:
# ─── Service Hosts ─────────────────────────────────
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/github_ed25519
    IdentitiesOnly yes
Host gitlab.com
    HostName gitlab.com
    User git
    IdentityFile ~/.ssh/gitlab_ed25519
    IdentitiesOnly yes
# ─── Work Infrastructure ──────────────────────────
Host bastion
    HostName bastion.work.com
    User admin
    IdentityFile ~/.ssh/work_ed25519
    IdentitiesOnly yes
Host work-*
    ProxyJump bastion
    User admin
    IdentityFile ~/.ssh/work_ed25519
    # IdentitiesOnly is inherited from the Host * block below
# ─── Personal Servers ─────────────────────────────
Host homelab
    HostName 192.168.1.100
    User pi
    IdentityFile ~/.ssh/personal_ed25519
# ─── Default Settings (MUST BE LAST) ──────────────
Host *
    AddKeysToAgent yes
    IdentitiesOnly yes
    ServerAliveInterval 60
    ServerAliveCountMax 3
    ControlMaster auto
    # the socket directory must exist: mkdir -m 700 ~/.ssh/sockets
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600
    HashKnownHosts yes
```
## Requirements
1. **Specific hosts before wildcards** — for each option ssh keeps the first value it obtains, so a wildcard block placed earlier silently overrides the specific host's settings
2. **IdentitiesOnly yes** — offers only the IdentityFile configured for that host instead of every key loaded in the agent
3. **Host * at the bottom** — defaults for every host, applied only where no earlier block set the option
4. **Section comments** — group hosts by category
5. **No ForwardAgent in `Host *`** — enable agent forwarding per trusted host only
## Good
```bash
Host github.com
    IdentityFile ~/.ssh/github_ed25519
    IdentitiesOnly yes
# Specific host, specific key, no other keys tried
```
## Bad
```bash
Host *
    # DANGEROUS: forwards the agent to every host
    ForwardAgent yes
Host github.com
    IdentityFile ~/.ssh/github_ed25519
# Wildcard before specific host: every option Host * sets wins for
# github.com too, and the specific block cannot override it
```
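The ordering and IdentitiesOnly rules above, and the Good/Bad contrast, come down to how ssh(1) resolves a config: for most options the first value obtained wins, while IdentityFile (and a few others) accumulate across every matching block. The following script is an added example, not part of this page: it resolves the effective options for a host and lints a config against the Requirements list. It assumes plain `Host` blocks only (no `Match`, `Include` or `!pattern` negation), and fnmatch-style patterns, which are close to but not identical to ssh's own matcher. `GOOD_CONFIG` is a trimmed copy of the Format section; `BAD_CONFIG` is a constructed variant of the Bad section with a wildcard IdentityFile added.

```python
"""Resolve and lint an ssh_config the way ssh(1) reads it (added example, not from
the page). Assumes plain Host blocks only (no Match, Include or !pattern) and
fnmatch-style patterns, which are close to but not identical to ssh's matcher."""
from fnmatch import fnmatchcase

# Options ssh collects from every matching block instead of keeping the first value.
LIST_OPTIONS = {"identityfile", "certificatefile", "localforward", "remoteforward", "sendenv"}

# Trimmed copy of the page's Format section.
GOOD_CONFIG = """
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/github_ed25519
    IdentitiesOnly yes
Host bastion
    HostName bastion.work.com
    User admin
    IdentityFile ~/.ssh/work_ed25519
Host work-*
    ProxyJump bastion
    User admin
    IdentityFile ~/.ssh/work_ed25519
Host *
    AddKeysToAgent yes
    IdentitiesOnly yes
"""

# Constructed: the page's Bad section plus a wildcard IdentityFile.
BAD_CONFIG = """
Host *
    ForwardAgent yes
    IdentityFile ~/.ssh/id_ed25519
Host github.com
    User git
    IdentityFile ~/.ssh/github_ed25519
"""


def parse_ssh_config(text):
    """Return [(patterns, {option: [values]})] in file order. Options before the
    first Host line apply everywhere, so they go into an implicit 'Host *' block."""
    blocks, patterns, opts = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if patterns is not None:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
            continue
        if patterns is None:
            patterns, opts = ["*"], {}
        opts.setdefault(key, []).append(value)
    if patterns is not None:
        blocks.append((patterns, opts))
    return blocks


def host_matches(patterns, host):
    return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)


def effective_config(blocks, host):
    """ssh's rule: the first value obtained for an option wins and later blocks
    cannot override it; LIST_OPTIONS accumulate from every matching block."""
    result = {}
    for patterns, opts in blocks:
        if not host_matches(patterns, host):
            continue
        for key, values in opts.items():
            if key in LIST_OPTIONS:
                result.setdefault(key, []).extend(values)
            else:
                result.setdefault(key, values[0])
    return result


def lint(blocks):
    """Check the page's rules: Host * last, no ForwardAgent under a wildcard, no
    specific-host option shadowed by an earlier block, IdentitiesOnly for keyed hosts."""
    findings = []
    for index, (patterns, opts) in enumerate(blocks):
        label = "Host " + " ".join(patterns)
        is_wildcard = any(ch in p for p in patterns for ch in "*?")
        if patterns == ["*"] and index != len(blocks) - 1:
            findings.append(f"{label}: catch-all block must be last")
        if is_wildcard and opts.get("forwardagent", ["no"])[0].lower() != "no":
            findings.append(f"{label}: ForwardAgent enabled under a wildcard pattern")
        if is_wildcard:
            continue
        for host in patterns:
            earlier = effective_config(blocks[:index], host)
            shadowed = sorted(k for k in opts if k not in LIST_OPTIONS and k in earlier)
            if shadowed:
                findings.append(f"{label}: {', '.join(shadowed)} already fixed by an earlier block, ignored")
            effective = effective_config(blocks, host)
            if "identityfile" in effective and effective.get("identitiesonly", "").lower() != "yes":
                findings.append(f"{label}: IdentityFile set but IdentitiesOnly is not yes")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        blocks = parse_ssh_config(text)
        print(name, "findings:", lint(blocks) or "none")
        print(name, "github.com ->", effective_config(blocks, "github.com"))
```

Running it shows why the page's `Host *` block sets defaults but no key: in `BAD_CONFIG` the resolved `identityfile` for github.com is both the wildcard key and the GitHub key, because IdentityFile accumulates rather than being overridden, so even `IdentitiesOnly yes` would still offer the wildcard key. `ssh -G github.com` prints the same resolved view from the real client and is the quickest way to confirm an edit to the file behaves as intended.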