SSH Config Wildcard Defaults (Host *)
Configure global SSH defaults using the Host * wildcard block. Set AddKeysToAgent, ServerAliveInterval, and default IdentityFile for all connections.
Best Practices
Detailed Explanation
SSH Config Wildcard Defaults
The Host * block in your SSH config matches all hosts and provides sensible defaults. It should be placed at the end of your config file, as SSH uses the first matching value for each directive.
Recommended Defaults
Host *
    AddKeysToAgent yes
    IdentitiesOnly yes
    ServerAliveInterval 60
    ServerAliveCountMax 3
    IdentityFile ~/.ssh/id_ed25519
Directive Priority
SSH processes the config file top to bottom and uses the first matching value for each directive. This means:
- Specific Host blocks should come first
- Pattern-based blocks (Host *.example.com) in the middle
- Host * at the very end
Example:
# Specific host (checked first)
Host web-server
    HostName 10.0.1.10
    User deploy
    Port 2222

# Pattern match (checked second)
Host *.internal.company.com
    User admin
    IdentityFile ~/.ssh/id_ed25519_work

# Wildcard defaults (checked last)
Host *
    AddKeysToAgent yes
    ServerAliveInterval 60
    ServerAliveCountMax 3
Recommended Global Settings
| Directive | Effect | Purpose |
|---|---|---|
| AddKeysToAgent yes | Caches keys in agent after first use | Avoids repeated passphrase prompts |
| ServerAliveInterval 60 | Sends keepalive every 60 seconds | Prevents idle timeout disconnections |
| ServerAliveCountMax 3 | Allows 3 missed keepalives | Detects dead connections after ~3 minutes |
| IdentitiesOnly yes | Only use configured keys | Prevents key-enumeration issues |
Settings to Avoid in Wildcard
- ForwardAgent yes: Security risk; enable per-host only
- StrictHostKeyChecking no: Disables MITM protection; use per-host only
- Compression yes: Slows fast connections; enable only for slow links
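The ordering rule and the settings to avoid can be checked mechanically. The following is an added example, not part of the original page: a small Python linter that resolves the effective value of each directive with first-match-wins semantics and flags a Host * block that is misplaced or carries one of the three settings listed above. It assumes a simplified config (no Match or Include, IdentityFile treated as single-valued), and the sample configs and the user name nobody are constructed.

```python
import fnmatch
# Settings the page says to keep out of "Host *" (directive -> risky value).
RISKY_IN_WILDCARD = {"forwardagent": "yes", "stricthostkeychecking": "no", "compression": "yes"}

def parse(text):
    """Return [(patterns, {directive: value})] in file order (no Match/Include support)."""
    blocks = [(["*"], {})]  # directives before the first Host line apply to every host
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # a repeated directive keeps its first value
    return blocks

def matches(patterns, host):
    """True if a positive pattern matches and no negated (!) pattern does."""
    hit = lambda pats: any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in pats)
    neg = [p[1:] for p in patterns if p.startswith("!")]
    return hit(p for p in patterns if not p.startswith("!")) and not hit(neg)

def effective(blocks, host):
    """First matching value wins. Simplification: real ssh accumulates IdentityFile entries."""
    result = {}
    for patterns, opts in blocks:
        if matches(patterns, host):
            result = {**opts, **result}  # values already set by earlier blocks take precedence
    return result

def audit(blocks):
    """Flag a non-empty "Host *" block that is not last or carries a risky setting."""
    findings = []
    for i, (patterns, opts) in enumerate(blocks):
        if patterns == ["*"] and opts:
            if i < len(blocks) - 1:
                findings.append("Host * is not the last block; its values win over later blocks")
            findings += [f"Host * sets {k} {v}; enable per-host only"
                         for k, v in RISKY_IN_WILDCARD.items() if opts.get(k, "").lower() == v]
    return findings

# Constructed samples: BAD puts the wildcard first; GOOD puts it last, ForwardAgent per-host.
BAD = "Host *\n  User nobody\n  ForwardAgent yes\nHost web-server\n  HostName 10.0.1.10\n  User deploy\n"
GOOD = "Host web-server\n  HostName 10.0.1.10\n  User deploy\n  ForwardAgent yes\nHost *\n  User nobody\n"
if __name__ == "__main__":
    for name, text in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, effective(parse(text), "web-server").get("user"), audit(parse(text)))
```

With the BAD sample, web-server resolves to User nobody because the wildcard block is read first; on a machine with OpenSSH installed, `ssh -G web-server` prints the values the real client would use.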
Use Case
Any SSH user who wants consistent, secure defaults across all connections without duplicating configuration in every Host block.