feat: add --no-wildcard flag to coder config-ssh by BobbyHo · Pull Request #26753 · coder/coder · GitHub

feat: add --no-wildcard flag to coder config-ssh #26753

Open
BobbyHo wants to merge 7 commits into main from coder-17153-cli

@BobbyHo BobbyHo commented Jun 26, 2026


Add --no-wildcard (CODER_CONFIGSSH_NO_WILDCARD) to coder config-ssh that generates an individual Host entry per workspace instead of a single wildcard block (Host *.coder).

The wildcard approach cannot be enumerated by third-party SSH clients, the VS Code Remote-SSH sidebar, or scripts that parse ~/.ssh/config to discover hosts. With --no-wildcard, each workspace gets its own entry so those tools work without Coder-specific extensions.

The flag is persisted in the config section header so re-running without it prompts the user about the option change. Workspaces are fetched with pagination before writing so the diff shows actual hostnames.

Manual testing

Unit tests (no server needed):

go test ./cli/ -run TestSSHConfigOptions_writeToBuffer -v
go test ./cli/ -run TestConfigSSH_NoWildcard -v

End-to-end with a dev server:

  1. Build: go build -o ./coder .
  2. Start dev server in a separate terminal: ./scripts/develop.sh
  3. Log in: ./coder login http://localhost:3000
  4. Create two workspaces
  5. Run both variants into temp files:

./coder config-ssh --no-wildcard --hostname-suffix coder --ssh-config-file /tmp/test-ssh-config --yes
./coder config-ssh --hostname-suffix coder --ssh-config-file /tmp/test-ssh-config-wildcard --yes
diff /tmp/test-ssh-config-wildcard /tmp/test-ssh-config

Output: --no-wildcard

# ------------START-CODER-----------
# This section is managed by coder. DO NOT EDIT.
#
# You should not hand-edit this section unless you are removing it, all
# changes will be lost when running "coder config-ssh".
#
# Last config-ssh options:
# :hostname-suffix=coder
# :no-wildcard=true
#
Host coder.myworkspace
    ConnectTimeout=0
    StrictHostKeyChecking=no
    UserKnownHostsFile=/dev/null
    LogLevel ERROR
    ProxyCommand <coder> --global-config <config> ssh --stdio --ssh-host-prefix coder. %h

Host coder.myworkspace2
    ConnectTimeout=0
    StrictHostKeyChecking=no
    UserKnownHostsFile=/dev/null
    LogLevel ERROR
    ProxyCommand <coder> --global-config <config> ssh --stdio --ssh-host-prefix coder. %h

Host myworkspace.coder
    ConnectTimeout=0
    StrictHostKeyChecking=no
    UserKnownHostsFile=/dev/null
    LogLevel ERROR

Match host myworkspace.coder !exec "<coder> connect exists %h"
    ProxyCommand <coder> --global-config <config> ssh --stdio --hostname-suffix coder %h

Host myworkspace2.coder
    ConnectTimeout=0
    StrictHostKeyChecking=no
    UserKnownHostsFile=/dev/null
    LogLevel ERROR

Match host myworkspace2.coder !exec "<coder> connect exists %h"
    ProxyCommand <coder> --global-config <config> ssh --stdio --hostname-suffix coder %h
# ------------END-CODER------------

Output: wildcard (default)

# ------------START-CODER-----------
# This section is managed by coder. DO NOT EDIT.
#
# You should not hand-edit this section unless you are removing it, all
# changes will be lost when running "coder config-ssh".
#
# Last config-ssh options:
# :hostname-suffix=coder
#
Host coder.*
    ConnectTimeout=0
    StrictHostKeyChecking=no
    UserKnownHostsFile=/dev/null
    LogLevel ERROR
    ProxyCommand <coder> --global-config <config> ssh --stdio --ssh-host-prefix coder. %h

Host *.coder
    ConnectTimeout=0
    StrictHostKeyChecking=no
    UserKnownHostsFile=/dev/null
    LogLevel ERROR

Match host *.coder !exec "<coder> connect exists %h"
    ProxyCommand <coder> --global-config <config> ssh --stdio --hostname-suffix coder %h
# ------------END-CODER------------

diff wildcard → --no-wildcard

8a9
> # :no-wildcard=true
10c11
< Host coder.*
---
> Host coder.myworkspace
17c18
< Host *.coder
---
> Host coder.myworkspace2
21a23
>     ProxyCommand <coder> ssh --stdio --ssh-host-prefix coder. %h
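Review bot: the ProxyCommand line added in hunk 21a23 omits `--global-config <config>`, while the same line in the full --no-wildcard output above reads `ProxyCommand <coder> --global-config <config> ssh --stdio --ssh-host-prefix coder. %h`. Please regenerate the diff from the same run as the two outputs, or state which form the flag actually writes, so a reader can tell which ProxyCommand ends up in the file.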
23c25,31
< Match host *.coder !exec "<coder> connect exists %h"
---
> Host myworkspace.coder
>     ConnectTimeout=0
>     StrictHostKeyChecking=no
>     UserKnownHostsFile=/dev/null
>     LogLevel ERROR
>
> Match host myworkspace.coder !exec "<coder> connect exists %h"
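Review bot: the diff ends with hunk 23c25,31, but the full --no-wildcard output above also contains a `Host myworkspace2.coder` stanza and a `Match host myworkspace2.coder` block that the wildcard output has no counterpart for, so a further hunk adding them is expected. Please paste the complete diff so it matches the two outputs shown.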

Closes #17153 (Phase 1: CLI flag)

@BobbyHo BobbyHo marked this pull request as ready for review June 26, 2026 20:43
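
The discoverability argument in the description, and the scope of the `StrictHostKeyChecking=no` option visible in both outputs, checked by a small parser over the managed section. This is an added example, not code from the pull request or from coder/coder; `HostBlock`, `AuditManaged` and the abbreviated sample configs (including the `Host bastion` entry outside the managed section) are constructed for illustration.

```go
package main

import "fmt"
import "strings"

// HostBlock is one Host stanza inside the Coder-managed section.
type HostBlock struct {
	Patterns       []string
	Wildcard       bool // a pattern contains * or ?, so its hosts cannot be listed
	NoHostKeyCheck bool // the stanza sets StrictHostKeyChecking=no
}
// Constructed samples, abbreviated from the two outputs in the PR description.
const head, tail = "Host bastion\n# ------------START-CODER-----------\n", "# ------------END-CODER------------\n"
const opts = "\n  StrictHostKeyChecking=no\n  UserKnownHostsFile=/dev/null\n  LogLevel ERROR\n"
const wildcardCfg = head + "Host coder.*" + opts + "Host *.coder" + opts + tail
const perHostCfg = head + "Host coder.myworkspace" + opts + "Host myworkspace.coder" + opts + "Match host myworkspace.coder !exec \"x\"\n" + tail

// AuditManaged returns the managed Host stanzas and the host names a tool can list.
func AuditManaged(cfg string) (out []HostBlock, names []string) {
	inside, cur := false, -1 // cur indexes the open Host stanza, -1 if none
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "#") && strings.Contains(line, "-CODER-") {
			inside, cur = strings.Contains(line, "START-CODER"), -1 // section marker
		}
		f := strings.FieldsFunc(line, func(r rune) bool { return r == ' ' || r == '\t' || r == '=' }) // "Key Value" or "Key=Value"
		if !inside || len(f) < 2 || strings.HasPrefix(line, "#") {
			continue
		}
		switch strings.ToLower(f[0]) {
		case "host":
			out = append(out, HostBlock{Patterns: f[1:], Wildcard: strings.ContainsAny(line, "*?")})
			if cur = len(out) - 1; !out[cur].Wildcard {
				names = append(names, f[1:]...)
			}
		case "match":
			cur = -1 // options that follow belong to the Match block
		case "stricthostkeychecking":
			if cur >= 0 && strings.EqualFold(f[1], "no") {
				out[cur].NoHostKeyCheck = true
			}
		}
	}
	return out, names
}

func main() {
	fmt.Println(AuditManaged(wildcardCfg))
	fmt.Println(AuditManaged(perHostCfg))
}
```

In the wildcard sample the disabled host-key check covers every name matching `coder.*` or `*.coder` and no host can be listed; in the per-workspace sample it covers only the listed names, which are also the ones a client can enumerate.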
@BobbyHo BobbyHo changed the title feat(cli/configssh): add --no-wildcard flag to config-ssh feat: add --no-wildcard flag to coder config-ssh Jun 26, 2026
Development

Successfully merging this pull request may close these issues.

A flag to NOT use a wildcard in the ssh config
