sshconfig-lint 0.4.0

Linter for OpenSSH client config files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

# sshconfig-lint

Lint your `~/.ssh/config` for common mistakes.

Checks for duplicate host blocks, missing identity files, wildcard ordering problems, weak algorithms, duplicate directives, and more. Supports `Include` directives with cycle detection.

https://github.com/user-attachments/assets/4d995679-baed-4f20-9ba8-8f3ec94c64fd

## Install

### Quick install (Linux / macOS)

```bash
curl -fsSL https://raw.githubusercontent.com/Noah4ever/sshconfig-lint/main/install.sh | bash
```

Set `VERSION=v0.1.0` or `INSTALL_DIR=~/.local/bin` to override defaults.

### macOS (Homebrew)
```bash
brew tap Noah4ever/tap
brew install sshconfig-lint
```
optional `untap Noah4ever/tap` to remove the tap and keep the tap list clean

### Cargo

```bash
cargo install sshconfig-lint
```

### AUR
[sshconfig-lint-bin](https://aur.archlinux.org/packages/sshconfig-lint-bin/) - pre-built binaries

```bash
yay -S sshconfig-lint-bin
```
```bash
paru -S sshconfig-lint-bin
```

### Pre-built binaries

Grab a binary from the [releases page](https://github.com/Noah4ever/sshconfig-lint/releases).

## Usage

```bash
# lint the default ~/.ssh/config
sshconfig-lint

# lint a specific file
sshconfig-lint --config /path/to/config

# json output
sshconfig-lint --format json

# treat warnings as errors (useful in CI)
sshconfig-lint --strict

# skip Include resolution
sshconfig-lint --no-includes
```

### Example output

```
line 4: [warning] WILDCARD_ORDER (wildcard-host-order) Host 'github.com' appears after 'Host *' (line 1); it will never match because Host * already matched (hint: move Host * to the end of the file)
line 7: [warning] DUP_HOST (duplicate-host) duplicate Host block 'github.com' (first seen at line 4) (hint: remove one of the duplicate Host blocks)
line 3: [error] MISSING_IDENTITY (identity-file-exists) IdentityFile not found: ~/.ssh/id_missing (hint: check the path or remove the directive)
```

Output is sorted by file and line number so it's deterministic across runs (stable for CI diffs and snapshots).

Errors are red, warnings are yellow, info is cyan. Colors are auto-disabled when stdout isn't a terminal or when `NO_COLOR` is set.

### Exit codes

| Code | Meaning |
|------|---------|
| 0 | Clean, no errors found |
| 1 | At least one error-level finding (or warning with `--strict`) |
| 2 | Config file not found |

## Rules

Each finding has a stable code you can grep for or match on in scripts.

| Code | Rule | Severity | Description |
|------|------|----------|-------------|
| `DUP_HOST` | `duplicate-host` | warning | Two Host blocks with the same pattern |
| `MISSING_IDENTITY` | `identity-file-exists` | error | IdentityFile path doesn't exist |
| `WILDCARD_ORDER` | `wildcard-host-order` | warning | Host * appears before specific patterns |
| `WEAK_ALGO` | `deprecated-weak-algorithms` | warning | Weak or deprecated algorithm (3des-cbc, arcfour, hmac-md5, ssh-dss, etc.) |
| `DUP_DIRECTIVE` | `duplicate-directives` | warning | Same directive repeated in one scope (only first value takes effect) |
| `INSECURE_OPT` | `insecure-option` | warning | Dangerous setting like `StrictHostKeyChecking no` or `ForwardAgent yes` on `Host *` |
| `UNSAFE_CTRL_PATH` | `unsafe-control-path` | warning | ControlPath missing `%h`, `%p`, `%r` (or `%C`) — connections may share a socket |
| `INCLUDE_CYCLE` | `include-cycle` | error | Circular Include chain |
| `INCLUDE_READ` | `include-read` | error | Included file can't be read |
| `INCLUDE_GLOB` | `include-glob` | error | Invalid Include glob pattern |
| `INCLUDE_NO_MATCH` | `include-no-match` | info | Include pattern matched no files |

Findings include a hint when possible, like "move Host * to the end of the file".

## What it handles

- Multiple host patterns (`Host github.com gitlab.com`)
- Multiple include patterns (`Include conf.d/*.conf extra.conf`)
- Inline comments (`IdentityFile ~/.ssh/id # my key`)
- Quoted values (`ProxyCommand "ssh -W %h:%p bastion"`)
- Include resolution with cycle detection

## Development

```bash
cargo test          # run all tests
cargo test --lib    # unit tests only
cargo clippy        # lint
cargo fmt --check   # formatting
```

### Project layout

```
src/
  main.rs        CLI
  lib.rs         Public API (lint_file, lint_str)
  model.rs       AST types
  lexer.rs       Tokenizer
  parser.rs      Builds config AST from tokens
  resolve.rs     Include expansion + cycle detection
  report.rs      Text and JSON formatters
  rules/
    mod.rs       Rule trait and runner
    basic.rs     Built-in rules
tests/
  fixtures/      Sample config files
  cli.rs         CLI integration tests
  integration.rs Fixture-based tests
```

### Adding a rule

1. Implement the `Rule` trait in `src/rules/basic.rs`
2. Register it in `run_all()` in `src/rules/mod.rs`
3. Write tests first, then make them pass

See [CONTRIBUTING.md](CONTRIBUTING.md) for more detail.

## License

MIT