I've been trying to take advantage of CanonicalizeHostname, and run into an issue with its reparsing behavior and vendor-supplied options in system config files. If a system config contains a stanza like this: Host * GSSAPIAuthentication yes ...there's now no way to set "GSSAPIAuthentication no" in any Host sections that only match the canonicalized hostname. I've already found https://bugzilla.mindrot.org/show_bug.cgi?id=2267 and https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-November/033098.html concerning nearly the same problem, but I've got the additional wrinkle that I can't just change the "Host *" to "Match canonical all" and be done with it. (Well, I could, but fixing every instance in every vendor config in perpetuity is fighting a losing battle...) Have I missed some other way around this? CanonicalizeHostname fixes a long-standing consistency headache, but I'm kinda stuck here. -Rob