DEV.co
Open-Source DevOps · moul

assh

assh is a Go-based SSH wrapper that enhances OpenSSH with regex pattern matching, host aliases, gateway/proxy chaining, and YAML configuration management. It transparently integrates with standard SSH tools (scp, rsync, git) and automatically regenerates SSH config files.

Source: GitHub — github.com/moul/assh
3.2k
GitHub stars
161
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorymoul/assh
Ownermoul
Primary languageGo
LicenseMIT — OSI-approved
Stars3.2k
Forks161
Open issues104
Latest releasev2.17.2 (2026-05-12)
Last updated2026-07-07
Sourcehttps://github.com/moul/assh

What assh is

assh acts as a ProxyCommand wrapper that preprocesses SSH configurations with support for host templates, variable expansion, dynamic hostname resolution, and multi-hop gateway chains with automatic fallback. It uses netcat or socat for raw TCP connections and provides Golang template-based hooks (BeforeConnect, OnConnect, OnConnectError, OnDisconnect) for lifecycle events.

Quickstart

Get the assh source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/moul/assh.gitcd assh# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Complex multi-hop SSH environments

Organizations with nested firewall zones or bastion hosts can define gateway chains (hostA → hostB → hostC) in simple YAML rather than nested ProxyCommand strings.

DevOps automation at scale

Teams managing hundreds of hosts can use regex patterns, inheritance, and templates to reduce SSH config duplication and apply consistent policies across environments.

Seamless tool integration

Works transparently with git, rsync, scp, and IDE SSH integrations (Tower, Atom.io) without requiring per-tool configuration changes.

Implementation considerations

  • assh auto-regenerates ~/.ssh/config on each run; teams must document this behavior to avoid config conflicts or unexpected overwrites in collaborative environments.
  • Gateway fallback timing (GatewayConnectTimeout) requires tuning per network; misconfiguration can cause slow SSH failures if primary gateway is unreachable.
  • Requires Go runtime for builds or pre-compiled binary installation; CI/CD pipelines must account for assh dependency management.
  • Hooks execute arbitrary Golang templates; untrusted config files could pose injection risks if sourced from non-vetted locations.
  • Rate limiting (per-host or global) may interfere with automation tooling that makes rapid concurrent SSH connections.

When to avoid it — and what to weigh

  • OpenSSH native features sufficient — If your setup uses only OpenSSH 7.3+ (which has native config includes) and simple ProxyJump, assh adds unnecessary middleware complexity.
  • Minimal SSH infrastructure — Small teams with few hosts and straightforward networking may find native SSH config more maintainable than learning assh's template and inheritance syntax.
  • Security-first custom tooling required — Organizations needing bespoke SSH authentication hooks, certificate management, or audit logging may require custom integration rather than assh's generic hook model.
  • Windows primary environment — assh is UNIX-centric; Windows users would need WSL or third-party SSH clients, limiting adoption in Windows-first teams.

License & commercial use

MIT License permits unrestricted commercial use, modification, and distribution with attribution required. No restrictions on closed-source derivative works or commercial products.

MIT is a permissive OSI-approved license explicitly allowing commercial use without royalty or notification. No proprietary restrictions. However, no commercial support, SLA, or warranty is stated in the available data; users must rely on community support (104 open issues on GitHub, latest release June 2026).

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

assh is a local SSH config preprocessor with no remote network exposure. Threat model: (1) YAML config injection from untrusted sources (templates execute Golang code), (2) hook command execution runs with user privileges, (3) ProxyCommand injection if hostname input is not validated. No audit trail or logging of SSH connections by assh itself; relies on OS and OpenSSH logs. Users responsible for securing ~/.assh.yml file permissions (contains hostnames, ports, usernames). No cryptographic key management by assh; delegates to OpenSSH.

Alternatives to consider

OpenSSH 7.3+ native config includes + ProxyJump

Native SSH features support config modularization and simple gateway chaining without external tool; lower operational overhead for basic multi-hop scenarios.

Terraform/Ansible dynamic inventory + cloud-init

For large-scale infrastructure, declarative IaC tools with built-in host discovery and automated config generation may be preferable to manual YAML templates.

Teleport (HashiCorp) or Boundary

Enterprise identity and access management platforms for SSH that provide centralized authentication, audit logging, and fine-grained RBAC beyond assh's scope.

Software development agency

Build on assh with DEV.co software developers

Evaluate assh for your team if you manage multi-hop SSH environments or need declarative host configuration at scale. Start with a test environment and a small subset of hosts before migrating production configs.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

assh FAQ

Does assh modify or delete my existing SSH keys?
No. assh only generates/regenerates ~/.ssh/config. SSH keys remain untouched. However, assh overwrites ~/.ssh/config on each run; back up custom SSH config before first use if not using assh exclusively.
Can assh work alongside OpenSSH's native ProxyJump?
Not clearly stated. Mixing assh ProxyCommand with native OpenSSH ProxyJump in the same config may cause unpredictable behavior; best practice is to use one approach consistently.
What happens if assh crashes during SSH session?
assh is a transparent wrapper; if it crashes during ProxyCommand invocation, the SSH connection fails. No automatic recovery. Reliability depends on Go runtime stability and network conditions.
Is assh suitable for CI/CD pipelines?
Yes, with caveats: assh must be installed on CI runners, and YAML configs must be version-controlled. Ensure idempotency (assh auto-regen is deterministic). Not suitable if CI requires immutable, pre-generated SSH config.

Custom software development services

Adopting assh is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.

Simplify SSH Management Across Complex Infrastructure

Evaluate assh for your team if you manage multi-hop SSH environments or need declarative host configuration at scale. Start with a test environment and a small subset of hosts before migrating production configs.