Argo Tunnel Short lived cert "One" config for all Servers

Hello everyone.

We started using Cloudflares Argo Tunnel to secure SSH Access to our servers a couple of months ago and are very happy with it. Now we want to take the security to the next level and also use the short lived cert feature (https://developers.cloudflare.com/access/ssh/short-live-cert-server/).

Here is what all of our Admins had in their .ssh/config (Notice the *.. So it applies to all of our servers with one entry in the ssh config) so far (without short lived certs. Access with user “root” and public key auth.):

Host *.<domain>
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  ControlMaster auto
  ControlPath  /tmp/ssh-%[email protected]%h:%p
  ControlPersist 600
  User root

Now we have a couple of hundred servers and it would be kind of annoying to add all of the following > 400 times in the .ssh/config file… (It’s the output from “cloudflared access ssh-config --hostname test. --short-lived-cert”)

Host test.<hostname>
  ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %[email protected]<hostname> >&2 <&1'

Host cfpipe-test.<hostname>
  HostName test.<hostname>
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/test.<hostname>-cf_key
  CertificateFile ~/.cloudflared/test.<hostname>-cf_key-cert.pub

So I just want to know if it is possible to have “one” config and then be able to connect to all of the servers.

Thanks all.

Best
Rick