
In ssh config, what does `Match canonical all` mean?

6 votes
1 answer
4680 views
I wanted to use `CanonicalizeHostname` in my ssh config which would make it possible to add and remove hosts without having to edit the file.

```
Host bastion
    ProxyJump none

Match canonical
    ProxyJump bastion
    ForwardAgent yes

Host *
    ForwardAgent no
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes
```

ssh-agent was not being forwarded to any of my servers. If I changed `ForwardAgent` under `Host *` to "yes" then it would be forwarded. As `ForwardAgent` under `Match canonical` was not being parsed I thought there was a bug and I made a report to OpenSSH (which was deleted). It was explained to me that it was working as intended:

> When hostname canonicalisation is enabled, the configuration is parsed twice. An initial pass to collect options and then a second pass after the hostnames are finalised. Most configuration options operate as "first match wins"
>
> So what's happening here is that, on the first pass, your "Host *" block is being parsed and the ForwardAgent option is being set to "no". On the subsequent pass, the ForwardAgent directive in the "Match canonical" block is ignored because it's already set.

I can understand that. I knew it was parsed twice with `CanonicalizeHostname` enabled, but I didn't realise this consequence of that. What I don't understand is the way to avoid that "by only setting the fallback ForwardAgent on the final pass":

```
Host bastion
    ProxyJump none

Match canonical
    ProxyJump bastion
    ForwardAgent yes

Match all
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes

Match canonical all
    ForwardAgent no
```

**My questions:**

* How is `Match all` different to `Host *`?
* What does `Match canonical all` mean? Why would the canonical hosts be directed to parse that option again when it has already been set for them in a different way?

If it was `!canonical` it would make more sense to me, although seemingly redundant, as in this case the single directive under it has already been set. I have a lot of other options to add, which were mostly under `Host *` and have nothing to do with `CanonicalizeHostname`, so I had left them out, but now I don't know where to put them.
Asked by paradroid (1245 rep)
Apr 3, 2023, 10:32 AM
Last activity: Sep 3, 2024, 02:50 PM
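The two-pass, first-obtained-value-wins behaviour described in the quoted reply can be made concrete with a small simulator. The following is an added example and is not code from the question or from OpenSSH: it models only `Host` patterns, `Match all` and `Match canonical`, replaces DNS with a constructed set of names (`KNOWN_NAMES`), simplifies `CanonicalizeHostname` to "append each `CanonicalDomains` suffix and keep the first known name", and assumes the file is re-read once after canonicalisation with `Match canonical` succeeding on that second read. Both configs from the question are embedded so their effective `ForwardAgent` and `ProxyJump` values can be compared for the same host.

```python
"""Toy model of ssh_config evaluation with CanonicalizeHostname enabled.

Added example, not code from the question or from OpenSSH. It follows the
behaviour described in the quoted reply: one pass to collect options, then
the host name is canonicalised, then a second pass in which 'Match canonical'
succeeds, while every option keeps the first value it obtained.
Assumptions: DNS is replaced by KNOWN_NAMES; only Host, Match all and
Match canonical are understood; no quoting, negation or '=' syntax.
"""
from fnmatch import fnmatchcase

# Constructed stand-in for DNS: the names assumed to exist in mydomain.co.uk.
KNOWN_NAMES = {"bastion.mydomain.co.uk", "web1.mydomain.co.uk"}

# The asker's original layout (agent forwarding unexpectedly off).
CONFIG_ORIGINAL = """
Host bastion
    ProxyJump none
Match canonical
    ProxyJump bastion
    ForwardAgent yes
Host *
    ForwardAgent no
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes
"""

# The layout suggested to the asker (fallback ForwardAgent on the final pass).
CONFIG_SUGGESTED = """
Host bastion
    ProxyJump none
Match canonical
    ProxyJump bastion
    ForwardAgent yes
Match all
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes
Match canonical all
    ForwardAgent no
"""


def parse(text):
    """Split the file into (keyword, args) pairs; blanks and comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        args = parts[1].split() if len(parts) > 1 else []
        entries.append((parts[0].lower(), args))
    return entries


def match_criteria(criteria, canonical_pass):
    """Evaluate a Match line: 'all' always succeeds, 'canonical' succeeds only
    during the re-read after canonicalisation; criteria are ANDed together."""
    for crit in criteria:
        if crit == "canonical" and not canonical_pass:
            return False
        if crit not in ("all", "canonical"):
            raise ValueError(f"unsupported Match criterion: {crit}")
    return True


def one_pass(entries, hostname, canonical_pass, opts):
    """Walk the file once. A Host/Match line decides whether the lines after it
    are active; setdefault() implements 'first obtained value wins'."""
    active = True
    for keyword, args in entries:
        if keyword == "host":
            active = any(fnmatchcase(hostname, pattern) for pattern in args)
        elif keyword == "match":
            active = match_criteria(args, canonical_pass)
        elif active:
            opts.setdefault(keyword, " ".join(args))
    return opts


def canonicalise(hostname, opts):
    """Simplified CanonicalizeHostname: if the name has no more dots than
    CanonicalizeMaxDots, try each CanonicalDomains suffix against KNOWN_NAMES;
    otherwise (the fallback case) keep the name as typed."""
    max_dots = int(opts.get("canonicalizemaxdots", "1"))
    if hostname.count(".") > max_dots:
        return hostname
    for domain in opts.get("canonicaldomains", "").split():
        candidate = f"{hostname}.{domain}"
        if candidate in KNOWN_NAMES:
            return candidate
    return hostname


def resolve(text, hostname):
    """Return (effective host name, options dict keyed by lower-cased keyword)."""
    entries = parse(text)
    opts = one_pass(entries, hostname, canonical_pass=False, opts={})
    if opts.get("canonicalizehostname", "no") in ("yes", "always"):
        # Second pass: Host patterns now see the canonical name and
        # 'Match canonical' succeeds, but values from pass one are already fixed.
        hostname = canonicalise(hostname, opts)
        opts = one_pass(entries, hostname, canonical_pass=True, opts=opts)
    return hostname, opts


if __name__ == "__main__":
    for label, cfg in (("original", CONFIG_ORIGINAL), ("suggested", CONFIG_SUGGESTED)):
        for host in ("web1", "bastion"):
            target, opts = resolve(cfg, host)
            print(f"{label:9} {host:8} -> {target:24} "
                  f"ForwardAgent={opts.get('forwardagent')} "
                  f"ProxyJump={opts.get('proxyjump')}")
```

Running it shows the effect the reply describes: in the original layout `web1` ends with `ForwardAgent no` because `Host *` fixed that value on the first pass, before `Match canonical` could match; in the suggested layout the `Match canonical` block is the first place `ForwardAgent` is obtained, so `web1` ends with `yes`, while `bastion` keeps `ProxyJump none` from the first pass in both layouts. The real client can be checked the same way with `ssh -G <host>`, which prints the options it would actually use.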