Import hosts from ~/.ssh/config
The fastest path for anyone who already SSHes into their boxes from this Mac. Noxen reads your existing SSH config, lists every concrete host, lets you tick the ones to enrol, and copies the referenced keys into the macOS Keychain.
Open the import wizard
+ menu in the sidebar → Import from SSH config…
Noxen reads ~/.ssh/config with your user permissions — App Sandbox is disabled (Developer ID distribution only, see why Noxen ships via Developer ID, not MAS) so the file is directly readable. Nothing leaves your Mac during this read; everything is parsed locally with SSHConfigParser.
What gets parsed
Noxen recognises the standard ssh_config(5) directives
that matter for connection setup. A typical block:
Host edge-nuc
    HostName 10.0.1.42
    User paul
    Port 22
    IdentityFile ~/.ssh/noxen_id

Host plex.lan
    HostName plex.home.arpa
    User admin
    IdentityFile ~/.ssh/id_ed25519
Both blocks become enrollable hosts. The Host alias
becomes the display name; HostName, User,
Port map directly. IdentityFile is
resolved and the referenced key file is read for Keychain import.
What gets skipped
- Wildcard Host patterns — Host *.home, Host gh-*, Host * — these are config templates, not concrete targets. Skipped silently.
- Hosts that resolve via ProxyJump only — Noxen v1.0 does direct connections; multi-hop SSH lands in v1.1.
- Hosts using unsupported key types — Ed25519 only in v1.0. RSA and ECDSA keys are listed but with a tag indicating they'll be skipped on enrol; v1.1 adds support.
- Hosts with no HostName — the alias is just a shortcut to another alias; resolved transitively where possible, skipped if the chain doesn't terminate.
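To preview how these rules sort a config before running the wizard, here is an added example (not Noxen's SSHConfigParser or any code from the project) that labels each Host block as enrollable or skipped. The hosts inner-db and shortcut are constructed, the key-type rule is left out because it needs the key files, and aliases with no HostName are only flagged for review rather than resolved transitively.

```python
import re

# Constructed sample: the page's two hosts plus blocks the page says are skipped.
SAMPLE = """\
Host edge-nuc
    HostName 10.0.1.42
    IdentityFile ~/.ssh/noxen_id
Host *.home gh-*
Host inner-db
    HostName 10.0.9.9
    ProxyJump edge-nuc
Host shortcut
    User admin
Host plex.lan
    HostName=plex.home.arpa
"""

def parse_hosts(text):
    """Return [(patterns, options)] per Host block; the first value of a keyword wins."""
    blocks, current = [], None
    for raw in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=?\s*(.*)", raw)   # 'Key value' or 'Key=value'
        if not m:                                     # blank line or '#' comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append(current := (value.split(), {}))
        elif key == "match":
            current = None                            # Match blocks are out of scope here
        elif current is not None:                     # options before any Host are ignored
            current[1].setdefault(key, value)
    return blocks

def triage(text):
    """Label each alias 'enrol' or with the skip rule from the page that applies."""
    verdicts = {}
    for patterns, opts in parse_hosts(text):
        if any(re.search(r"[*?!]", p) for p in patterns):
            verdicts[" ".join(patterns)] = "skip: wildcard pattern"
            continue
        for alias in patterns:
            if opts.get("proxyjump", "none").lower() != "none":   # 'none' means direct
                verdicts[alias] = "skip: ProxyJump"
            else:
                verdicts[alias] = "enrol" if "hostname" in opts else "review: no HostName"
    return verdicts

if __name__ == "__main__":
    print(*(f"{k:14} {v}" for k, v in triage(SAMPLE).items()), sep="\n")
```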
Pick which to enrol
The wizard shows every concrete host in a table with three columns: alias, hostname/port, identity file. Each row has a checkbox. Tick the hosts you want enrolled; click Enrol N hosts at the bottom. Defaults to everything ticked — un-tick the boxes you don't want monitored. Hosts you skip stay out of Noxen entirely and never get scanned; re-running the import later picks them up if you change your mind.
Where the keys go
For each enrolled host, the referenced
IdentityFile is read once, copied into the macOS
Keychain under the Noxen app group
(group.com.paulsnyman.noxen), and the on-disk key
file is left untouched. The
scheduled-scan agent
reads from the same Keychain entry at 03:00, so nightly scans
don't need re-importing.
Keys never leave your Mac. CloudKit sync (if enabled) synchronises the host catalog and findings, but the SSH keys themselves are explicitly excluded — Keychain entries are iCloud-Keychain-mirrorable but Noxen marks the entries non-syncable. See Privacy & data for the full provenance model.
Re-import after editing your config
Add a new host to ~/.ssh/config, run the import
again — already-enrolled hosts are matched by alias and skipped,
new hosts are surfaced for tick-through. Hosts removed from your
SSH config are not automatically removed from
Noxen — that'd be an action with real fleet-management
consequences and we don't want to silently delete monitored hosts
based on an edit you might not have meant. Remove them from the
sidebar manually if needed.
Privacy
The import is local-only: the parser runs in-process, no
~/.ssh/config contents are transmitted, and the
key files are read once at import time and never re-read after
the Keychain entry exists.