shell-things/etc/ssh/ssh_config

# /etc/ssh/ssh_config - at least the Arch default was full of comments
# so I think it makes more sense if I just paste my normal config here
# without host specific options.

Host *
    # Path for the control socket.
    ControlPath ~/.ssh/sockets/socket-%r@%h:%p
    # Multiple sessions over single connection
    ControlMaster yes
    # Keep connection open in the background even after connection has been
    # closed.
    ControlPersist yes

    ForwardAgent no
    ForwardX11 no

    # Ensure KnownHosts are unreadable if leaked.
    HashKnownHosts yes

    LogLevel VERBOSE
    Protocol 2

    # Always try public key authentication.
    PubkeyAuthentication yes

    # Send needed environment variables. I don't like setting wildcards
    # and LC_ALL is disabled on purpouse.
    SendEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ

    # If the server doesn't reply in three "pings", connection is dead.
    # Defaults to 3 anyway, but I add it here for clearity and
    # in case it decides to change in the future.
    ServerAliveCountMax 3

    # "ping" the server every minute.
    ServerAliveInterval 60

    # OpenSSH 6.8+ - ask all host keys from servers.
    # I trust the server admins and ways to identify the keys (DNSSEC,
    # manual).
    UpdateHostKeys yes

    # Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
    UseRoaming no

    # Verify SSHFP records. If this is yes, the question is skipped when
    # DNSSEC is used, but apparently only "ask" and "no" write known_hosts
    # However with "ask" you won't be told whether the zone is signed, so
    # I consider "yes" to be the least evil.
    VerifyHostKeyDNS yes
etc/ssh: add ssh_config 2015-09-01 16:48:27 +03:00			`# /etc/ssh/ssh_config - at least the Arch default was full of comments`
			`# so I think it makes more sense if I just paste my normal config here`
			`# without host specific options.`

			`Host *`
ssh_config: fix comments 2015-09-06 08:15:17 +03:00			`# Path for the control socket.`
ssh_config: use more private ControlPath 2018-10-07 20:54:41 +03:00			`ControlPath ~/.ssh/sockets/socket-%r@%h:%p`
etc/ssh: add ssh_config 2015-09-01 16:48:27 +03:00			`# Multiple sessions over single connection`
			`ControlMaster yes`
Revert "ssh_config: controlpersist auto instead of on" This reverts commit 330e8a80ad7bebe175e909842d2d3e70855b952e. I got complaining about bad value 2018-10-11 13:45:31 +03:00			`# Keep connection open in the background even after connection has been`
			`# closed.`
			`ControlPersist yes`
etc/ssh: add ssh_config 2015-09-01 16:48:27 +03:00
			`ForwardAgent no`
			`ForwardX11 no`

			`# Ensure KnownHosts are unreadable if leaked.`
			`HashKnownHosts yes`

			`LogLevel VERBOSE`
			`Protocol 2`

ssh_config: fix comments 2015-09-06 08:15:17 +03:00			`# Always try public key authentication.`
etc/ssh: add ssh_config 2015-09-01 16:48:27 +03:00			`PubkeyAuthentication yes`

ssh: send/accept also TZ TERM 2015-09-12 11:42:44 +03:00			`# Send needed environment variables. I don't like setting wildcards`
			`# and LC_ALL is disabled on purpouse.`
ssh: also send EDITOR 2015-09-12 11:45:42 +03:00			`SendEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ`
ssh_config: SendEnv LANG LC_* 2015-09-05 23:46:00 +03:00
ssh_config: fix comments 2015-09-06 08:15:17 +03:00			`# If the server doesn't reply in three "pings", connection is dead.`
etc/ssh: add ssh_config 2015-09-01 16:48:27 +03:00			`# Defaults to 3 anyway, but I add it here for clearity and`
			`# in case it decides to change in the future.`
			`ServerAliveCountMax 3`

			`# "ping" the server every minute.`
			`ServerAliveInterval 60`

ssh_config: add UpdateHostKeys yes 2015-09-02 08:15:16 +03:00			`# OpenSSH 6.8+ - ask all host keys from servers.`
			`# I trust the server admins and ways to identify the keys (DNSSEC,`
unify the two ssh_config files (fix typos) 2016-01-14 16:59:18 +02:00			`# manual).`
ssh_config: add UpdateHostKeys yes 2015-09-02 08:15:16 +03:00			`UpdateHostKeys yes`

Fix #87 (explain ssh_config UseRoaming no) 2016-01-14 20:37:51 +02:00			`# Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2`
ssh_config: add "UseRoaming no" https://twitter.com/msfriedl/status/687635945642967040 2016-01-14 16:44:27 +02:00			`UseRoaming no`

ssh_config: update comment for VerifyHostKeyDNS OpenSSH is evil and gives you three not-optimal options to this: A) trust DNSSEC and don't write known_hosts B) ask whether to trust DNS, but don't bother telling me if it's signed C) don't even check SSHFP I see A) as the least evil, but I wish known_hosts was written. Alternatively B) should tell me whether there is DNSSEC or not, not only "matching keys found from DNS" or whatever it says always. 2019-05-09 18:44:36 +03:00			`# Verify SSHFP records. If this is yes, the question is skipped when`
			`# DNSSEC is used, but apparently only "ask" and "no" write known_hosts`
			`# However with "ask" you won't be told whether the zone is signed, so`
			`# I consider "yes" to be the least evil.`
VerifyHostKeyByDNS is supposed to be yes fix previous commit, I imagine I changed it by accident. 2019-05-11 00:58:00 +03:00			`VerifyHostKeyDNS yes`