2015-09-01 15:48:27 +02:00
|
|
|
# /etc/ssh/ssh_config - at least the Arch default was full of comments
|
|
|
|
# so I think it makes more sense if I just paste my normal config here
|
|
|
|
# without host specific options.
|
|
|
|
|
|
|
|
Host *
|
2015-09-06 07:15:17 +02:00
|
|
|
# Path for the control socket.
|
2015-09-01 15:48:27 +02:00
|
|
|
ControlPath /tmp/SSH_%u-%r.%h.%p
|
|
|
|
# Multiple sessions over single connection
|
|
|
|
ControlMaster yes
|
|
|
|
# Keep connection open in the background even after connection has been
|
|
|
|
# closed.
|
|
|
|
ControlPersist yes
|
|
|
|
|
|
|
|
ForwardAgent no
|
|
|
|
ForwardX11 no
|
|
|
|
|
|
|
|
# Ensure KnownHosts are unreadable if leaked.
|
|
|
|
HashKnownHosts yes
|
|
|
|
|
|
|
|
LogLevel VERBOSE
|
|
|
|
Protocol 2
|
|
|
|
|
2015-09-06 07:15:17 +02:00
|
|
|
# Always try public key authentication.
|
2015-09-01 15:48:27 +02:00
|
|
|
PubkeyAuthentication yes
|
|
|
|
|
2015-09-12 10:42:44 +02:00
|
|
|
# Send needed environment variables. I don't like setting wildcards
|
|
|
|
# and LC_ALL is disabled on purpouse.
|
2015-09-12 10:45:42 +02:00
|
|
|
SendEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ
|
2015-09-05 22:46:00 +02:00
|
|
|
|
2015-09-06 07:15:17 +02:00
|
|
|
# If the server doesn't reply in three "pings", connection is dead.
|
2015-09-01 15:48:27 +02:00
|
|
|
# Defaults to 3 anyway, but I add it here for clearity and
|
|
|
|
# in case it decides to change in the future.
|
|
|
|
ServerAliveCountMax 3
|
|
|
|
|
|
|
|
# "ping" the server every minute.
|
|
|
|
ServerAliveInterval 60
|
|
|
|
|
2015-09-02 07:15:16 +02:00
|
|
|
# OpenSSH 6.8+ - ask all host keys from servers.
|
|
|
|
# I trust the server admins and ways to identify the keys (DNSSEC,
|
|
|
|
# manual)
|
|
|
|
UpdateHostKeys yes
|
|
|
|
|
2016-01-14 15:44:27 +01:00
|
|
|
# Add undocumented "UseRoaming no" to ssh_config or use
|
|
|
|
# "-oUseRoaming=no" to prevent upcoming #openssh client bug
|
|
|
|
# CVE-2016-0777. More later.
|
|
|
|
# ~~ https://twitter.com/msfriedl/status/687635945642967040
|
|
|
|
UseRoaming no
|
|
|
|
|
2015-09-01 15:48:27 +02:00
|
|
|
# Verify SSHFP records. In case DNSSEC is used this skips the
|
|
|
|
# question on whether you trust the fingerprint or not.
|
2015-09-02 07:15:16 +02:00
|
|
|
# All my hosts run DNSSEC validating Unbound on localhost and use it
|
|
|
|
# for all DNS queries. Yours should too.
|
|
|
|
VerifyHostKeyDNS yes
|