# This works as a /etc/ssh/ssh_config or ~/.ssh/config like how I keep
# using it. Higher option takes priority (keep `Host *` bottom)

# User specific configs
Include ~/.ssh/config.d/*.conf
# Debian includes this
Include /etc/ssh/ssh_config.d/*.conf

Host *
	# Path for the control socket.
	ControlPath ~/.ssh/sockets/socket-%r@%h:%p
	# Multiple sessions over single connection
	ControlMaster yes
	# Keep connection open in the background even after connection has been
	# closed.
	ControlPersist yes

	# SSH Agent forwarding is behind a lot of security breaches, never do it
	# Most recently https://github.com/matrix-org/matrix.org/issues/371
	ForwardAgent no
	# Never do that either https://security.stackexchange.com/a/14817/234532
	ForwardX11 no

	# Debian sets this as yes, upstream no. TODO: What is it?
	#GSSAPIAuthentication yes

	# Ensure KnownHosts are unreadable if leaked.
	HashKnownHosts yes

	LogLevel VERBOSE
	Protocol 2

	# Tor through openbsd netcat (Fedora: netcat)
	#ProxyCommand netcat -X 5 -x localhost:9050 %h %p

	# Always try public key authentication.
	PubkeyAuthentication yes

	# Send needed environment variables. I don't like setting wildcards
	# and LC_ALL is disabled on purpouse.
	SendEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ

	# "ssh will automatically add new host keys to the user's known_hosts file, but will not permit connections to hosts with changed host keys."
	StrictHostKeyChecking accept-new

	# If the server doesn't reply in three "pings", connection is dead.
	# Defaults to 3 anyway, but I add it here for clearity and
	# in case it decides to change in the future.
	ServerAliveCountMax 3

	# "ping" the server every minute.
	ServerAliveInterval 60

	# OpenSSH 6.8+ - ask all host keys from servers.
	# I trust the server admins and ways to identify the keys (DNSSEC,
	# manual).
	UpdateHostKeys yes

	# Verify SSHFP records. If this is yes, the question is skipped when
	# DNSSEC is used, but apparently only "ask" and "no" write known_hosts
	# However with "ask" you won't be told whether the zone is signed, so
	# I consider "yes" to be the least evil.
	VerifyHostKeyDNS yes

	# Display key ascii art on connection. Makes noticing changed keys easier,
	# although it's ambiguous and similar pattern may go past unnoticed.
	VisualHostKey yes