shell-things/etc/ssh/ssh_config

54 lines
1.9 KiB
Plaintext

# /etc/ssh/ssh_config - at least the Arch default was full of comments
# so I think it makes more sense if I just paste my normal config here
# without host specific options.
Host *
# Path for the control socket.
ControlPath /tmp/SSH_%u-%r.%h.%p
# Multiple sessions over single connection
ControlMaster yes
# Keep connection open in the background even after connection has been
# closed.
ControlPersist yes
ForwardAgent no
ForwardX11 no
# Ensure KnownHosts are unreadable if leaked.
HashKnownHosts yes
LogLevel VERBOSE
Protocol 2
# Always try public key authentication.
PubkeyAuthentication yes
# Send needed environment variables. I don't like setting wildcards
# and LC_ALL is disabled on purpouse.
SendEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ
# If the server doesn't reply in three "pings", connection is dead.
# Defaults to 3 anyway, but I add it here for clearity and
# in case it decides to change in the future.
ServerAliveCountMax 3
# "ping" the server every minute.
ServerAliveInterval 60
# OpenSSH 6.8+ - ask all host keys from servers.
# I trust the server admins and ways to identify the keys (DNSSEC,
# manual).
UpdateHostKeys yes
# Add undocumented "UseRoaming no" to ssh_config or use
# "-oUseRoaming=no" to prevent upcoming #openssh client bug
# CVE-2016-0777. More later.
# ~~ https://twitter.com/msfriedl/status/687635945642967040
UseRoaming no
# Verify SSHFP records. In case DNSSEC is used this skips the
# question on whether you trust the fingerprint or not.
# All my hosts run DNSSEC validating Unbound on localhost and use it
# for all DNS queries. Yours should too.
VerifyHostKeyDNS yes