mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2024-12-23 03:02:52 +01:00
Mikaela Suomalainen
e634ee8863
OpenSSH is evil and gives you three not-optimal options to this: A) trust DNSSEC and don't write known_hosts B) ask whether to trust DNS, but don't bother telling me if it's signed C) don't even check SSHFP I see A) as the least evil, but I wish known_hosts was written. Alternatively B) should tell me whether there is DNSSEC or not, not only "matching keys found from DNS" or whatever it says always.
51 lines
1.7 KiB
Plaintext
51 lines
1.7 KiB
Plaintext
# /etc/ssh/ssh_config - at least the Arch default was full of comments
|
|
# so I think it makes more sense if I just paste my normal config here
|
|
# without host specific options.
|
|
|
|
Host *
|
|
# Path for the control socket.
|
|
ControlPath ~/.ssh/sockets/socket-%r@%h:%p
|
|
# Multiple sessions over single connection
|
|
ControlMaster yes
|
|
# Keep connection open in the background even after connection has been
|
|
# closed.
|
|
ControlPersist yes
|
|
|
|
ForwardAgent no
|
|
ForwardX11 no
|
|
|
|
# Ensure KnownHosts are unreadable if leaked.
|
|
HashKnownHosts yes
|
|
|
|
LogLevel VERBOSE
|
|
Protocol 2
|
|
|
|
# Always try public key authentication.
|
|
PubkeyAuthentication yes
|
|
|
|
# Send needed environment variables. I don't like setting wildcards
|
|
# and LC_ALL is disabled on purpouse.
|
|
SendEnv EDITOR LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION TERM TZ
|
|
|
|
# If the server doesn't reply in three "pings", connection is dead.
|
|
# Defaults to 3 anyway, but I add it here for clearity and
|
|
# in case it decides to change in the future.
|
|
ServerAliveCountMax 3
|
|
|
|
# "ping" the server every minute.
|
|
ServerAliveInterval 60
|
|
|
|
# OpenSSH 6.8+ - ask all host keys from servers.
|
|
# I trust the server admins and ways to identify the keys (DNSSEC,
|
|
# manual).
|
|
UpdateHostKeys yes
|
|
|
|
# Workaround CVE-2016-0777 & CVE-0778 on OpenSSH < 7.1p2
|
|
UseRoaming no
|
|
|
|
# Verify SSHFP records. If this is yes, the question is skipped when
|
|
# DNSSEC is used, but apparently only "ask" and "no" write known_hosts
|
|
# However with "ask" you won't be told whether the zone is signed, so
|
|
# I consider "yes" to be the least evil.
|
|
VerifyHostKeyDNS ask
|