# SSH configuration file.
+#
+# Some options are set even if they are default to prevent /etc/ssh/ssh_config
+# from overwriting them.
+
+# Copyright (C) 2011-2013 Simon Ruderich
+#
+# This file is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This file is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file. If not, see <http://www.gnu.org/licenses/>.
+
+# Undocumented (and not very well tested) feature. This drops the connection
+# after 5 seconds of inactivity. Thanks to shad0VV in #openssh on Freenode
+# (2012-11-04 18:40 CET) for telling me about this undocumented feature.
+#
+# ServerAliveCountMax 0
+# ServerAliveInterval 5
# Rules for all hosts.
Host *
-# Force protocol version 2 which is more secure.
+# Force protocol version 2 which is more secure (default).
Protocol 2
-# Disable X11 and agent forwarding for security reasons.
+# Disable X11 and agent forwarding for security reasons (defaults).
ForwardX11 no
ForwardAgent no
# Don't trust remote X11 clients. If enabled allows bad admins complete access
# to local X11!
ForwardX11Trusted no
-# If -M is used store the control master socket in ~/.ssh. Necessary for
-# ControlMaster to work.
+# Disable authentication methods I don't use.
+ ChallengeResponseAuthentication no
+ GSSAPIAuthentication no
+ HostbasedAuthentication no
+ KbdInteractiveAuthentication no
+# Only enable those I need.
+ PasswordAuthentication yes
+ PubkeyAuthentication yes
+
+# Use only authentication identity files configured in ~/.ssh/config even if
+# ssh-agent offers more identities.
+ IdentitiesOnly yes
+
+# Bind local forwardings to loopback only. This way no remote hosts can access
+# them (default).
+ GatewayPorts no
+# Abort if not all requested port forwardings can be set up.
+ ExitOnForwardFailure yes
+
+# Allow using -M (ControlMaster) to create a master SSH session which
+# "tunnels" other connections to the same host, thus reducing the number of
+# authentications (which are relatively slow) and TCP connections. The master
+# sockets are stored in ~/.ssh (by default ControlPath is not set). Using %r
+# (remote user name) might leak information to other users on the current
+# system (e.g. via netstat or lsof).
ControlPath ~/.ssh/master-%l-%h-%p-%r
+# Automatically create a new master session if there's none yet or use an
+# existing one. This way the user doesn't have to use -M to enable a master
+# manually. Don't set this option to "yes" or all SSH commands try to become
+# the master session which is obviously not possible.
+ ControlMaster auto
+# When the connection for a master is closed (e.g. logout of remote shell),
+# move the master connection in the background. If there's no other active
+# connection using the master, close it after x seconds. This prevents the
+# client of the master connection from blocking because it waits for all
+# connections using it to terminate which is very annoying. The timeout
+# prevents stale master connections.
+ ControlPersist 10
+
+# Hash hosts in ~/.ssh/known_hosts to try to conceal the known hosts. Doesn't
+# help if the ssh hosts are stored in the shell's history file or in this file
+# as shortcut.
+ HashKnownHosts yes
+
+# Don't permit running local commands (default).
+ PermitLocalCommand no
-# Don't send any environment variables.
+# Don't send any environment variables (default).
SendEnv
-# Ask before adding any host keys to ~/.ssh/known_hosts.
+# Check host IP in known_hosts when connecting to detect DNS spoofing
+# (default).
+ CheckHostIP yes
+# Ask before adding any host keys to ~/.ssh/known_hosts (default).
StrictHostKeyChecking ask