X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=ssh_config;h=09995ab12a8871146ec6a30d4c4586b9b4647b20;hb=363110875986d10c37122e5b430f357520504d8a;hp=a9835c2512f79531e24facb831323c091ebd3ee2;hpb=8ad1d0be07448ea0b215765594a68ee00d4b1d55;p=config%2Fdotfiles.git
diff --git a/ssh_config b/ssh_config
index a9835c2..09995ab 100644
--- a/ssh_config
+++ b/ssh_config
@@ -3,7 +3,7 @@
 # Some options are set even if they are default to prevent /etc/ssh/ssh_config
 # from overwriting them.
-# Copyright (C) 2011-2014 Simon Ruderich
+# Copyright (C) 2011-2016 Simon Ruderich
 #
 # This file is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -26,6 +26,18 @@
 # ServerAliveInterval 5
+# Options are parsed top-to-bottom, the first matching option is used. Later
+# assignments to the same option are ignored, thanks to anonJD in #openssh on
+# Freenode (2011-05-18 21:40 CEST) for letting me know. Therefore put all
+# affected host specific rules here, before the global rules.
+#
+# For example to change the MACs option for a specific host, use:
+#
+# Host host
+# # Old SSH daemon which needs SHA1 (SHA-512 in case it gets updated).
+# MACs hmac-sha2-512,hmac-sha1
+
+
 # Rules for all hosts.
 Host *
@@ -54,7 +66,7 @@ Host *
 # [1]: http://cseweb.ucsd.edu/~mihir/papers/oem.html
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
 # Disable DSA host keys because they are weak (only 1024 bit) and elliptic
-# curves. I don't need certificates, therefore disables those algorithms as
+# curves. I don't need certificates, therefore disable those algorithms as
 # well (*-cert-*).
 HostKeyAlgorithms ssh-rsa
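Review bot: The "first matching option is used" rule the new comment states is not universal: a few options accumulate across matching blocks instead of taking the first value, IdentityFile being the documented case in ssh_config(5), so a host-specific IdentityFile placed above `Host *` still gets any global ones added to the list tried. I would qualify the comment with a line such as `# (Exception: some options, e.g. IdentityFile, accumulate rather than taking the first value; see ssh_config(5).)`. In the example, keeping hmac-sha2-512 ahead of hmac-sha1 is the right order because the client's list is preference-ordered and the SHA-1 MAC is only negotiated when the server offers nothing better; saying so next to `MACs hmac-sha2-512,hmac-sha1` would stop it being copied as a bare `hmac-sha1`.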
@@ -90,7 +102,7 @@ Host *
 # sockets are stored in ~/.ssh (by default ControlPath is not set). Using %r
 # (remote user name) might leak information to other users on the current
 # system (e.g. via netstat or lsof).
- ControlPath ~/.ssh/master-%l-%h-%p-%r
+ ControlPath ~/.ssh/master/%l-%h-%p-%r
 # Automatically create a new master session if there's none yet or use an
 # existing one. This way the user doesn't have to use -M to enable a master
 # manually. Don't set this option to "yes" or all SSH commands try to become
@@ -104,21 +116,22 @@ Host *
 # prevents stale master connections.
 ControlPersist 10
-# Hash hosts in ~/.ssh/known_hosts to try to conceal the known hosts. Doesn't
-# help if the ssh hosts are stored in the shell's history file or in this file
-# as shortcut.
- HashKnownHosts yes
-
 # Don't permit running local commands (default).
 PermitLocalCommand no
 # Don't send any environment variables (default).
 SendEnv
+# Don't hash any hosts in ~/.ssh/known_hosts. It doesn't help if the ssh hosts
+# are stored in the shell's history file or in this file as shortcut so it's
+# rather useless (default).
+ HashKnownHosts no
+
 # Check host IP in known_hosts when connecting to detect DNS spoofing
 # (default).
 CheckHostIP yes
 # Ask before adding any host keys to ~/.ssh/known_hosts (default).
 StrictHostKeyChecking ask
-# Don't trust host keys from DNS' SSHFP resource records (default).
- VerifyHostKeyDNS no
+# Check host keys from DNS' SSHFP resource records but ask apply
+# StrictHostKeyChecking before trusting them.
+ VerifyHostKeyDNS ask
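Review bot: The new ControlPath points into a subdirectory, `~/.ssh/master/`, that ssh does not create on its own; if it is missing, the master's bind() on the socket path fails and multiplexing does not work (in the versions I know this is a hard error rather than a silent fallback), and nothing in this hunk or the comment above it says the directory must exist. It should be created with mode 0700 before this config is used, since anyone who can reach the socket gets the authenticated session, so I would add `# ~/.ssh/master/ must exist (mkdir -m 0700 ~/.ssh/master); ssh does not create it.` above the option. The %r leak the comment already worries about is unchanged by the move; if the target OpenSSH is 6.7 or newer, `ControlPath ~/.ssh/master/%C` (a hash of %l%h%p%r) keeps the remote user name out of the path and also stays under the sun_path length limit. The enclosing `Host *` block starts and ends outside the hunk.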
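Review bot: The new VerifyHostKeyDNS comment has a typo (`ask apply`) and, more importantly, does not say that SSHFP records are only as trustworthy as the DNS answer: without DNSSEC validation (resolver returning the AD bit) a record can be spoofed by whoever controls the path to the resolver, and as far as I can tell `ask` still shows the reassuring "Matching host key fingerprint found in DNS" hint at the prompt in that case, which can nudge a user into accepting an attacker's key. I would reword to `# Check host keys against DNS SSHFP records, but still apply StrictHostKeyChecking` / `# before trusting them (unlike "yes", which skips the prompt on a DNSSEC-validated` / `# match). Without DNSSEC the hint is spoofable, so verify the fingerprint anyway.`. Note also that a stale SSHFP record that no longer matches produces a changed-host-key warning on every connection even when known_hosts is correct, which is a useful signal but surprising if undocumented. The HashKnownHosts change is a defensible trade-off, though `no` does leave a plaintext list of every host in known_hosts for anyone who can read the file, so the comment's "rather useless" overstates it slightly. The enclosing `Host *` block starts outside the hunk.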