X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=ssh_config;h=babd153a0cacd5593a0cba5754dc441fa213a96f;hb=43fc6ae667ca55c4c3e3a3f1dd0881a7c2c117ce;hp=b61298dabfca6f6e428dada37ab71ac34080dad5;hpb=614f9080ac810a2f4c0a5244bca856f3358e625e;p=config%2Fdotfiles.git diff --git a/ssh_config b/ssh_config index b61298d..babd153 100644 --- a/ssh_config +++ b/ssh_config @@ -1,6 +1,9 @@ # SSH configuration file. +# +# Some options are set even if they are default to prevent /etc/ssh/ssh_config +# from overwriting them. -# Copyright (C) 2011-2012 Simon Ruderich +# Copyright (C) 2011-2016 Simon Ruderich # # This file is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -15,26 +18,119 @@ # You should have received a copy of the GNU General Public License # along with this file. If not, see . +# Undocumented (and not very well tested) feature. This drops the connection +# after 5 seconds of inactivity. Thanks to shad0VV in #openssh on Freenode +# (2012-11-04 18:40 CET) for telling me about this undocumented feature. +# +# ServerAliveCountMax 0 +# ServerAliveInterval 5 + + +# Options are parsed top-to-bottom, the first matching option is used. Later +# assignments to the same option are ignored, thanks to anonJD in #openssh on +# Freenode (2011-05-18 21:40 CEST) for letting me know. Therefore put all +# affected host specific rules here, before the global rules. +# +# For example to change the MACs option for a specific host, use: +# +# Host host +# # Old SSH daemon which needs SHA1 (SHA-512 in case it gets updated). +# MACs hmac-sha2-512,hmac-sha1 + # Rules for all hosts. Host * -# Force protocol version 2 which is more secure. +# Force protocol version 2 which is more secure (default). Protocol 2 -# Disable X11 and agent forwarding for security reasons. +# Use stronger algorithms. If some hosts require weaker versions then use Host +# groups to enable them only for those specific machines. + +# Don't use SHA1 and disable elliptic curves whose security regarding the +# parameters is still in debate. + KexAlgorithms diffie-hellman-group-exchange-sha256 +# Use stronger cipher versions. Disable CBC ciphers to prevent (unlikely) +# plaintext recovery attack [1], disable RC4 because it's broken [2]; this +# leaves only AES. No GCM ciphers yet because they are still very new. +# +# [1]: http://www.openssh.com/txt/cbc.adv +# [2]: http://www.schneier.com/blog/archives/2013/03/new_rc4_attack.html + Ciphers aes256-ctr +# Don't use weak MACs like MD5 or SHA1. However strong MACs are not as +# important as strong ciphers because an attacker must be able to break a MAC +# in real time to modify the data in transmit. 
Prefer "-etm" algorithms which +# use encrypt-then-mac which is more secure than the default encrypt-and-mac +# in SSH [1] (available since 6.2). +# +# [1]: http://cseweb.ucsd.edu/~mihir/papers/oem.html + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 +# Disable DSA host keys because they are weak (only 1024 bit) and elliptic +# curves. I don't need certificates, therefore disables those algorithms as +# well (*-cert-*). + HostKeyAlgorithms ssh-rsa + +# Disable X11 and agent forwarding for security reasons (defaults). ForwardX11 no ForwardAgent no # Don't trust remote X11 clients. If enabled allows bad admins complete access # to local X11! ForwardX11Trusted no -# If -M is used store the control master socket in ~/.ssh. Necessary for -# ControlMaster to work. - ControlPath ~/.ssh/master-%l-%h-%p-%r +# Disable authentication methods I don't use. + ChallengeResponseAuthentication no + GSSAPIAuthentication no + HostbasedAuthentication no + KbdInteractiveAuthentication no +# Only enable those I need. + PasswordAuthentication yes + PubkeyAuthentication yes + +# Use only authentication identity files configured in ~/.ssh/config even if +# ssh-agent offers more identities. + IdentitiesOnly yes -# Don't send any environment variables. +# Bind local forwardings to loopback only. This way no remote hosts can access +# them (default). + GatewayPorts no +# Abort if not all requested port forwardings can be set up. + ExitOnForwardFailure yes + +# Allow using -M (ControlMaster) to create a master SSH session which +# "tunnels" other connections to the same host, thus reducing the number of +# authentications (which are relatively slow) and TCP connections. The master +# sockets are stored in ~/.ssh (by default ControlPath is not set). Using %r +# (remote user name) might leak information to other users on the current +# system (e.g. via netstat or lsof). 
+ ControlPath ~/.ssh/master/%l-%h-%p-%r +# Automatically create a new master session if there's none yet or use an +# existing one. This way the user doesn't have to use -M to enable a master +# manually. Don't set this option to "yes" or all SSH commands try to become +# the master session which is obviously not possible. + ControlMaster auto +# When the connection for a master is closed (e.g. logout of remote shell), +# move the master connection in the background. If there's no other active +# connection using the master, close it after x seconds. This prevents the +# client of the master connection from blocking because it waits for all +# connections using it to terminate which is very annoying. The timeout +# prevents stale master connections. + ControlPersist 10 + +# Don't permit running local commands (default). + PermitLocalCommand no + +# Don't send any environment variables (default). SendEnv -# Ask before adding any host keys to ~/.ssh/known_hosts. +# Don't hash any hosts in ~/.ssh/known_hosts. It doesn't help if the ssh hosts +# are stored in the shell's history file or in this file as shortcut so it's +# rather useless (default). + HashKnownHosts no + +# Check host IP in known_hosts when connecting to detect DNS spoofing +# (default). + CheckHostIP yes +# Ask before adding any host keys to ~/.ssh/known_hosts (default). StrictHostKeyChecking ask +# Don't trust host keys from DNS' SSHFP resource records (default). + VerifyHostKeyDNS no
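Review bot: in the first hunk the new header comment says the explicit defaults are there "to prevent /etc/ssh/ssh_config from overwriting them", but ssh(1) reads ~/.ssh/config before the system-wide file and keeps the first value it finds, so nothing in /etc/ssh/ssh_config can overwrite a value set here; the real effect is that a non-default value in the system file is never picked up for an option this file leaves unset. Consider rewording to "so that /etc/ssh/ssh_config cannot supply a different value for them", which states the actual first-match behaviour the later "Options are parsed top-to-bottom" comment also relies on.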
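Review bot: in the second hunk the ControlPath comment and the value disagree: the comment says "The master sockets are stored in ~/.ssh" and warns that %r "might leak information to other users on the current system", yet the line added is `ControlPath ~/.ssh/master/%l-%h-%p-%r`, which keeps %r and points into a ~/.ssh/master/ subdirectory that ssh does not create by itself, so with `ControlMaster auto` every connection will fail to bind the socket until that directory exists. Either create ~/.ssh/master with mode 0700 as part of the dotfiles setup and fix the comment, or drop the subdirectory; and if the %r leak is a real concern, the %C hash token is the usual replacement for the raw user name in the socket path. Also, `HostKeyAlgorithms ssh-rsa` and `KexAlgorithms diffie-hellman-group-exchange-sha256` exclude ssh-ed25519 and curve25519-sha256@libssh.org along with the NIST curves, although the "parameters is still in debate" rationale in the comment applies only to the latter; a host that offers only an ed25519 host key becomes unreachable with this setting, so the comment should say that this is a deliberate trade-off. Minor wording: "therefore disables those algorithms" should read "disable", and "modify the data in transmit" should be "in transit".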