+# Disable authentication methods I don't use.
+ ChallengeResponseAuthentication no
+ GSSAPIAuthentication no
+ HostbasedAuthentication no
+ KbdInteractiveAuthentication no
+# Only enable those I need.
+ PasswordAuthentication yes
+ PubkeyAuthentication yes
+
+# Use only authentication identity files configured in ~/.ssh/config even if
+# ssh-agent offers more identities.
+ IdentitiesOnly yes
+
+# Bind local forwardings to loopback only. This way no remote hosts can access
+# them (default).
+ GatewayPorts no
+# Abort if not all requested port forwardings can be set up.
+ ExitOnForwardFailure yes
+
+# Allow using -M (ControlMaster) to create a master SSH session which
+# "tunnels" other connections to the same host, thus reducing the number of
+# authentications (which are relatively slow) and TCP connections. The master
+# sockets are stored in ~/.ssh (by default ControlPath is not set). Using %r
+# (remote user name) might leak information to other users on the current
+# system (e.g. via netstat or lsof).