# Some options are set even if they are default to prevent /etc/ssh/ssh_config
# from overwriting them.
-# Copyright (C) 2011-2014 Simon Ruderich
+# Copyright (C) 2011-2016 Simon Ruderich
#
# This file is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# ServerAliveInterval 5
+# Options are parsed top-to-bottom, the first matching option is used. Later
+# assignments to the same option are ignored, thanks to anonJD in #openssh on
+# Freenode (2011-05-18 21:40 CEST) for letting me know. Therefore put all
+# affected host specific rules here, before the global rules.
+#
+# For example to change the MACs option for a specific host, use:
+#
+# Host host
+# # Old SSH daemon which needs SHA1 (SHA-512 in case it gets updated).
+# MACs hmac-sha2-512,hmac-sha1
+
+
# Rules for all hosts.
Host *
# [1]: http://cseweb.ucsd.edu/~mihir/papers/oem.html
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
# Disable DSA host keys because they are weak (only 1024 bit) and elliptic
-# curves. I don't need certificates, therefore disables those algorithms as
+# curves. I don't need certificates, therefore disable those algorithms as
# well (*-cert-*).
HostKeyAlgorithms ssh-rsa
# sockets are stored in ~/.ssh (by default ControlPath is not set). Using %r
# (remote user name) might leak information to other users on the current
# system (e.g. via netstat or lsof).
- ControlPath ~/.ssh/master-%l-%h-%p-%r
+ ControlPath ~/.ssh/master/%l-%h-%p-%r
# Automatically create a new master session if there's none yet or use an
# existing one. This way the user doesn't have to use -M to enable a master
# manually. Don't set this option to "yes" or all SSH commands try to become
# prevents stale master connections.
ControlPersist 10
-# Hash hosts in ~/.ssh/known_hosts to try to conceal the known hosts. Doesn't
-# help if the ssh hosts are stored in the shell's history file or in this file
-# as shortcut.
- HashKnownHosts yes
-
# Don't permit running local commands (default).
PermitLocalCommand no
# Don't send any environment variables (default).
SendEnv
+# Don't hash any hosts in ~/.ssh/known_hosts. It doesn't help if the ssh hosts
+# are stored in the shell's history file or in this file as shortcut so it's
+# rather useless (default).
+ HashKnownHosts no
+
# Check host IP in known_hosts when connecting to detect DNS spoofing
# (default).
CheckHostIP yes
# Ask before adding any host keys to ~/.ssh/known_hosts (default).
StrictHostKeyChecking ask
+# Check host keys from DNS' SSHFP resource records but ask apply
+# StrictHostKeyChecking before trusting them.
+ VerifyHostKeyDNS ask
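Review bot: The new `ControlPath ~/.ssh/master/%l-%h-%p-%r` points into a subdirectory that ssh does not create; as far as I can tell, until `~/.ssh/master` exists (it should be mode 0700 like `~/.ssh` itself) binding the master socket fails and each connection degrades to an unmultiplexed session, so the comment above it should state that requirement, e.g. `# ~/.ssh/master must exist and be mode 0700; ssh will not create it.` Since the comment already worries about `%r` leaking the remote user name through the socket path, `%C` (a hash of %l%h%p%r) is the documented alternative that keeps the socket unique without exposing those values. The new comment on `VerifyHostKeyDNS` has a slip ("but ask apply"); I would write it as `# Check host keys against DNS SSHFP records, but still apply` / `# StrictHostKeyChecking before trusting them.` It is also worth noting there that an SSHFP match is only as trustworthy as the DNSSEC validation of the answer; without a validating resolver, `ask` still leaves the decision with the user.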