# [1]: http://cseweb.ucsd.edu/~mihir/papers/oem.html
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
# Disable DSA host keys because they are weak (only 1024 bit) and elliptic
-# curves. I don't need certificates, therefore disables those algorithms as
+# curves. I don't need certificates, therefore disable those algorithms as
# well (*-cert-*).
HostKeyAlgorithms ssh-rsa
# sockets are stored in ~/.ssh (by default ControlPath is not set). Using %r
# (remote user name) might leak information to other users on the current
# system (e.g. via netstat or lsof).
- ControlPath ~/.ssh/master-%l-%h-%p-%r
+ ControlPath ~/.ssh/master/%l-%h-%p-%r
# Automatically create a new master session if there's none yet or use an
# existing one. This way the user doesn't have to use -M to enable a master
# manually. Don't set this option to "yes" or all SSH commands try to become
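Review bot: The new `ControlPath ~/.ssh/master/%l-%h-%p-%r` depends on a `~/.ssh/master` directory that ssh, as far as I know, does not create on its own, so on a fresh account the master socket cannot be created. The comment above the option still says the sockets live in `~/.ssh`; it could read `# sockets are stored in ~/.ssh/master (must exist, mode 0700)`. That comment also warns that `%r` can expose the remote user name via netstat or lsof, yet the new path keeps `%r`. If the installed OpenSSH supports the `%C` token, `ControlPath ~/.ssh/master/%C` replaces local host, remote host, port and user with a hash. The comment block begins before this hunk and continues past its end.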
CheckHostIP yes
# Ask before adding any host keys to ~/.ssh/known_hosts (default).
StrictHostKeyChecking ask
-# Don't trust host keys from DNS' SSHFP resource records (default).
- VerifyHostKeyDNS no
+# Check host keys from DNS' SSHFP resource records but ask apply
+# StrictHostKeyChecking before trusting them.
+ VerifyHostKeyDNS ask
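Review bot: With `VerifyHostKeyDNS ask` the client reports whether an SSHFP record matches the offered host key, but that report is only as trustworthy as the DNS answer. Unless the lookup is DNSSEC-validated over a trusted path to the resolver, a forged reply can produce the same "matching fingerprint" message. The new comment should say so, so that the `StrictHostKeyChecking ask` prompt is still answered by checking the fingerprint out of band, e.g. `# An SSHFP match is only a hint unless DNSSEC-validated; still verify the fingerprint.` The added comment also has a wording slip ("but ask apply"); `# Check host keys against DNS' SSHFP resource records, but still apply` reads as intended.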