70 lines
2.7 KiB
Plaintext
70 lines
2.7 KiB
Plaintext
# This is the ssh client system-wide configuration file. See
|
|
# ssh_config(5) for more information. This file provides defaults for
|
|
# users, and the values can be changed in per-user configuration files
|
|
# or on the command line.
|
|
|
|
# Configuration data is parsed as follows:
|
|
# 1. command line options
|
|
# 2. user-specific file
|
|
# 3. system-wide file
|
|
# Any configuration value is only changed the first time it is set.
|
|
# Thus, host-specific definitions should be at the beginning of the
|
|
# configuration file, and defaults at the end.
|
|
|
|
# Site-wide defaults for some commonly used options. For a comprehensive
|
|
# list of available options, their meanings and defaults, please see the
|
|
# ssh_config(5) man page.
|
|
|
|
# some resources on hardening SSH
|
|
# - https://blog.g3rt.nl/upgrade-your-ssh-keys.html
|
|
# - https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
|
# - https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
|
|
|
|
Host *
|
|
# ForwardAgent no
|
|
# ForwardX11 no
|
|
# ForwardX11Trusted yes
|
|
# RhostsRSAAuthentication no
|
|
# RSAAuthentication yes
|
|
# PasswordAuthentication yes
|
|
# HostbasedAuthentication no
|
|
# GSSAPIAuthentication no
|
|
# GSSAPIDelegateCredentials no
|
|
# GSSAPIKeyExchange no
|
|
# GSSAPITrustDNS no
|
|
# BatchMode no
|
|
# CheckHostIP yes
|
|
# AddressFamily any
|
|
# ConnectTimeout 0
|
|
# StrictHostKeyChecking ask
|
|
# IdentityFile ~/.ssh/identity
|
|
# IdentityFile ~/.ssh/id_rsa
|
|
# IdentityFile ~/.ssh/id_dsa
|
|
# IdentityFile ~/.ssh/id_ecdsa
|
|
# IdentityFile ~/.ssh/id_ed25519
|
|
# Port 22
|
|
# Protocol 2
|
|
# Cipher 3des
|
|
# Host keys the client accepts - order here is honored by OpenSSH
|
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
|
|
|
|
# defaults:
|
|
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
|
|
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
|
|
|
|
# hardened:
|
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
|
# EscapeChar ~
|
|
# Tunnel no
|
|
# TunnelDevice any:any
|
|
# PermitLocalCommand no
|
|
# VisualHostKey no
|
|
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
|
# RekeyLimit 1G 1h
|
|
SendEnv LANG LC_*
|
|
HashKnownHosts yes
|
|
GSSAPIAuthentication yes
|