Last active
October 13, 2022 20:39
-
-
Save terrywang/a4239989b79d34f4160b to your computer and use it in GitHub Desktop.
Secure Enhanced ~/.ssh/config OpenSSH client per-user configuration file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# User ssh configuration file ~/.ssh/config | |
# Gist https://gist.github.com/terrywang/3997931 | |
# man ssh_config for more information | |
# Inspired by the blog post below to fight the NSA | |
# https://stribika.github.io/2015/01/04/secure-secure-shell.html | |
# Github needs diffie-hellman-group-exchange-sha1 some of the time but not always | |
# Host github.com | |
# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 | |
Host * | |
# key exchange algorithms | |
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | |
# client authenticaiton | |
# PasswordAuthentication no | |
ChallengeResponseAuthentication no | |
PubkeyAuthentication yes | |
# host key algorithms the client wants to use in order of preference | |
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa | |
# symmetric ciphers in order of preference | |
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
# Message Authentication Code algorithms in order of preference for data integrity protection | |
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
# hmac-ripemd160 MAC removed as OpenSSH 7.6 deprecated it | |
ServerAliveInterval 30 | |
# Speed up SSH session creation | |
# by sharing multiple sessions over a single network connection | |
# reuse already established TCP connection | |
# ControlMaster auto | |
# ControlPath ~/.ssh/sockets/%r@%h-%p | |
# ControlPersist 600 | |
# Disable roaming explicitly anyway for good | |
# UseRoaming no # Disabled after upgrading to macOS Sierra | |
VisualHostKey yes | |
# Ensure KnownHosts are unreadable if leaked | |
# otherwise it is easier to know which hosts your keys have access to | |
# HashKnownHosts yes | |
# macOS Sierra - add passphrases to keychain | |
UseKeychain yes | |
# Load keys into ssh-agent | |
AddKeysToAgent yes |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment