Skip to content

Instantly share code, notes, and snippets.

@terrywang
Last active October 13, 2022 20:39
Show Gist options
  • Save terrywang/a4239989b79d34f4160b to your computer and use it in GitHub Desktop.
Save terrywang/a4239989b79d34f4160b to your computer and use it in GitHub Desktop.
Secure Enhanced ~/.ssh/config OpenSSH client per-user configuration file
# User ssh configuration file ~/.ssh/config
# Gist https://gist.github.com/terrywang/3997931
# man ssh_config for more information
# Inspired by the blog post below to fight the NSA
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# Github needs diffie-hellman-group-exchange-sha1 some of the time but not always
# Host github.com
# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Host *
# key exchange algorithms
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# client authenticaiton
# PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# host key algorithms the client wants to use in order of preference
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
# symmetric ciphers in order of preference
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Message Authentication Code algorithms in order of preference for data integrity protection
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# hmac-ripemd160 MAC removed as OpenSSH 7.6 deprecated it
ServerAliveInterval 30
# Speed up SSH session creation
# by sharing multiple sessions over a single network connection
# reuse already established TCP connection
# ControlMaster auto
# ControlPath ~/.ssh/sockets/%r@%h-%p
# ControlPersist 600
# Disable roaming explicitly anyway for good
# UseRoaming no # Disabled after upgrading to macOS Sierra
VisualHostKey yes
# Ensure KnownHosts are unreadable if leaked
# otherwise it is easier to know which hosts your keys have access to
# HashKnownHosts yes
# macOS Sierra - add passphrases to keychain
UseKeychain yes
# Load keys into ssh-agent
AddKeysToAgent yes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment