Secure Enhanced ~/.ssh/config OpenSSH client per-user configuration file
# User ssh configuration file ~/.ssh/config
# Gist https://gist.github.com/terrywang/3997931
# man ssh_config for more information
# Inspired by the blog post below to fight the NSA
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
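# github.com: personal account. KEX, host-key, cipher and MAC policy come from
# the "Host *" block at the end of the file (ssh keeps the first value obtained
# per option, so anything set here would override it). The per-host
# KexAlgorithms list this stanza used to carry was the global list minus the
# post-quantum hybrid, and its comment about a SHA-1 group exchange no longer
# matched it; the override is gone so this host tracks the global policy.
Host github.com
HostName github.com
User git
# With IdentitiesOnly yes (from Host *) only this file is offered, so other
# agent keys are never tried against GitHub.
IdentityFile ~/.ssh/m4max_ed25519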
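# github.com-work: second GitHub identity, selected by using this alias as the
# remote host (git@github.com-work:org/repo). Algorithm policy is inherited from
# "Host *"; the duplicate per-host KexAlgorithms list (global list minus the
# post-quantum hybrid) has been dropped so both GitHub stanzas stay in step.
Host github.com-work
HostName github.com
User git
# NOTE(review): the file name suggests a key without a passphrase — confirm.
# If so, keep it 0600 and consider protecting it via the agent/keychain instead.
IdentityFile ~/.ssh/work_nopass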
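# bitbucket.org: no HostName needed, the pattern is the real host name.
# Algorithm policy is inherited from "Host *"; the per-host KexAlgorithms
# override (global list minus the post-quantum hybrid) has been removed.
Host bitbucket.org
User git
IdentityFile ~/.ssh/id_ed25519_do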
# vbox: presumably a local VM guest reached through a port forward on loopback
# (localhost:2222) — confirm.
Host vbox
HostName localhost
Port 2222
User terry
IdentityFile ~/.ssh/mule_ed25519
# Host-key verification is deliberately off for this host: nothing is recorded
# and nothing is checked, so a changed key is never noticed. Acceptable only
# because the endpoint is loopback; do not copy this pair into a stanza for a
# network host. Narrower alternative (OpenSSH >= 7.6): a dedicated
# UserKnownHostsFile plus StrictHostKeyChecking accept-new.
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
# SOCKS5 listener on 127.0.0.1:1080, loopback-only while GatewayPorts is off.
# dynamic-forwarding and dyno bind the same local port, so only one of the
# three can be connected at a time.
DynamicForward 1080
# QUIET is below FATAL: ssh's own warnings and errors for this host, including
# host-key messages and VisualHostKey output, are not shown.
LogLevel QUIET
# Enabling this would expose the SOCKS listener above to other machines.
# GatewayPorts yes
# Template for a host only reachable via an HTTP proxy or a jump host
# (ProxyJump is the modern replacement for the ssh+nc form).
#Host Host-needs-proxy-to-access
#ProxyCommand connect -H proxy.terry.im:80 %h %p
#ProxyCommand ssh jumpbox nc %h %p
#ServerAliveInterval 30
# ms-services ssm connections
# NOTE(review): AWS-StartPortForwardingSession opens a local listener
# (instance port 22 -> 127.0.0.1:22222) instead of relaying ssh's stdio, so
# `ssh ssm-pce` itself never completes an SSH handshake; it looks like it is
# used only to hold the tunnel open while dynamic-forwarding / dyno connect
# through localhost:22222 — confirm. A real stdio ProxyCommand would use the
# AWS-StartSSHSession document. ssm-ubuntu maps the same local port, so only
# one of the two tunnels can be up at a time. Unlike ssm-ubuntu this stanza
# does not set RequestTTY no; presumably wanted here as well.
Host ssm-pce
ProxyCommand sh -c "aws ssm start-session --target i-02c47b490a692ceec --region ap-southeast-2 --document-name AWS-StartPortForwardingSession --parameters '{\"portNumber\":[\"22\"],\"localPortNumber\":[\"22222\"]}'"
# ssm-ubuntu: same tunnel mechanism as ssm-pce (instance port 22 ->
# 127.0.0.1:22222) for a different instance; the two share the local port, so
# run one at a time.
Host ssm-ubuntu
ProxyCommand sh -c "aws ssm start-session --target i-02a77ad6f14b7c53c --region ap-southeast-2 --document-name AWS-StartPortForwardingSession --parameters '{\"portNumber\":[\"22\"],\"localPortNumber\":[\"22222\"]}'"
# No PTY: this session only keeps the tunnel alive.
RequestTTY no
# QUIET hides ssh's own errors for this host, so a failed aws/ssm start-up
# surfaces only as a silent exit; raise the level when debugging.
LogLevel QUIET
# ssm-rdp: not an SSH target. The ProxyCommand forwards the instance's RDP
# port 3389 to 127.0.0.1:3390; `ssh ssm-rdp` only holds that tunnel open and
# an RDP client is then pointed at localhost:3390. No SSH handshake can
# succeed here, so expect ssh to sit waiting until the session is closed.
Host ssm-rdp
ProxyCommand sh -c "aws ssm start-session --target i-031d9f7d853c64d32 --region ap-southeast-2 --document-name AWS-StartPortForwardingSession --parameters '{\"portNumber\":[\"3389\"],\"localPortNumber\":[\"3390\"]}'"
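# dynamic-forwarding: SSH through the local SSM tunnel on 127.0.0.1:22222
# (presumably opened by one of the ssm-* stanzas above) and expose a SOCKS5
# proxy on 127.0.0.1:1080.
Host dynamic-forwarding
HostName localhost
Port 22222
User ubuntu
IdentityFile ~/.ssh/mule_ed25519
# Look up and store the host key under this alias instead of "[localhost]:22222".
# The local port is shared by more than one tunnel target, so keying known_hosts
# on it produces spurious "host key changed" failures (apparently what the dyno
# twin below works around by discarding known_hosts). A mismatch under this
# alias means the tunnel now points at a different instance than last time —
# which is exactly the case worth stopping on. First connection after adding
# this line will prompt once as a new host.
HostKeyAlias dynamic-forwarding
# UserKnownHostsFile /dev/null
# SOCKS5 on loopback only (GatewayPorts is off); vbox and dyno use the same port.
DynamicForward 1080
# QUIET is below FATAL: a host-key verification failure on this host exits with
# no message at all. Raise the level when something does not connect.
LogLevel QUIET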
# dyno: same tunnel endpoint as dynamic-forwarding, but with known_hosts discarded.
Host dyno
Hostname localhost
User ubuntu
IdentityFile ~/.ssh/mule_ed25519
Port 22222
# /dev/null together with the default StrictHostKeyChecking (ask, nothing in
# "Host *" changes it) means every connection prompts for a key that is never
# remembered, so the only possible answer is a blind "yes". HostKeyAlias would
# give this stanza a stable known_hosts entry that is independent of the shared
# local port without giving up verification.
UserKnownHostsFile /dev/null
# SOCKS5 on 127.0.0.1:1080; same local port as vbox and dynamic-forwarding.
DynamicForward 1080
# fedora: direct connection to a public address; all policy comes from "Host *".
Host fedora
Hostname 16.176.206.202
User fedora
# NOTE(review): a .pem here is presumably a cloud-provider keypair — confirm the
# key type is one the "Host *" policy still allows. IdentitiesOnly (from Host *)
# restricts ssh to this file for this host.
IdentityFile ~/.ssh/terry-services-syd.pem
# --- Global Defaults (catch-all must be last — first match wins per parameter) ---
# Anything a per-host stanza above sets wins over the values here; anything it
# leaves unset falls through to these.
Host *
# Key exchange: post-quantum hybrid first, then modern curves, then strong DH.
# Negotiation takes the first entry the server also supports, so a server
# without the hybrid falls back to curve25519 rather than failing.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
# Host key algorithms: Ed25519 preferred, RSA with SHA-2 as fallback (no sha1 ssh-rsa).
# Certificate types are listed first. ECDSA and FIDO (sk-*) host keys are not
# listed, so a server that offers only those cannot be reached from this config.
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
# Symmetric ciphers in order of preference: AEAD first, CTR as fallback.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# MACs: encrypt-then-MAC only (drop non-ETM variants). Only used with the CTR
# ciphers above; the AEAD ciphers provide their own integrity protection.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# Authentication
# (yes is already the OpenSSH default; stated here so the intent is explicit)
PubkeyAuthentication yes
# KbdInteractiveAuthentication no
# PasswordAuthentication no # let's be honest...
# Offer only keys named by IdentityFile in this config (plus the defaults),
# never every key the agent holds — avoids leaking key identities to servers
# and hitting "too many authentication failures".
IdentitiesOnly yes
# Connection keepalive: probe every 30s; with the default ServerAliveCountMax
# of 3 a dead connection is dropped after about 90s.
ServerAliveInterval 30
#ServerAliveCountMax 3
# Multiplexing: reuse TCP connections for speed.
# NOTE(review): as configured this is inert — ControlMaster auto does nothing
# while ControlPath is unset (the default is none), so no connection sharing
# actually happens. To enable it: create ~/.ssh/sockets with mode 0700 first
# (ssh does not create it, and a missing directory makes connection setup
# fail), then uncomment ControlPath. %C hashes local host, remote host, port
# and user, which keeps the socket path short and keeps user@host out of the
# file name. Keep ControlPersist off unless a background master that holds an
# authenticated session after you log out is acceptable: any process running
# as this user can reuse that session through the socket.
ControlMaster auto
# ControlPath ~/.ssh/sockets/%C
# ControlPersist 600
# Display ASCII art visualization of host key fingerprint (at login and for
# unknown keys; suppressed on stanzas that set LogLevel QUIET).
VisualHostKey yes
# Store hostnames in plaintext for easier management
# Set to 'yes' if you want hashed entries to protect against known_hosts leaks
# Trade-off: a leaked known_hosts then lists every host this account reaches.
HashKnownHosts no
# Automatically add keys to ssh-agent on first use (needs a running agent;
# the passphrase is asked once per agent lifetime, not once per connection).
AddKeysToAgent yes
# QoS: low delay for interactive, throughput for bulk
IPQoS lowdelay throughput
# macOS: store passphrases in Keychain
#UseKeychain yes
# --- Legacy notes kept from earlier revisions; nothing below is active ---
# key exchange algorithms
# client authentication
# PasswordAuthentication no
# host key algorithms the client wants to use in order of preference
# symmetric ciphers in order of preference
# Message Authentication Code algorithms in order of preference for data integrity protection
# Speed up SSH session creation
# by sharing multiple sessions over a single network connection
# reuse already established TCP connection
# ControlMaster auto
# ControlPath ~/.ssh/sockets/%r@%h-%p
# ControlPersist 600
# Disable roaming explicitly anyway for good
# Useroaming no # Disabled after upgrading to macOS Sierra
# Ensure KnownHosts are unreadable if leaked
# otherwise it is easier to know which hosts your keys have access to
# macOS Sierra - add passphrases to keychain
# UseKeychain yes
# Load keys into ssh-agent