|
4 | 4 | # for the options to be applied properly to the hosts defined in other files. |
5 | 5 | # https://superuser.com/a/1142813 |
6 | 6 |
|
| 7 | +# For documentation on how to configure SSH, please see these pages: |
| 8 | +# https://www.ssh.com/academy/ssh/config |
| 9 | +# https://linux.die.net/man/5/ssh_config |
| 10 | + |
| 11 | +# Use only the keys configured in the SSH config files, even if the SSH agent offers more identities. |
7 | 12 | IdentitiesOnly yes |
8 | 13 |
|
9 | 14 | # Non-Windows systems |
@@ -49,11 +54,40 @@ Match exec "uname -a | grep 'Linux'" |
49 | 54 |
|
50 | 55 | ControlPersist 10m |
51 | 56 |
|
| 57 | +# Ignore the UseKeychain option on non-macOS systems, |
| 58 | +# as it's a custom patch by Apple for OpenSSH on macOS and is not supported on other platforms. |
| 59 | +# https://words.theresnotime.co.uk/2023/ssh-bad-configuration-option-usekeychain/ |
| 60 | +IgnoreUnknown UseKeychain |
| 61 | + |
52 | 62 | Host * |
| 63 | + # Automatically add SSH keys to the agent when needed. |
| 64 | + # This is necessary on macOS to use SSH keys from Apple Keychain. |
| 65 | + # https://bad.network/basic-ssh-keys-part-2-agent-forwarding-adding-keys.html |
| 66 | + AddKeysToAgent yes |
| 67 | + |
53 | 68 | # FIDO2 support for Windows |
54 | 69 | # SecurityKeyProvider winhello.dll |
55 | 70 |
|
56 | 71 | # This prevents connection timeouts |
57 | 72 | ServerAliveInterval 25 |
58 | 73 | # This is already set by default. |
59 | 74 | # ServerAliveCountMax 3 |
| 75 | + |
| 76 | + # Check the host key of the server against the known hosts file, and refuse to connect if it has changed. |
| 77 | + # The default value is "ask". |
| 78 | + # https://www.eukhost.com/kb/how-to-enable-stricthostkeychecking-in-ssh/ |
| 79 | + # StrictHostKeyChecking ask |
| 80 | + |
| 81 | + # Use Apple Keychain on macOS |
| 82 | + # https://apple.stackexchange.com/a/250572 |
| 83 | + # https://blog.fernvenue.com/archives/how-to-use-keychain-for-ssh-on-macos/ |
| 84 | + UseKeychain yes |
| 85 | + |
| 86 | + # Use SSHFP DNS records, if available, to verify the identity of the server. |
| 87 | + # If the DNS record is not signed with DNSSEC or the client does not use DNSSEC, |
| 88 | + # then fall back to the default behavior of asking the user to verify the host key |
| 89 | + # and storing it in the known hosts file. |
| 90 | + # When this is set to "ask", |
| 91 | + # the user will still need to confirm new host keys according to the StrictHostKeyChecking option. |
| 92 | + # https://en.wikipedia.org/wiki/SSHFP_record |
| 93 | + VerifyHostKeyDNS ask |
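Review bot: `AddKeysToAgent yes` under `Host *` (new line 66) adds every identity that gets used to the running agent with the agent's default lifetime and no per-use confirmation, so the keys stay usable by any later agent-forwarded or otherwise agent-reaching session until the agent exits; ssh_config(5) also accepts `AddKeysToAgent confirm` (each use must be confirmed) and, in recent OpenSSH, a lifetime interval, either of which bounds that exposure while still covering the macOS Keychain case the comment describes. `VerifyHostKeyDNS ask` (line 93) only annotates the host-key prompt, but the comment above it reads as though an unsigned SSHFP record "falls back" to the default, implying a signed one would do more; with `ask` the DNS lookup never accepts a host key on its own, so consider replacing that comment block with `# With "ask", a matching SSHFP record is reported at the host-key prompt but never replaces the StrictHostKeyChecking decision; only "yes" with a DNSSEC-validated record auto-accepts.` The `Host *` block opened at line 62 appears to continue past the end of the hunk.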