sshconfig/config

Include ~/.ssh/yplatform/config.github
Include ~/.ssh/yplatform/config.gitlab
Include ~/.ssh/yplatform/config.sourcehut

IgnoreUnknown UseKeychain

# see https://infosec.mozilla.org/guidelines/openssh#OpenSSH_client#openssh-client
Host *
    HashKnownHosts yes
    # Host keys the client accepts - order here is honored by OpenSSH
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
    KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# see https://stribika.github.io/2015/01/04/secure-secure-shell.html
Host *
    ChallengeResponseAuthentication no
    # Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    # HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
    # MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    PasswordAuthentication no
    PubkeyAuthentication yes
    Protocol 2
    UseRoaming no

# see https://github.com/dolmen/github-keygen
Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
    # ControlPersist yes
    ControlPersist 60s
    ForwardAgent no
    ForwardX11 no
    LogLevel INFO
    PermitLocalCommand no
    PreferredAuthentications publickey
    PubkeyAuthentication yes
    UseKeychain yes
    UseRoaming no

# misc
Host *
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    ServerAliveCountMax 0
    ServerAliveInterval 600
    StrictHostKeyChecking ask
    UpdateHostKeys ask
    VerifyHostKeyDNS yes

Host *.tmate.io
    ControlMaster no
    ControlPath no
    ControlPersist no

# allow one-off ssh login with something else than public keys
Host withpassword
    HostName insert-hostname-here.example.com
    PasswordAuthentication yes
    PreferredAuthentications gssapi-with-mic,hostbased,publickey,keyboard-interactive,password