Diffstat (limited to '.ssh/config.d/0000-all.conf')
| -rw-r--r-- | .ssh/config.d/0000-all.conf | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/.ssh/config.d/0000-all.conf b/.ssh/config.d/0000-all.conf
new file mode 100644
index 0000000..7a69c2a
--- /dev/null
+++ b/.ssh/config.d/0000-all.conf
@@ -0,0 +1,29 @@
+# vim:syntax=sshconfig:ts=4
+# in case of no ssh-agent:
+#IdentityFile ~/.ssh/id_ed25519
+#IdentityFile ~/.ssh/id_rsa
+# ...place that inside an extra .conf file.
+SendEnv LANG LC_* MUTTEXEC
+HashKnownHosts yes
+ForwardAgent yes
+#ControlMaster auto
+#ControlPath /run/user/%i/ssh/cm-%r@%h:%p
+
+# ControlMaster: to use SSH multiplexing with ProxyCommand (e.g. to reach host b through host a)
+# Host b
+# Hostname b.example.com
+# ProxyCommand ssh a.example.com -W %h:%p
+# # controlpath, controlmaster are the same as above
+#
+# For older SSH daemons: RSA SHA-1 is being quickly deprecated across OSes for various security
+# vulnerabilities. If you need to re-enable that (e.g. for hardware like network devices which are
+# often prone to vulnerabilities due to slow upgrading), you can re-enable this and you SHOULD do
+# this ONLY for specific hosts. (Yes, this ofc also affects clients - which it did on an Arch Linux here.)
+# Also see https://www.openssh.com/txt/release-8.2
+# In any case you should check whether your device understands rsa-sha2-* signature algorithms. While
+# testing this, I found out that "ssh-keygen -trsa" made my keys SHA-1 so far – you might want to change
+# that to "-t rsa-sha2-256" or whatever and check whether you can still connect to the RSA requiring hosts.
+# If you have a proper naming convention for your devices, you can still easily wildcard this. If you
+# don't, you either don't have many devices or you moronically did not think device names through. ;-)
+# Host sophos* *-mik-*
+# PubkeyAcceptedKeyTypes +ssh-rsa |
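Review bot: `ForwardAgent yes` sits above any `Host` line in a file named 0000-all.conf, so it presumably applies to every host you connect to (unless the including config scopes it), and any remote host where someone else holds root can then use your agent for as long as the session is open. I would set `ForwardAgent no` here and enable it only under a `Host` block for the few machines that need it; the `ProxyCommand ssh a.example.com -W %h:%p` pattern already shown in the comments reaches host b without forwarding the agent at all. The same scoping question applies to `SendEnv ... MUTTEXEC`, which offers that variable to every server. On the SHA-1 comment: an RSA key file carries no hash choice, since ssh-rsa versus rsa-sha2-* is the signature algorithm negotiated at authentication time, so the comment could say "check that client and device both support rsa-sha2-256/512" rather than suggest regenerating keys. Newer OpenSSH releases name the option `PubkeyAcceptedAlgorithms`, with `PubkeyAcceptedKeyTypes` kept as an alias, which is worth a word in the comment.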
