#	$OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
# Restrict the client to SSH protocol version 2; protocol 1 is never
# offered.  The commented Cipher entry below is a protocol-1-only
# option and is left at the upstream default.
Protocol 2
#   Cipher 3des

# Specifies the available KEX (Key Exchange) algorithms.
# Multiple algorithms must be comma-separated.  The order is the
# client's preference: the first algorithm the server also supports is
# selected, so the strongest entries are listed first.
# NOTE(review): the tail of the list keeps the SHA-1 based exchanges,
# including diffie-hellman-group1-sha1 (1024-bit group), which recent
# OpenSSH releases no longer enable by default.  They are only reached
# when a server offers nothing from the stronger entries ahead of them;
# confirm whether any peer still needs them, otherwise trimming the
# list removes that fallback.
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

# Specifies the ciphers allowed for protocol version 2.  Multiple
# ciphers must be comma-separated; the order is the client's
# preference, the first cipher the server also supports is selected.
# The default is to support all including the CBC ciphers.
# JITC requires that CBC ciphers not be supported so they are
# removed while in JITC mode.  This is what is supported in JITC mode
# These ciphers require openSSH to be built with this OPENSSL_HAVE_EVPGCM - we currently don't do this
# so these are not included in the JITC default
# aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
# NOTE(review): the value below does not match the description above.
# It still lists every CBC cipher (aes128-cbc, 3des-cbc, blowfish-cbc,
# cast128-cbc, aes192-cbc, aes256-cbc, rijndael-cbc@lysator.liu.se)
# plus the arcfour variants, and it also names aes128-gcm@openssh.com,
# aes256-gcm@openssh.com and chacha20-poly1305@openssh.com.  If the
# build really lacks OPENSSL_HAVE_EVPGCM, the GCM names are unknown to
# the client and, as far as I can tell, the whole Ciphers line is then
# rejected at parse time ("Bad SSH2 cipher spec") -- verify on the
# target build.  Confirm which profile (JITC or not) this file is meant
# to be and trim the list accordingly; the CBC/arcfour entries only act
# as a fallback for servers offering nothing from the CTR/AEAD set
# ahead of them.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

# Specifies the MACs allowed for protocol version 2.  Multiple
# macs must be comma-separated; the order is the client's preference.
# The default is to support all, including the MD5 and 96-bit MACs.
# JITC requires that MD5 96-bit algorithms not be supported so they are
# removed while in JITC mode.  This is what is supported in JITC mode
# NOTE(review): hmac-md5-96-etm@openssh.com and hmac-md5-96 are still
# present in the value below, together with hmac-md5 and the truncated
# hmac-sha1-96 variants, so the list does not match the JITC note
# above; confirm which profile this file is meant to be.  The -etm
# (encrypt-then-MAC) forms are listed ahead of the plain ones and are
# the preferred choice when the server supports them.
MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

#   EscapeChar ~
# X.509 patch option: the certificate purpose the server's X.509
# certificate is validated against (presumably mapped to OpenSSL's
# "sslserver" purpose check -- confirm against the patched
# ssh_config(5)).
AllowedCertPurpose sslserver

# Specifies supported x509 key algorithms
# Each entry appears to be "<X.509 signature algorithm>,<digest>[,<ssh
# signature algorithm>]" -- TODO confirm the field layout and whether
# the first entry per key type acts as the default, per the patched
# ssh_config(5).
# NOTE(review): the rsa and dss entries are bound to SHA-1 digests
# (rsa-sha1, dss-asn1 over DSA) while the ECDSA entries use SHA-2.
# The rsa and dss lines also carry trailing whitespace; the option
# parser most likely discards it, but it is worth trimming.
X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 
X509KeyAlgorithm x509v3-sign-dss,dss-asn1                                       
X509KeyAlgorithm x509v3-ecdsa-sha2-nistp256,sha256,ecdsa-sha2-nistp256
X509KeyAlgorithm x509v3-ecdsa-sha2-nistp384,sha384,ecdsa-sha2-nistp384
X509KeyAlgorithm x509v3-ecdsa-sha2-nistp521,sha512,ecdsa-sha2-nistp521

# Specifies whether a self-issued (self-signed) X.509 certificate can be
# allowed only by an entry in AuthorizedKeysFile that contains the
# matching public key or certificate blob.
#KeyAllowSelfIssued no

# Specifies whether a CRL must be present in the store for all
# certificates in the certificate chain that carry the
# "cRLDistributionPoints" attribute.
#MandatoryCRL no

# A file with multiple certificates of certificate signers
# in PEM format concatenated together.
#CACertificateFile /flash0/cert/ca/ca-bundle.crt

# A directory with certificates of certificate signers.
# The certificates should have name of the form: [HASH].[NUMBER]
# or have symbolic links to them of this form.
# These are the trust anchors used to validate the server's X.509
# certificate.  The same directory is named for CARevocationPath below,
# so CA certificates and CRLs are looked up side by side.  With
# CACertificateFile above commented out, this directory appears to be
# the only configured trust-anchor source.
CACertificatePath /flash0/cert/ca

# A file with multiple CRLs of certificate signers
# in PEM format concatenated together.
#CARevocationFile /flash0/cert/ca/ca-bundle.crl

# A directory with CRL of certificate signers.
# The CRL should have name of the form: [HASH].r[NUMBER]
# or have symbolic links to them of this form.
# With VAType set to none below and MandatoryCRL left commented out,
# the CRLs placed here are the only revocation check applied; if
# MandatoryCRL really defaults to "no" as its comment suggests, a
# missing CRL is not treated as an error -- confirm in the patched
# ssh_config(5) if strict revocation checking is required.
CARevocationPath /flash0/cert/ca

# SSH can use "Online Certificate Status Protocol" (OCSP)
# to validate certificates. Set VAType to
#  - none    : do not use OCSP to validate certificates;
#  - ocspcert: validate only certificates that specify `OCSP
#      Service Locator' URL;
#  - ocspspec: use specified in the configuration 'OCSP Responder'
#      to validate all certificates.
# OCSP is disabled here, so certificate revocation is checked only
# through the CRL files under CARevocationPath above.
VAType none

# VAOCSPResponderURL: the 'Access Location' / 'OCSP Service Locator' URL of the OCSP provider.
# Used when VAType is set to "ocspspec".
#VAOCSPResponderURL

# Host key types the client will accept, in order of preference.
# NOTE(review): ssh-dss (1024-bit DSA) is listed first and is therefore
# the preferred type; OpenSSH has disabled ssh-dss by default since
# release 7.0 because of its fixed small key size.  Moving ssh-ed25519
# and the ECDSA/RSA types ahead of it -- or dropping ssh-dss if no
# server still relies on it -- avoids preferring the weakest key type.
HostKeyAlgorithms ssh-dss,ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

#PasswordAuthentication no

#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
# Renegotiate the session key after 1G of data or one hour,
# whichever limit is reached first.
RekeyLimit 1G 1h
#   GatewayPorts no
