ssh_config

# To use this config as a user, copy it to ~/.ssh/config
# To use this config host-wide, copy it to /etc/ssh/ssh_config
#
# This file is parsed from the most specific to least specific hosts. This is
# the order in which OpenSSH will evaluate it. If multiple configuration values
# match, only the first matched value is used and the remainder is ignored.

host example
    hostname ssh.example.com
    user alice
    IdentityFile ~/.ssh/id_ed25519

host example2
    hostname 1.2.3.4
    user bob
    IdentityFile ~/.1password/agent.sock

host *
    # Prefer public key based authentication over everything else.
    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no

    # These algorithms are supported on modern operating systems. If any of
    # these choices do not work, consult your local man page ('man ssh_config')
    # to see your system's support.
    #
    # Note to self: Revisit around ~2024.
    Ciphers aes256-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

    # Prevents minor accidents
    ForwardAgent no
    ForwardX11 no

    # Overwrites default timeout to be something reasonable
    ConnectTimeout 3

    # All SSH connections must be setup separately
    ControlMaster no
    ControlPath none

    # Obfuscate 'known_hosts' entries using SHA1.
    HashKnownHosts yes

    # Prevent disconnects
    TCPKeepAlive yes
    ServerAliveInterval 5
    ServerAliveCountMax 6

    # Support 1Password socket.
    IdentityAgent ~/.1password/agent.sock