# This is Karl Kornel's SSH configuration file.  Last update 2015-04-17.
# If you make changes to the stanford.edu or global sections, please let
# Karl know!  Email akkornel@stanford.edu with a diff, and an explanation of
# the changes (and why you made them).

# This file is set up specifically for Debian 7 (wheezy).
# It is online at http://web.stanford.edu/~akkornel/ssh_config.debian-wheezy.txt
# The master version is at http://web.stanford.edu/~akkornel/ssh_config.txt

# WARNING: Before you use this file, replace all instances of "akkornel" with
# WARNING: your own username.

# The way SSH parses configuration files, once an option has been set, future
# occurrences of the option will be ignored.  So, put the most global stuff at
# the very bottom, and the most host-specific stuff at the top.
# Because of this, it's better to read the file from the bottom up.

# Remember, read this file from the bottom up!

# We have special configuration for luckdragon and dr, since they are the
# bastion hosts.
Host luckdragon luckdragon.stanford.edu dr dr.stanford.edu
    # Use port 44 instead of the default
    Port 44

    # Explicitly allow keyboard-interactive authentication for Duo
    KbdInteractiveAuthentication yes

    # Since we are connecting directly to luckdragon/dr, do not proxy!
    ProxyCommand none

    # Start a SOCKS5 proxy on your local (client) machine.  Good for proxying
    # web and other traffic, when you're not on Stanford's network.
    DynamicForward localhost:1080

# Some Stanford systems do not need to go through luckdragon
Host blargh.stanford.edu git.stanford.edu
    ProxyCommand none

# This is Stanford-specific configuration
Host *.stanford.edu *.SUNet
    # Enable GSSAPI (Kerberos) authentication.
    GSSAPIAuthentication yes

    # You could disable all auth methods except for GSSAPI, but that might be
    # going too far.
    # NOTE: You'll need to keep KbdInteractiveAuthentication turned on for
    # systems that use two-step authentication.
    #PasswordAuthentication no
    #PubkeyAuthentication no
    #KbdInteractiveAuthentication no
    #HostbasedAuthentication no
    #ChallengeResponseAuthentication no

    # Use GSSAPI key exchange when possible.
    # (If this works, you won't need to explicitly trust many host keys!)
    # WINDOWS: This is not supported at all, so comment it out.
    GSSAPIKeyExchange yes

    # Forward your credentials to the remote side (if possible).
    # (This won't work with non-forwardable root/admin/sunet principals.)
    GSSAPIDelegateCredentials yes

    # When logging out, destroy the remote Kerberos credentials cache.
    # This setting is not recognized in wheezy.
    # WINDOWS: This might not be supported, so comment it out.
    #GSSAPICleanupCredentials yes

    # Push updated GSSAPI credentials every time the connection re-keys.
    # This helps keep the remote credentials cache up to date.
    # This setting is not recognized in wheezy.
    # WINDOWS: This might not be supported, so comment it out.
    #GSSAPIStoreCredentialsOnRekey yes

    # Do not use DNS to canonicalize host names into FQDNs.
    # (This setting causes weirdness with Control Master.)
    # WINDOWS: This is not supported at all, so comment it out.
    GSSAPITrustDns no

    # Only use one TCP connection for all traffic to a host.
    # WARNING!  For this to work you need to have your own directory inside
    # /srv/scratch on the system initiating the connection (your workstation),
    # AND on the bastion host (luckdragon and dr).
    # The permissions on the ControlPath socket file are 600, so maybe you
    # could use /tmp.
    # WINDOWS: Change ControlPath to point to /tmp, instead of /srv/scratch.
    # MACOSX: You will also need to change ControlPath.
    ControlMaster auto
    ControlPath /srv/scratch/akkornel/.ssh_cpath_%r@%h:%p

    # Since most hosts are firewalled, send all connections through luckdragon.
    # If luckdragon is down, switch to the second line, to go through dr.
    # WINDOWS: Use the third option, which uses the SecureCRT-created proxy.
    ProxyCommand ssh -p 44 luckdragon.stanford.edu nc -w 1 %h %p
    #ProxyCommand ssh -p 44 dr.stanford.edu nc -w 1 %h %p
    #ProxyCommand nc -X 5 -x 127.0.0.1:1080 %h %p

# Set some sane global defaults
Host *
    # To be clear, use SSH version 2 only.
    Protocol 2

    # Set the list of allowed ciphers.
    # We prefer modern stream ciphers over block ciphers, then we prefer larger
    # key sizes, and then we prefer GCM over CTR over CBC.
    # RC4 is intentionally left out of the list.
    Ciphers aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,cast128-cbc

    # Set the list of allowed key exchange methods.
    # We prefer curve25519-sha256@libssh.org, and also the larger DH groups.
    # We do not allow the NIST P-series curves.
    # GSSAPI key-exchange is turned on separately.
    # Unfortunately, a bug in GSSAPIKeyExchange means we can't use this line!
    # (See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777549)
    #KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

    # Set the list of allowed MACs.
    # We prefer encrypt-then-mac, and then we prefer larger hash sizes.
    MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1

    # If there hasn't been any activity for 4 minutes, send a packet to make
    # sure the connection is up.  This also keeps the firewall from timing out
    # our connection.
    ServerAliveInterval 240

    # By default, SSH does not forward agent or X11 connections, but be sure.
    ForwardAgent no
    ForwardX11 no
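The "first value wins, so read the file from the bottom up" rule is the thing most likely to bite someone editing this file: if the bastion stanza were moved below the `*.stanford.edu` stanza, luckdragon would inherit the `ProxyCommand` that routes through luckdragon itself. The following Python is an added illustration, not part of Karl's file or of OpenSSH; it embeds a constructed subset of the stanzas above, resolves the effective options for a hostname using OpenSSH's first-match-wins semantics, and shows what happens when the stanza order is reversed. The pattern matcher is an approximation (`*` and `?` wildcards, case-insensitive, `!` negation) and the helper names are the example's own.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# Constructed subset of the page's ssh_config, in the page's order:
# host-specific stanzas first, the "Host *" defaults last.
SAMPLE_CONFIG = """
Host luckdragon luckdragon.stanford.edu dr dr.stanford.edu
    Port 44
    KbdInteractiveAuthentication yes
    ProxyCommand none
    DynamicForward localhost:1080

Host blargh.stanford.edu git.stanford.edu
    ProxyCommand none

Host *.stanford.edu *.SUNet
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    ProxyCommand ssh -p 44 luckdragon.stanford.edu nc -w 1 %h %p

Host *
    Protocol 2
    ServerAliveInterval 240
    ForwardAgent no
    ForwardX11 no
"""

Stanza = Tuple[List[str], Dict[str, str]]


def parse_config(text: str) -> List[Stanza]:
    """Split an ssh_config into (host_patterns, options) stanzas, in file order.

    Options that appear before any Host line belong to an implicit "Host *".
    Option keywords are case-insensitive, and a keyword repeated inside one
    stanza keeps its first value, just as OpenSSH does.
    """
    stanzas: List[Stanza] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            stanzas.append((value.split(), {}))
        else:
            stanzas[-1][1].setdefault(key, value)
    return stanzas


def host_matches(patterns: List[str], hostname: str) -> bool:
    """Approximate OpenSSH Host matching: any positive pattern must match and
    no negated ('!') pattern may match. Wildcards are '*' and '?'."""
    name = hostname.lower()
    matched = False
    for pattern in patterns:
        negate = pattern.startswith("!")
        body = pattern[1:] if negate else pattern
        if fnmatch.fnmatchcase(name, body.lower()):
            if negate:
                return False
            matched = True
    return matched


def resolve(text: str, hostname: str) -> Dict[str, str]:
    """Effective options for hostname: walk stanzas top to bottom and keep the
    FIRST value seen for each keyword. Later stanzas only fill in gaps."""
    effective: Dict[str, str] = {}
    for patterns, options in parse_config(text):
        if host_matches(patterns, hostname):
            for key, value in options.items():
                effective.setdefault(key, value)
    return effective


def reverse_stanzas(text: str) -> str:
    """Rebuild the config with its Host stanzas in the opposite order, to show
    why putting the global stanza first breaks the host-specific ones."""
    blocks = re.split(r"\n(?=Host )", text.strip())
    return "\n".join(reversed(blocks))


if __name__ == "__main__":
    for host in ("luckdragon.stanford.edu", "foo.stanford.edu", "example.org"):
        opts = resolve(SAMPLE_CONFIG, host)
        print(f"{host}: Port={opts.get('port', '22 (default)')} "
              f"ProxyCommand={opts.get('proxycommand', '(none set)')}")
    broken = resolve(reverse_stanzas(SAMPLE_CONFIG), "luckdragon.stanford.edu")
    # With "Host *.stanford.edu" above the bastion stanza, the bastion's own
    # "ProxyCommand none" is ignored and it would try to proxy through itself.
    print("reversed order, luckdragon ProxyCommand:", broken["proxycommand"])
```

On OpenSSH 6.8 and later, `ssh -G hostname` prints the effective configuration the real client would use and is the authoritative way to check this; wheezy's OpenSSH predates that option, which is why a resolver like the one above is a useful sanity check when reordering stanzas.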