diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml
index d33a8a1..136bf95 100644
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -37,6 +37,17 @@
     mode: "u=rw,g=r,o=r"
   notify: reassemble sshd config
 
+- name: Upload main ssh_config
+  template:
+    src: 0_main.ssh_config
+    dest: "{{ global_ssh_configuration_environment_directory }}/0_main.ssh_config"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+  notify: reassemble ssh config
+  tags:
+    - ssh_config
+
 - name: Collect ssh host keys
   command: "cat /etc/ssh/ssh_host_{{ item | quote }}_key.pub"
   loop: "{{ ssh_host_key_types }}"
diff --git a/roles/common/templates/0_main.ssh_config b/roles/common/templates/0_main.ssh_config
new file mode 100644
index 0000000..a895641
--- /dev/null
+++ b/roles/common/templates/0_main.ssh_config
@@ -0,0 +1,51 @@
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+#   ForwardAgent no
+#   ForwardX11 no
+#   ForwardX11Trusted yes
+#   PasswordAuthentication yes
+#   HostbasedAuthentication no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+#   IdentityFile ~/.ssh/id_ecdsa
+#   IdentityFile ~/.ssh/id_ed25519
+#   Port 22
+#   Protocol 2
+#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+#   VisualHostKey no
+#   ProxyCommand ssh -q -W %h:%p gateway.example.com
+#   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    VerifyHostKeyDNS yes