Commit 0f9e72ed authored by Karl Kornel

ssh::config::sshd: Disable ed25519 by default, for older OSes.

Newer OSes should enable this globally in Hiera.
parent 5c5edd9e
......@@ -41,6 +41,7 @@ made (customizeable parameters are called out):
* Listen on all addresses ('listen_addresses', a comma-separated string).
* Disable SSHv1.
* Only use RSA host keys.
* Ed25519 host keys are not used ('ed25519', a boolean).
* Increase the login timeout to 5 minutes.
* Limit authentication attempts to 5 ('max_tries', an integer).
* On RHEL-type systems, expicitly enable privilege separation.
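Review bot: The added bullet "Ed25519 host keys are not used ('ed25519', a boolean)" documents only the new default, and it sits directly under "Only use RSA host keys.", which stops being accurate as soon as someone sets the parameter to true. Suggest folding the two bullets into one that gives the default value (false) and says what setting 'ed25519' to true changes, so the README and the parameter cannot drift apart.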
......@@ -58,7 +59,7 @@ made (customizeable parameters are called out):
For the default SSH client configuration, GSSAPI is enabled, and on RHEL
6+ GSSAPI key-exchange and GSSAPI DNS trust are enabled. That's it.
base::ssh can also be configured to require Duo as a second authentication
factor. To enable this, set the "pam_duo" parameter to true. When you do
that, the following changes are made:
......@@ -30,7 +30,7 @@
define base::ssh::config::sshd(
$ensure = 'present',
$gitolite = false,
$ed25519 = true,
$ed25519 = false,
$hostbased = false,
$pubkey = false,
$password = true,
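Review bot: Flipping the default at "$ed25519 = false" changes behaviour for every existing declaration of base::ssh::config::sshd that relied on the old default of true, not only for older OSes. Hosts that were using Ed25519 host keys will stop doing so on the next run unless they are overridden, and clients that recorded only the Ed25519 key for such a host may be asked to trust a different host key. Since this is a define, a value set "globally in Hiera" has to be looked up and passed in by whatever declares it, and that path is not visible in this diff. Consider deriving the default from the OS release instead of a hard-coded false, or at least noting next to the parameter that newer OSes are expected to set it to true.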