ssh::config::sshd: Disable ed25519 by default, for older OSes.

Newer OSes should enable this globally in Hiera.

ssh::config::sshd: Disable ed25519 by default, for older OSes.
Newer OSes should enable this globally in Hiera.
0f9e72ed · Karl Kornel · 5c5edd9e · 0f9e72ed · 0f9e72ed
Commit 0f9e72ed authored Oct 24, 2016 by Karl Kornel
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

README.ssh README.ssh +2 -1

manifests/ssh/config/sshd.pp manifests/ssh/config/sshd.pp +1 -1

No files found.
--- a/README.ssh
+++ b/README.ssh
@@ -41,6 +41,7 @@ made (customizeable parameters are called out):
 * Listen on all addresses ('listen_addresses', a comma-separated string).
 * Disable SSHv1.
 * Only use RSA host keys.
+* Ed25519 host keys are not used ('ed25519', a boolean).
 * Increase the login timeout to 5 minutes.
 * Limit authentication attempts to 5 ('max_tries', an integer).
 * On RHEL-type systems, expicitly enable privilege separation.
@@ -58,7 +59,7 @@ made (customizeable parameters are called out):

 For the default SSH client configuration, GSSAPI is enabled, and on RHEL 
 6+ GSSAPI key-exchange and GSSAPI DNS trust are enabled.  That's it.
-  
+
 base::ssh can also be configured to require Duo as a second authentication 
 factor.  To enable this, set the "pam_duo" parameter to true.  When you do 
 that, the following changes are made:

--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -30,7 +30,7 @@
 define base::ssh::config::sshd(
  $ensure            = 'present',
  $gitolite          = false,
-  $ed25519           = true,
+  $ed25519           = false,
  $hostbased         = false,
  $pubkey            = false,
  $password          = true,