Commit 0f9e72ed authored by Karl Kornel

ssh::config::sshd: Disable ed25519 by default, for older OSes.

Newer OSes should enable this globally in Hiera.
parent 5c5edd9e
...@@ -41,6 +41,7 @@ made (customizeable parameters are called out): ...@@ -41,6 +41,7 @@ made (customizeable parameters are called out):
* Listen on all addresses ('listen_addresses', a comma-separated string). * Listen on all addresses ('listen_addresses', a comma-separated string).
* Disable SSHv1. * Disable SSHv1.
* Only use RSA host keys. * Only use RSA host keys.
* Ed25519 host keys are not used ('ed25519', a boolean).
* Increase the login timeout to 5 minutes. * Increase the login timeout to 5 minutes.
* Limit authentication attempts to 5 ('max_tries', an integer). * Limit authentication attempts to 5 ('max_tries', an integer).
* On RHEL-type systems, expicitly enable privilege separation. * On RHEL-type systems, expicitly enable privilege separation.
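Review bot: the new bullet "Ed25519 host keys are not used ('ed25519', a boolean)" sits directly under "Only use RSA host keys", and the two now disagree whenever the parameter is set to true, since enabling it means host keys are no longer RSA-only. Suggest folding them into one bullet that states the default the way the neighbouring bullets do, e.g. "Use RSA host keys; optionally also Ed25519 host keys ('ed25519', a boolean, default false)", and mention here, not only in the commit message, that newer OSes are expected to turn it on.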
...@@ -58,7 +59,7 @@ made (customizeable parameters are called out): ...@@ -58,7 +59,7 @@ made (customizeable parameters are called out):
For the default SSH client configuration, GSSAPI is enabled, and on RHEL For the default SSH client configuration, GSSAPI is enabled, and on RHEL
6+ GSSAPI key-exchange and GSSAPI DNS trust are enabled. That's it. 6+ GSSAPI key-exchange and GSSAPI DNS trust are enabled. That's it.
base::ssh can also be configured to require Duo as a second authentication base::ssh can also be configured to require Duo as a second authentication
factor. To enable this, set the "pam_duo" parameter to true. When you do factor. To enable this, set the "pam_duo" parameter to true. When you do
that, the following changes are made: that, the following changes are made:
......
...@@ -30,7 +30,7 @@ ...@@ -30,7 +30,7 @@
define base::ssh::config::sshd( define base::ssh::config::sshd(
$ensure = 'present', $ensure = 'present',
$gitolite = false, $gitolite = false,
$ed25519 = true, $ed25519 = false,
$hostbased = false, $hostbased = false,
$pubkey = false, $pubkey = false,
$password = true, $password = true,
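Review bot: flipping the default of `$ed25519` from `true` to `false` in a defined type will not be picked up from Hiera the way the commit message expects: Puppet's automatic parameter lookup applies to class parameters only, not to `define` parameters, so a global Hiera key for `base::ssh::config::sshd::ed25519` leaves this default at `false` unless the calling class looks the value up and passes `ed25519 => ...` explicitly, or the default itself becomes an explicit `lookup()`. Since the stated motivation is older OSes, a default derived from an OS or OpenSSH-version fact would also avoid silently disabling Ed25519 host keys on every existing caller that currently relies on the `true` default.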
......