From 0f9e72ed1476016fe7b6d6b44b8cab1df9b5b697 Mon Sep 17 00:00:00 2001
From: "A. Karl Kornel" <akkornel@stanford.edu>
Date: Mon, 24 Oct 2016 15:24:18 -0700
Subject: [PATCH] ssh::config::sshd: Disable ed25519 by default, for older
 OSes.

Newer OSes should enable this globally in Hiera.
---
 README.ssh                   | 3 ++-
 manifests/ssh/config/sshd.pp | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.ssh b/README.ssh
index 2edf37b..596dd21 100644
--- a/README.ssh
+++ b/README.ssh
@@ -41,6 +41,7 @@ made (customizeable parameters are called out):
 * Listen on all addresses ('listen_addresses', a comma-separated string).
 * Disable SSHv1.
 * Only use RSA host keys.
+* Ed25519 host keys are not used ('ed25519', a boolean).
 * Increase the login timeout to 5 minutes.
 * Limit authentication attempts to 5 ('max_tries', an integer).
 * On RHEL-type systems, expicitly enable privilege separation.
@@ -58,7 +59,7 @@ made (customizeable parameters are called out):
 
 For the default SSH client configuration, GSSAPI is enabled, and on RHEL 
 6+ GSSAPI key-exchange and GSSAPI DNS trust are enabled.  That's it.
-  
+
 base::ssh can also be configured to require Duo as a second authentication 
 factor.  To enable this, set the "pam_duo" parameter to true.  When you do 
 that, the following changes are made:
diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index dbe2f51..4a503d5 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -30,7 +30,7 @@
 define base::ssh::config::sshd(
   $ensure            = 'present',
   $gitolite          = false,
-  $ed25519           = true,
+  $ed25519           = false,
   $hostbased         = false,
   $pubkey            = false,
   $password          = true,
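Review bot: The flipped `$ed25519` default on the new side carries no comment explaining why a modern host-key type is now off, so the rationale lives only in the commit message and a reader of sshd.pp will see it as an arbitrary choice. The README hunk (L20-21) states that with this flag off only RSA host keys are used, so the compatibility default means any host without the Hiera override presents RSA host keys alone — worth recording next to the parameter so the override is not forgotten when a newer OS is added. I would add above the parameter: `# Off by default for older OSes that cannot use Ed25519 host keys;` / `# newer OSes should set this to true globally in Hiera (see README.ssh).` The define's parameter list and body continue past the end of this hunk, so I cannot see whether the flag is documented elsewhere in the file.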
-- 
GitLab