From ac2fb6ee4f93b92b0bc30a5ecfcb54566610dfaa Mon Sep 17 00:00:00 2001
From: Adam Seishas <aseishas@stanford.edu>
Date: Mon, 22 Aug 2016 15:05:09 -0700
Subject: [PATCH] ssh::config::sshd: Add parameters to selectively enable
 Ed25519 host keys and/or disable password authentication

---
 manifests/ssh/config/sshd.pp  | 2 ++
 templates/ssh/sshd_config.erb | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index a9bf157..dbe2f51 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -30,8 +30,10 @@
 define base::ssh::config::sshd(
   $ensure            = 'present',
   $gitolite          = false,
+  $ed25519           = true,
   $hostbased         = false,
   $pubkey            = false,
+  $password          = true,
   $content           = undef,
   $source            = undef,
   $max_tries         = 5,
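Review bot: The two new parameters `$ed25519` and `$password` are added without any documentation; the define's header comment sits above the hunk (outside SOURCE) and should list them with their defaults, noting that `$password => false` is intended to turn off password logins and `$ed25519 => false` to omit the Ed25519 host key. Because the template tests these values for Ruby truthiness, a string value such as `'false'` (as older Hiera lookups can yield) would be treated as true; if the module already uses puppetlabs-stdlib, a `validate_bool($ed25519, $password)` guard in the body would catch that, as it would for the existing `$hostbased` and `$pubkey`. The define's body continues beyond the hunk.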
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index b9cc8c8..c0bcaab 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -34,6 +34,11 @@ Protocol 2
 # Only support RSA keys, not DSA keys.
 HostKey /etc/ssh/ssh_host_rsa_key
 
+<% if ed25519 then -%>
+# Also support Ed25519 host keys.
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+<% end -%>
 # Increase the login grace period from 120 seconds to 300 seconds (5 minutes).
 LoginGraceTime 300
 
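Review bot: The comment `# Only support RSA keys, not DSA keys.` directly above the new block is now wrong whenever `ed25519` is true; reword it to `# Always support RSA host keys, never DSA keys; Ed25519 is optional (see below).` Ed25519 host keys also require an OpenSSH release that supports them (6.5 or later), and if `/etc/ssh/ssh_host_ed25519_key` has not been generated on the host, sshd logs a "Could not load host key" error at startup, so a short comment in the block (or in the define's documentation) would make the default of `true` less of a surprise on older systems. The `then` in `<% if ed25519 then -%>` is valid Ruby but unusual; the file's other ERB, such as the ternary in the next hunk, does not use that form.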
@@ -55,7 +60,7 @@ HostbasedAuthentication <%= hostbased ? 'yes' : 'no' %>
 
 # Allow password authentication via PAM, but not empty passwords.
 ChallengeResponseAuthentication yes
-PasswordAuthentication yes
+PasswordAuthentication <%= password ? 'yes' : 'no' %>
 UsePAM yes
 PermitEmptyPasswords no
 
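Review bot: Setting `PasswordAuthentication no` on its own does not disable password logins here, because the unchanged `ChallengeResponseAuthentication yes` together with `UsePAM yes` still lets PAM prompt for the account password over keyboard-interactive; if `$password => false` is meant to enforce key-only logins, tie both directives to the flag: `ChallengeResponseAuthentication <%= password ? 'yes' : 'no' %>` and `PasswordAuthentication <%= password ? 'yes' : 'no' %>`. The comment on the line above (`# Allow password authentication via PAM, but not empty passwords.`) also becomes misleading when the flag is false; something like `# Password authentication (via PAM) is controlled by $password; empty passwords are never allowed.` would track the new behaviour.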
-- 
GitLab