From da05689bdac4984ccb73e5a22f369a288a3511fc Mon Sep 17 00:00:00 2001
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 13 Aug 2013 14:53:44 -0700
Subject: [PATCH] Add some more comments to the sshd_config file

Comment the protocol restriction and the explicit enabling of
UsePrivilegeSeparation on Red Hat.
---
 templates/ssh/sshd_config.erb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 78b784f..cbf3aa0 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -16,10 +16,9 @@ ListenAddress <%= address %>
   end
 -%>
 Port 22
+
+# Only support protocol version 2.
 Protocol 2
-<% if operatingsystem == 'RedHat' then -%>
-UsePrivilegeSeparation yes
-<% end -%>
 
 # Only support RSA keys, not DSA keys.
 HostKey /etc/ssh/ssh_host_rsa_key
@@ -30,6 +29,11 @@ LoginGraceTime 300
 # Prevent attackers from running long password guessing attacks.
 MaxAuthTries <%= max_tries %>
 
+<% if operatingsystem == 'RedHat' then -%>
+# Some Red Hat systems are old enough that this has to be explicitly enabled.
+UsePrivilegeSeparation yes
+
+<% end -%>
 # Disable all forms of host-based and public key authentication by default,
 # since we use GSS-API (or passwords).
 IgnoreRhosts yes
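Review bot: The `operatingsystem == 'RedHat'` guard at the top of this hunk keys on the OS family only, so `UsePrivilegeSeparation yes` is also rendered on newer Red Hat releases, where the "old enough" rationale in the added comment no longer holds. On OpenSSH builds whose default for this option is the stronger `sandbox` mode, an explicit `yes` would downgrade the pre-authentication process from sandboxed to merely unprivileged, so the comment's intent and the rendered value can diverge silently; whether any managed host runs such a version cannot be told from the template. Consider narrowing the guard by release as well as family (Facter exposes `operatingsystemrelease`), or at least extending the comment to record the caveat, e.g. `# Newer OpenSSH defaults to the stronger "sandbox" value; an explicit "yes" would weaken it.`.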
-- 
GitLab