Add some more comments to the sshd_config file

Comment the protocol restriction and the explicit enabling of UsePrivilegeSeparation on Red Hat.

Add some more comments to the sshd_config file
da05689b · Russ Allbery · c74da7f0 · da05689b
Commit da05689b authored 11 years ago by Russ Allbery
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -16,10 +16,9 @@ ListenAddress <%= address %>
  end
 -%>
 Port 22
+
+# Only support protocol version 2.
 Protocol 2
-<% if operatingsystem == 'RedHat' then -%>
-UsePrivilegeSeparation yes
-<% end -%>

 # Only support RSA keys, not DSA keys.
 HostKey /etc/ssh/ssh_host_rsa_key
@@ -30,6 +29,11 @@ LoginGraceTime 300
 # Prevent attackers from running long password guessing attacks.
 MaxAuthTries <%= max_tries %>

+<% if operatingsystem == 'RedHat' then -%>
+# Some Red Hat systems are old enough that this has to be explicitly enabled.
+UsePrivilegeSeparation yes
+
+<% end -%>
 # Disable all forms of host-based and public key authentication by default,
 # since we use GSS-API (or passwords).
 IgnoreRhosts yes