From b843d8168b9d17a51e293e3f3c7b8e3ddc6a6fa8 Mon Sep 17 00:00:00 2001
From: Bohdan Kmit
Date: Fri, 16 Jan 2015 17:21:10 +0000
Subject: [PATCH] add ed25519 host key type; add AuthenticationMethods option
---
 openssh/files/sshd_config | 3 ++-
 pillar.example | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 4f2b3cb..2985fb3 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -54,7 +54,7 @@
 {{ option_default_uncommented('Protocol', 2) }}
 # HostKeys for protocol version 2
-{{ option_default_uncommented('HostKey', ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']) -}}
+{{ option_default_uncommented('HostKey', ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']) -}}
 #Privilege Separation is turned on for security
 {{ option_default_uncommented('UsePrivilegeSeparation', 'yes') }}
@@ -92,6 +92,7 @@
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 {{ option_default_uncommented('ChallengeResponseAuthentication', 'no') }}
+{{ option('AuthenticationMethods', 'publickey,keyboard-interactive') }}
 # Change to no to disable tunnelled clear text passwords
 {{ option('PasswordAuthentication', 'yes') }}
diff --git a/pillar.example b/pillar.example
index c6c6694..264d112 100644
--- a/pillar.example
+++ b/pillar.example
@@ -5,6 +5,7 @@ sshd_config:
 - /etc/ssh/ssh_host_rsa_key
 - /etc/ssh/ssh_host_dsa_key
 - /etc/ssh/ssh_host_ecdsa_key
+ - /etc/ssh/ssh_host_ed25519_key
 UsePrivilegeSeparation: 'yes'
 KeyRegenerationInterval: 3600
 ServerKeyBits: 768
@@ -21,6 +22,7 @@ sshd_config:
 HostbasedAuthentication: 'no'
 PermitEmptyPasswords: 'no'
 ChallengeResponseAuthentication: 'no'
+ AuthenticationMethods 'publickey,keyboard-interactive'
 X11Forwarding: 'yes'
 X11DisplayOffset: 10
 PrintMotd: 'no'
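Review bot: The new `/etc/ssh/ssh_host_ed25519_key` entry in the HostKey default only takes effect where that file exists; sshd logs `Could not load host key` and carries on when a listed HostKey is missing, so on hosts that never generated an ed25519 key (anything older than OpenSSH 6.5 cannot) the change is a silent no-op rather than a failure. Consider having the formula provision the key (`ssh-keygen -A` on releases that support it) or documenting that it must exist before this default is useful. The same applies to the matching default in the `pillar.example` hunk at `@@ -5,6 +5,7 @@`. The DSA key kept in the same list is a separate, pre-existing concern (ssh-dss is limited to 1024-bit keys) and would be worth a follow-up rather than this commit.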
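Review bot: The default `publickey,keyboard-interactive` passed to `option('AuthenticationMethods', ...)` requires every login to pass both methods, but the line directly above defaults `ChallengeResponseAuthentication` to `no`, which is the option that enables keyboard-interactive in sshd; if `option()` renders its default uncommented when the pillar key is unset (the macro is not visible from this hunk), the shipped config would demand a method that is disabled and lock every user out. AuthenticationMethods is also only recognised from OpenSSH 6.2 onward, and sshd treats an unknown directive as a fatal `Bad configuration option` at startup. I would either leave the default empty so the directive is only written when the pillar sets it, or pair it with an enabled keyboard-interactive path and a comment such as `# AuthenticationMethods needs OpenSSH >= 6.2; keyboard-interactive requires ChallengeResponseAuthentication yes`.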
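Review bot: The added pillar line `AuthenticationMethods 'publickey,keyboard-interactive'` has no `:` after the key, so it is not a mapping entry; a YAML loader will most likely reject the document (`could not find expected ':'`) or fold it into a neighbouring scalar, and either way the example pillar no longer loads. It should read `AuthenticationMethods: 'publickey,keyboard-interactive'`, matching the other entries in this block. Combining that value with the `ChallengeResponseAuthentication: 'no'` directly above it is also contradictory for sshd, since keyboard-interactive is enabled by that option, so the example should either set `ChallengeResponseAuthentication: 'yes'` alongside it or leave AuthenticationMethods out of the defaults.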