From: Aurelien Jarno Date: Wed, 9 Aug 2017 01:12:31 +0000 (+0200) Subject: sshd_config: remove protocol version 1 specific options X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=6c9392a8bcffffef973686925f21b3fbec0353ce;p=mirror%2Fdsa-puppet.git sshd_config: remove protocol version 1 specific options These options are useless as they only apply to protocol version 1, while we explicitely force the protocol to version 2. They have started to fill logs with deprecation warnings on stretch hosts. Signed-off-by: Aurelien Jarno
---
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index d2ad6b37c..b0e690f2d 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -30,10 +30,6 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 1024
-
 # Logging
 SyslogFacility AUTH
 LogLevel INFO
@@ -43,14 +39,11 @@ LoginGraceTime 120
 PermitRootLogin without-password
 StrictModes yes
-RSAAuthentication yes
 PubkeyAuthentication yes
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
 HostbasedAuthentication no
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes