types you want to support in your sshd_config.
We use the ssh_version fact to determine the default hostkey types.
Only enable rsa and
ed25519 for ssh versions greater or equal
to 6.5, otherwise enable rsa and dsa.
Some distributions, such as debian, also enable ecdsa as a hostkey
type, but this is a known bad NIST curve, so we do not enable that
by default (thus deviating from the stock sshd config)
$shorewall_source = 'net',
$sshkey_ipaddress = $::ipaddress,
$manage_client = true,
+ $hostkey_type = versioncmp($::ssh_version, '6.5') ? {
+ /(^1|0)/ => [ 'rsa', 'ed25519' ],
+ /-1/ => [ 'rsa', 'dsa' ]
+ }
) {
validate_bool($manage_shorewall)
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
<% end -%>
Protocol 2
# HostKeys for protocol version 2
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
<% end -%>
Protocol 2
# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
<% end -%>
Protocol 2
# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
<% end -%>
Protocol 2
# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
<% end -%>
Protocol 2
# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
<% end -%>
Protocol 2
# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
<% end -%>
Protocol 2
# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+<% scope.lookupvar('sshd::hostkey_type').to_a.each do |hostkey_type| -%>
+HostKey /etc/ssh/ssh_host_<%=hostkey_type %>_key
+<% end -%>
+
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
projects / puppet-sshd.git / commitdiff