``profile::ssh_server``
=======================

This profile configures :manpage:`sshd(8)`.


Parameters
----------

====================  ========  =============================================
**Name**              **Type**  **Default**
--------------------  --------  ---------------------------------------------
enable_public_key     bool      hiera('ssh_server::enable_public_key', true)
enable_gssapi         bool      hiera('ssh_server::enable_gssapi')
permit_root_login     string    hiera('ssh_server::permit_root_login')
trusted_user_ca_keys  list      hiera('ssh_server::trusted_user_ca_keys', [])
user_ca_keys          hash      hiera('ssh_server::user_ca_keys', {})
====================  ========  =============================================

``enable_gssapi``
~~~~~~~~~~~~~~~~~

A boolean determining whether public key authentication is enabled or not for normal users.

Note that ``root`` is still allowed to connect using public key authentication. Here you may block root login with ``ssh_server::permit_root_login`` or restrict from where to allow root login (see bastion hosts ``aaa::bastions`` and ``aaa::use_bastions``).


``enable_gssapi``
~~~~~~~~~~~~~~~~~

A boolean determining whether GSSAPI authentication is enabled or not.


``permit_root_login``
~~~~~~~~~~~~~~~~~~~~~

Sets ``PermitRootLogin`` in the sshd configuration file.


``trusted_user_ca_keys``
~~~~~~~~~~~~~~~~~~~~~~~~

An array containing the user CA keys that will be accepted (as understood by the
``TrustedUserCAKeys`` directive in :manpage:`sshd_config(5)`).


``user_ca_keys``
~~~~~~~~~~~~~~~~

A hash containing the actual keys to be referenced by `trusted_user_ca_keys`_.