From d4e6dba5d477bcb55363ed1f991b261e7f0179c0 Mon Sep 17 00:00:00 2001 From: Kevin Gallagher Date: Thu, 19 Apr 2018 19:57:35 -0700 Subject: [PATCH] Handle a few deprecated OpenSSH options RhostsRSAAuthentication + RSAAuthentication is deprecated as of 7.4 UsePrivilegeSeparation is deprecated as of 7.5 (the daemon is now sandboxed on all modern OSes/platforms by default) --- CONTRIBUTING.md | 2 +- ansible.cfg | 2 +- templates/openssh.conf.j2 | 3 ++- templates/opensshd.conf.j2 | 2 ++ 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 783c10f..aa522d2 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -62,7 +62,7 @@ All tests will be reviewed internally for their validity and overall project dir ### Document your code -As code is more often read than written, please provide documentation in all projects. +As code is more often read than written, please provide documentation in all projects. Adhere to the respective guidelines for documentation: diff --git a/ansible.cfg b/ansible.cfg index 6c2fb60..237ebb9 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,7 +1,7 @@ # config file for ansible -- http://ansible.com/ # ============================================== -# nearly all parameters can be overridden in ansible-playbook +# nearly all parameters can be overridden in ansible-playbook # or with command line flags. ansible will read ANSIBLE_CONFIG, # ansible.cfg in the current working directory, .ansible.cfg in # the home directory or /etc/ansible/ansible.cfg, whichever it diff --git a/templates/openssh.conf.j2 b/templates/openssh.conf.j2 index 0769a5e..08a2b2c 100644 --- a/templates/openssh.conf.j2 +++ b/templates/openssh.conf.j2 
@@ -82,10 +82,11 @@ ForwardX11 no # Never use host-based authentication. It can be exploited. HostbasedAuthentication no +{% if sshd_version.stdout < 7.4 -%} RhostsRSAAuthentication no - # Enable RSA authentication via identity files. RSAAuthentication yes +{% endif %} # Disable password-based authentication, it can allow for potentially easier brute-force attacks. PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }} diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2 index d80e983..db905d9 100644 --- a/templates/opensshd.conf.j2 +++ b/templates/opensshd.conf.j2 @@ -75,7 +75,9 @@ LogLevel VERBOSE # -------------- # Secure Login directives. +{% if sshd_version.stdout < 7.5 -%} UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %} +{% endif %} LoginGraceTime 30s MaxAuthTries {{ssh_max_auth_retries}}
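Review bot: The new guard `{% if sshd_version.stdout < 7.4 -%}` compares a registered command's `stdout`, which is a string, against the float `7.4`; on a Python 3 controller Jinja2 raises a TypeError and the whole client template fails to render, while on Python 2 the cross-type comparison is always False, so `RhostsRSAAuthentication no` is silently dropped on exactly the pre-7.4 clients it is meant for. Even with both operands as strings the test would be lexical, so `"7.10"` sorts below `"7.4"`. Use Ansible's version test instead, `{% if sshd_version.stdout is version('7.4', '<') -%}` (the `version_compare` filter on Ansible older than 2.5), and add a comment above it such as `{# RSAAuthentication/RhostsRSAAuthentication were removed in OpenSSH 7.4; newer clients only warn about them #}`. The task that registers `sshd_version` is not in this patch, so this assumes its stdout already holds a bare numeric version like `7.6` rather than the full `ssh -V` banner; if it is the banner, the number has to be extracted with a filter before any comparison, and the client template is keyed on the server version, which only holds when both come from the same package.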
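Review bot: The new guard `{% if sshd_version.stdout < 7.5 -%}` has the same string-versus-float comparison problem as the client template: on Python 3 the render aborts with a TypeError, on Python 2 it is always False and `UsePrivilegeSeparation` is never emitted even on the 7.4-and-older daemons that still honour it. The line should read `{% if sshd_version.stdout is version('7.5', '<') -%}` (or `version_compare` on older Ansible), ideally preceded by `{# UsePrivilegeSeparation is deprecated since OpenSSH 7.5; the daemon is always sandboxed there #}` so the next reader knows why the directive may be absent. The pre-existing `ansible_distribution_major_version <= '6'` checks on the retained line are likewise lexical string comparisons (`'10' <= '6'` is true), so the same version test would be appropriate there if that line is touched again.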