From c97d093d8464ee94dc135736807115416fa07ad1 Mon Sep 17 00:00:00 2001 From: 12ww1160 <12ww1160@confdroid.com> Date: Mon, 13 Apr 2026 14:20:06 +0200 Subject: [PATCH 1/2] OP#575 finish password section --- manifests/params.pp | 18 +++++++++++++++++- templates/sshd_custom_conf.erb | 7 ++++--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 60bc548..cf14bc1 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -33,6 +33,19 @@ # Default is 'AUTH'. # @param [String] ssh_log_level LogLevel setting for sshd_config. # Default is 'INFO'. +# @param [String] ssh_password_authentication PasswordAuthentication setting +# for sshd_config. Default is 'no', which requires key-based authentication. +# This is a recommended security setting, so passwords do not show up in logs, +# but can be set to 'yes' if password authentication is desired. +# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting +# for sshd_config. Default is 'no', which is a recommended security setting +# and works in connection with key-based authentication, but can be set +# to 'yes' if password authentication should be allowed and empty passwords +# should be allowed. Again, this should be used with caution if enabled. +# @param [String] ssh_kbd_interactive_auth setting for sshd_config. +# Default is 'no', which is a recommended security setting together +# with password authentication, but can be set to 'yes' if +# keyboard-interactive authentication should be allowed. (not recommended) ############################################################################## class confdroid_ssh::params ( @@ -62,7 +75,10 @@ class confdroid_ssh::params ( String $ssh_hostkey_type = 'rsa', String $ssh_rekeylimit = 'default none', String $ssh_syslog_facility = 'AUTH', - String $ssh_log_level = 'INFO' + String $ssh_log_level = 'INFO', + String $ssh_password_authentication = 'no', + String $ssh_permit_empty_passwords = 'no', + String $ssh_kbd_interactive_auth = 'no' ) { # default facts diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb index f6aeb6c..da51d6f 100644 --- a/templates/sshd_custom_conf.erb +++ b/templates/sshd_custom_conf.erb @@ -8,11 +8,9 @@ Port <%= @ssh_fw_port %> AddressFamily <%= @ssh_address_family %> ListenAddress <%= @ssh_listen_address %> - <% if @ssh_use_specific_hostkey -%> HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key <% end -%> - RekeyLimit <%= @ssh_rekeylimit %> SyslogFacility <%= @ssh_syslog_facility %> @@ -30,4 +28,7 @@ AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %> AuthorizedKeysCommand <%= @ssh_authorized_keys_command %> AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %> -# test \ No newline at end of file +PasswordAuthentication <%= @ssh_password_authentication %> +PermitEmptyPasswords <%= @ssh_permit_empty_passwords %> +KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %> + From e7ac45b383f8501fe6b85fac3ec87ea9a8111117 Mon Sep 17 00:00:00 2001 From: Jenkins Server Date: Mon, 13 Apr 2026 14:21:20 +0200 Subject: [PATCH 2/2] Recommit for updates in build 21 --- .../confdroid_ssh_3A_3Aparams.html | 92 +++++++++++++++---- 1 file changed, 76 insertions(+), 16 deletions(-) diff --git a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html index 968712a..e238d72 100644 --- a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html +++ b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html @@ -520,6 +520,60 @@ —

LogLevel setting for sshd_config. Default is ‘INFO’.

+
+ + + +
  • + + ssh_password_authentication + + + (String) + + + (defaults to: 'no') + + + — +
    +

    PasswordAuthentication setting for sshd_config. Default is ‘no’, which requires key-based authentication. This is a recommended security setting, so passwords do not show up in logs, but can be set to ‘yes’ if password authentication is desired.

    +
    + +
    • + +
  • + + ssh_permit_empty_passwords + + + (String) + + + (defaults to: 'no') + + + — +
    +

    PermitEmptyPasswords setting for sshd_config. Default is ‘no’, which is a recommended security setting and works in connection with key-based authentication, but can be set to ‘yes’ if password authentication should be allowed and empty passwords should be allowed. Again, this should be used with caution if enabled.

    +
    + +
    • + +
  • + + ssh_kbd_interactive_auth + + + (String) + + + (defaults to: 'no') + + + — +
    +

    setting for sshd_config. Default is ‘no’, which is a recommended security setting together with password authentication, but can be set to ‘yes’ if keyboard-interactive authentication should be allowed. (not recommended)

    • @@ -535,19 +589,6 @@ 
     
 
-37
-38
-39
-40
-41
-42
-43
-44
-45
-46
-47
-48
-49
 50
 51
 52
@@ -585,10 +626,26 @@
 84
 85
 86
-87
    +87 +88 +89 +90 +91 +92 +93 +94 +95 +96 +97 +98 +99 +100 +101 +102 +103 - 
    # File 'manifests/params.pp', line 37
+        
    # File 'manifests/params.pp', line 50
 
 class confdroid_ssh::params (
 
@@ -618,7 +675,10 @@ class confdroid_ssh::params (
   String  $ssh_hostkey_type                 = 'rsa',
   String  $ssh_rekeylimit                   = 'default none',
   String  $ssh_syslog_facility              = 'AUTH',
-  String  $ssh_log_level                    = 'INFO'
+  String  $ssh_log_level                    = 'INFO',
+  String  $ssh_password_authentication      = 'no',
+  String  $ssh_permit_empty_passwords       = 'no',
+  String  $ssh_kbd_interactive_auth         = 'no'
 
 ) {
 # default facts