setting for sshd_config. Default is ‘no’, which is a recommended security setting together with password authentication, but can be set to ‘yes’ if keyboard-interactive authentication should be allowed. (not recommended)
+setting for sshd_config. Default is ‘no’. Kerberos authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to ‘yes’ if desired.
+setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to allow local password authentication as a fallback if Kerberos authentication fails, but can be set to ‘no’ if you want to only allow Kerberos authentication.
+setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable ticket cleanup, but can be set to ‘no’ if you want to disable it.
+setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable AFS token retrieval, but can be set to ‘no’ if you want to disable it.
+setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable userok with Kerberos, but can be set to ‘no’ if you want to disable it.
+whether to use Kerberos authentication. If true, the relevant Kerberos settings will be included in the sshd_config, otherwise they will be ignored.
+whether to use GSSAPI authentication. If true, GSSAPI authentication will be enabled in sshd_config, otherwise it will be disabled. GSSAPI authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to true if desired.
+setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS authentication, but can be set to ‘no’ if you want to disable it.
+setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS credential cleanup, but can be set to ‘no’ if you want to disable it.
+setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS key exchange.
+setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSSAPI for k5users.
-50 -51 -52 -53 -54 -55 -56 -57 -58 -59 -60 -61 -62 -63 -64 -65 -66 -67 -68 -69 -70 -71 -72 -73 -74 -75 -76 -77 -78 -79 -80 -81 -82 -83 -84 -85 -86 -87 -88 -89 -90 -91 -92 93 94 95 @@ -642,10 +797,65 @@ 100 101 102 -103+103 +104 +105 +106 +107 +108 +109 +110 +111 +112 +113 +114 +115 +116 +117 +118 +119 +120 +121 +122 +123 +124 +125 +126 +127 +128 +129 +130 +131 +132 +133 +134 +135 +136 +137 +138 +139 +140 +141 +142 +143 +144 +145 +146 +147 +148 +149 +150 +151 +152 +153 +154 +155 +156 +157 +158
# File 'manifests/params.pp', line 50
+ # File 'manifests/params.pp', line 93
class confdroid_ssh::params (
@@ -678,7 +888,19 @@ class confdroid_ssh::params (
String $ssh_log_level = 'INFO',
String $ssh_password_authentication = 'no',
String $ssh_permit_empty_passwords = 'no',
- String $ssh_kbd_interactive_auth = 'no'
+ String $ssh_kbd_interactive_auth = 'no',
+ Boolean $ssh_use_kerberos = false,
+ String $ssh_kerberos_authentication = 'yes',
+ String $ssh_kerberos_or_local_passwd = 'yes',
+ String $ssh_kerberos_ticket_cleanup = 'yes',
+ String $ssh_kerberos_get_afstoken = 'no',
+ String $ssh_kerberos_use_kuserok = 'yes',
+ Boolean $ssh_use_gssapi = false,
+ String $ssh_gssapi_authentication = 'yes',
+ String $ssh_gssapi_cleanup_credentials = 'yes',
+ String $ssh_gssapi_key_exchange = 'no',
+ String $ssh_gssapi_enablek5users = 'no',
+
) {
# default facts
diff --git a/manifests/params.pp b/manifests/params.pp
index cf14bc1..10e9ef7 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -46,6 +46,49 @@
# Default is 'no', which is a recommended security setting together
# with password authentication, but can be set to 'yes' if
# keyboard-interactive authentication should be allowed. (not recommended)
+# @param [String] ssh_kerberos_authentication setting for sshd_config.
+# Default is 'no'. Kerberos authentication is not commonly used and
+# requires a lot of other settings, so it is disabled by default, but can be
+# set to 'yes' if desired.
+# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
+# Default is 'no'. This setting is only relevant if Kerberos authentication is
+# enabled, and should be set to 'yes' if you want to allow local password
+# authentication as a fallback if Kerberos authentication fails, but can be
+# set to 'no' if you want to only allow Kerberos authentication.
+# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.
+# Default is 'no'. This setting is only relevant if Kerberos authentication
+# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
+# but can be set to 'no' if you want to disable it.
+# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
+# Default is 'no'. This setting is only relevant if Kerberos authentication
+# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
+# but can be set to 'no' if you want to disable it.
+# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
+# Default is 'no'. This setting is only relevant if Kerberos authentication
+# is enabled, and should be set to 'yes' if you want to enable userok with
+# Kerberos, but can be set to 'no' if you want to disable it.
+# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
+# If true, the relevant Kerberos settings will be included in the sshd_config,
+# otherwise they will be ignored.
+# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
+# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
+# will be disabled. GSSAPI authentication is not commonly used and requires
+# a lot of other settings, so it is disabled by default, but can be set to
+# true if desired.
+# @param [String] ssh_gssapi_authentication setting for sshd_config.
+# Default is 'no'. This setting is only relevant if GSSAPI authentication is
+# enabled, and should be set to 'yes' if you want to enable GSS authentication,
+# but can be set to 'no' if you want to disable it.
+# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
+# Default is 'no'. This setting is only relevant if GSSAPI authentication is
+# enabled, and should be set to 'yes' if you want to enable GSS credential
+# cleanup, but can be set to 'no' if you want to disable it.
+# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
+# Default is 'no'. This setting is only relevant if GSSAPI authentication is
+# enabled, and should be set to 'yes' if you want to enable GSS key exchange.
+# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
+# Default is 'no'. This setting is only relevant if GSSAPI authentication is
+# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
##############################################################################
class confdroid_ssh::params (
@@ -78,7 +121,19 @@ class confdroid_ssh::params (
String $ssh_log_level = 'INFO',
String $ssh_password_authentication = 'no',
String $ssh_permit_empty_passwords = 'no',
- String $ssh_kbd_interactive_auth = 'no'
+ String $ssh_kbd_interactive_auth = 'no',
+ Boolean $ssh_use_kerberos = false,
+ String $ssh_kerberos_authentication = 'yes',
+ String $ssh_kerberos_or_local_passwd = 'yes',
+ String $ssh_kerberos_ticket_cleanup = 'yes',
+ String $ssh_kerberos_get_afstoken = 'no',
+ String $ssh_kerberos_use_kuserok = 'yes',
+ Boolean $ssh_use_gssapi = false,
+ String $ssh_gssapi_authentication = 'yes',
+ String $ssh_gssapi_cleanup_credentials = 'yes',
+ String $ssh_gssapi_key_exchange = 'no',
+ String $ssh_gssapi_enablek5users = 'no',
+
) {
# default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index da51d6f..01634b1 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -32,3 +32,17 @@ PasswordAuthentication <%= @ssh_password_authentication %>
PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+<% if @ssh_use_kerberos -%>
+KerberosAuthentication <%= @ssh_kerberos_authentication %>
+KerberosOrLocalPasswd <%= @ssh_kerberos_or_local_passwd %>
+KerberosTicketCleanup <%= @ssh_kerberos_ticket_cleanup %>
+KerberosGetAFSToken <%= @ssh_kerberos_get_afstoken %>
+KerberosUseKuserok <%= @ssh_kerberos_use_kuserok %>
+<% end -%>
+
+<% if @ssh_use_gssapi -%>
+GSSAPIAuthentication <%= @ssh_gssapi_authentication %>
+GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
+GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
+GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
+<% end -%>