Merge branch 'jenkins-build-22' into 'master'

Auto-merge for build 22

See merge request puppet/confdroid_ssh!22

doc/puppet_classes/confdroid_ssh_3A_3Aparams.html

@@ -574,6 +574,204 @@
         —
         <div class='inline'>
 <p>setting for sshd_config. Default is ‘no’, which is a recommended security setting together with password authentication, but can be set to ‘yes’ if keyboard-interactive authentication should be allowed. (not recommended)</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_kerberos_authentication</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’. Kerberos authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to ‘yes’ if desired.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_kerberos_or_local_passwd</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to allow local password authentication as a fallback if Kerberos authentication fails, but can be set to ‘no’ if you want to only allow Kerberos authentication.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_kerberos_ticket_cleanup</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable ticket cleanup, but can be set to ‘no’ if you want to disable it.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_kerberos_get_afstoken</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable AFS token retrieval, but can be set to ‘no’ if you want to disable it.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_kerberos_use_kuserok</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if Kerberos authentication is enabled, and should be set to ‘yes’ if you want to enable userok with Kerberos, but can be set to ‘no’ if you want to disable it.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_use_kerberos</span>
+      
+      
+        <span class='type'>(<tt>Boolean</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>false</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>whether to use Kerberos authentication. If true, the relevant Kerberos settings will be included in the sshd_config, otherwise they will be ignored.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_use_gssapi</span>
+      
+      
+        <span class='type'>(<tt>Boolean</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>false</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>whether to use GSSAPI authentication. If true, GSSAPI authentication will be enabled in sshd_config, otherwise it will be disabled. GSSAPI authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to true if desired.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_gssapi_authentication</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS authentication, but can be set to ‘no’ if you want to disable it.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_gssapi_cleanup_credentials</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS credential cleanup, but can be set to ‘no’ if you want to disable it.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_gssapi_key_exchange</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSS key exchange.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_gssapi_enablek5users</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSSAPI for k5users.</p>
 </div>
       
     </li>
@@ -589,49 +787,6 @@
         <pre class="lines">
 
 
-50
-51
-52
-53
-54
-55
-56
-57
-58
-59
-60
-61
-62
-63
-64
-65
-66
-67
-68
-69
-70
-71
-72
-73
-74
-75
-76
-77
-78
-79
-80
-81
-82
-83
-84
-85
-86
-87
-88
-89
-90
-91
-92
 93
 94
 95
@@ -642,10 +797,65 @@
 100
 101
 102
-103</pre>
+103
+104
+105
+106
+107
+108
+109
+110
+111
+112
+113
+114
+115
+116
+117
+118
+119
+120
+121
+122
+123
+124
+125
+126
+127
+128
+129
+130
+131
+132
+133
+134
+135
+136
+137
+138
+139
+140
+141
+142
+143
+144
+145
+146
+147
+148
+149
+150
+151
+152
+153
+154
+155
+156
+157
+158</pre>
       </td>
       <td>
-        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 50</span>
+        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 93</span>
 
 class confdroid_ssh::params (
 
@@ -678,7 +888,19 @@ class confdroid_ssh::params (
   String  $ssh_log_level                    = &#39;INFO&#39;,
   String  $ssh_password_authentication      = &#39;no&#39;,
   String  $ssh_permit_empty_passwords       = &#39;no&#39;,
-  String  $ssh_kbd_interactive_auth         = &#39;no&#39;
+  String  $ssh_kbd_interactive_auth         = &#39;no&#39;,
+  Boolean $ssh_use_kerberos                 = false,
+  String  $ssh_kerberos_authentication      = &#39;yes&#39;,
+  String  $ssh_kerberos_or_local_passwd     = &#39;yes&#39;,
+  String  $ssh_kerberos_ticket_cleanup      = &#39;yes&#39;,
+  String  $ssh_kerberos_get_afstoken        = &#39;no&#39;,
+  String  $ssh_kerberos_use_kuserok         = &#39;yes&#39;,
+  Boolean $ssh_use_gssapi                   = false,
+  String  $ssh_gssapi_authentication         = &#39;yes&#39;,
+  String  $ssh_gssapi_cleanup_credentials    = &#39;yes&#39;,
+  String  $ssh_gssapi_key_exchange           = &#39;no&#39;,
+  String  $ssh_gssapi_enablek5users          = &#39;no&#39;,
+
 
 ) {
 # default facts

manifests/params.pp

@@ -46,6 +46,49 @@
 #   Default is 'no', which is a recommended security setting together 
 #   with password authentication, but can be set to 'yes' if 
 #   keyboard-interactive authentication should be allowed. (not recommended)
+# @param [String] ssh_kerberos_authentication setting for sshd_config.
+#   Default is 'no'. Kerberos authentication is not commonly used and 
+#   requires a lot of other settings, so it is disabled by default, but can be 
+#   set to 'yes' if desired.
+# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if Kerberos authentication is
+#   enabled, and should be set to 'yes' if you want to allow local password
+#   authentication as a fallback if Kerberos authentication fails, but can be
+#   set to 'no' if you want to only allow Kerberos authentication.
+# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config. 
+#   Default is 'no'. This setting is only relevant if Kerberos authentication 
+#   is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
+#   but can be set to 'no' if you want to disable it.
+# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if Kerberos authentication
+#   is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
+#   but can be set to 'no' if you want to disable it.
+# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if Kerberos authentication
+#   is enabled, and should be set to 'yes' if you want to enable userok with 
+#   Kerberos, but can be set to 'no' if you want to disable it.
+# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
+#   If true, the relevant Kerberos settings will be included in the sshd_config, 
+#   otherwise they will be ignored. 
+# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
+#   If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
+#   will be disabled. GSSAPI authentication is not commonly used and requires
+#   a lot of other settings, so it is disabled by default, but can be set to
+#   true if desired.
+# @param [String] ssh_gssapi_authentication setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
+#   enabled, and should be set to 'yes' if you want to enable GSS authentication, 
+#   but can be set to 'no' if you want to disable it.
+# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
+#   enabled, and should be set to 'yes' if you want to enable GSS credential 
+#   cleanup, but can be set to 'no' if you want to disable it.
+# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if GSSAPI authentication is
+#   enabled, and should be set to 'yes' if you want to enable GSS key exchange.
+# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
+#   Default is 'no'. This setting is only relevant if GSSAPI authentication is 
+#   enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
 ##############################################################################
 class confdroid_ssh::params (
 
@@ -78,7 +121,19 @@ class confdroid_ssh::params (
   String  $ssh_log_level                    = 'INFO',
   String  $ssh_password_authentication      = 'no',
   String  $ssh_permit_empty_passwords       = 'no',
-  String  $ssh_kbd_interactive_auth         = 'no'
+  String  $ssh_kbd_interactive_auth         = 'no',
+  Boolean $ssh_use_kerberos                 = false,
+  String  $ssh_kerberos_authentication      = 'yes',
+  String  $ssh_kerberos_or_local_passwd     = 'yes',
+  String  $ssh_kerberos_ticket_cleanup      = 'yes',
+  String  $ssh_kerberos_get_afstoken        = 'no',
+  String  $ssh_kerberos_use_kuserok         = 'yes',
+  Boolean $ssh_use_gssapi                   = false,
+  String  $ssh_gssapi_authentication         = 'yes',
+  String  $ssh_gssapi_cleanup_credentials    = 'yes',
+  String  $ssh_gssapi_key_exchange           = 'no',
+  String  $ssh_gssapi_enablek5users          = 'no',
+
 
 ) {
 # default facts

templates/sshd_custom_conf.erb

@@ -32,3 +32,17 @@ PasswordAuthentication <%= @ssh_password_authentication %>
 PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
 KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
 
+<% if @ssh_use_kerberos -%>
+KerberosAuthentication <%= @ssh_kerberos_authentication %>
+KerberosOrLocalPasswd <%= @ssh_kerberos_or_local_passwd %>
+KerberosTicketCleanup <%= @ssh_kerberos_ticket_cleanup %>
+KerberosGetAFSToken <%= @ssh_kerberos_get_afstoken %>
+KerberosUseKuserok <%= @ssh_kerberos_use_kuserok %>
+<% end -%>
+
+<% if @ssh_use_gssapi -%>
+GSSAPIAuthentication <%= @ssh_gssapi_authentication %>
+GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
+GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
+GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
+<% end -%>