confdroid/confdroid_ssh
1
0
Fork 0
Code Issues Projects Wiki Activity

Merge branch 'jenkins-build-22' into 'master'

Browse Source 
Auto-merge for build 22

See merge request puppet/confdroid_ssh!22
This commit is contained in:
Jenkins
2026-04-13 12:55:20 +00:00
parent 19417ca780 3f5714f6c3
commit 6a9563ae04
3 changed files with 338 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

314
doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
View File

@@ -574,6 +574,204 @@
—
<div class='inline'>
<p>setting for sshd_config. Default is no, which is a recommended security setting together with password authentication, but can be set to yes if keyboard-interactive authentication should be allowed. (not recommended)</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_authentication</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. Kerberos authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to yes if desired.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_or_local_passwd</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to allow local password authentication as a fallback if Kerberos authentication fails, but can be set to no if you want to only allow Kerberos authentication.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_ticket_cleanup</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to enable ticket cleanup, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_get_afstoken</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to enable AFS token retrieval, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_kerberos_use_kuserok</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if Kerberos authentication is enabled, and should be set to yes if you want to enable userok with Kerberos, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_kerberos</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to use Kerberos authentication. If true, the relevant Kerberos settings will be included in the sshd_config, otherwise they will be ignored.</p>
</div>
</li>
<li>
<span class='name'>ssh_use_gssapi</span>
<span class='type'>(<tt>Boolean</tt>)</span>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
<div class='inline'>
<p>whether to use GSSAPI authentication. If true, GSSAPI authentication will be enabled in sshd_config, otherwise it will be disabled. GSSAPI authentication is not commonly used and requires a lot of other settings, so it is disabled by default, but can be set to true if desired.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_authentication</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSS authentication, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_cleanup_credentials</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;yes&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSS credential cleanup, but can be set to no if you want to disable it.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_key_exchange</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSS key exchange.</p>
</div>
</li>
<li>
<span class='name'>ssh_gssapi_enablek5users</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>setting for sshd_config. Default is no. This setting is only relevant if GSSAPI authentication is enabled, and should be set to yes if you want to enable GSSAPI for k5users.</p>
</div>
</li>
@@ -589,49 +787,6 @@
<pre class="lines">
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
@@ -642,10 +797,65 @@
100
101
102
103</pre>
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 50</span>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 93</span>
class confdroid_ssh::params (
@@ -678,7 +888,19 @@ class confdroid_ssh::params (
String $ssh_log_level = &#39;INFO&#39;,
String $ssh_password_authentication = &#39;no&#39;,
String $ssh_permit_empty_passwords = &#39;no&#39;,
String $ssh_kbd_interactive_auth = &#39;no&#39;
String $ssh_kbd_interactive_auth = &#39;no&#39;,
Boolean $ssh_use_kerberos = false,
String $ssh_kerberos_authentication = &#39;yes&#39;,
String $ssh_kerberos_or_local_passwd = &#39;yes&#39;,
String $ssh_kerberos_ticket_cleanup = &#39;yes&#39;,
String $ssh_kerberos_get_afstoken = &#39;no&#39;,
String $ssh_kerberos_use_kuserok = &#39;yes&#39;,
Boolean $ssh_use_gssapi = false,
String $ssh_gssapi_authentication = &#39;yes&#39;,
String $ssh_gssapi_cleanup_credentials = &#39;yes&#39;,
String $ssh_gssapi_key_exchange = &#39;no&#39;,
String $ssh_gssapi_enablek5users = &#39;no&#39;,
) {
# default facts

57
manifests/params.pp
View File

@@ -46,6 +46,49 @@
# Default is 'no', which is a recommended security setting together
# with password authentication, but can be set to 'yes' if
# keyboard-interactive authentication should be allowed. (not recommended)
# @param [String] ssh_kerberos_authentication setting for sshd_config.
# Default is 'no'. Kerberos authentication is not commonly used and
# requires a lot of other settings, so it is disabled by default, but can be
# set to 'yes' if desired.
# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication is
# enabled, and should be set to 'yes' if you want to allow local password
# authentication as a fallback if Kerberos authentication fails, but can be
# set to 'no' if you want to only allow Kerberos authentication.
# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable userok with
# Kerberos, but can be set to 'no' if you want to disable it.
# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
# If true, the relevant Kerberos settings will be included in the sshd_config,
# otherwise they will be ignored.
# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
# will be disabled. GSSAPI authentication is not commonly used and requires
# a lot of other settings, so it is disabled by default, but can be set to
# true if desired.
# @param [String] ssh_gssapi_authentication setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS authentication,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS credential
# cleanup, but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS key exchange.
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
##############################################################################
class confdroid_ssh::params (
@@ -78,7 +121,19 @@ class confdroid_ssh::params (
String $ssh_log_level = 'INFO',
String $ssh_password_authentication = 'no',
String $ssh_permit_empty_passwords = 'no',
String $ssh_kbd_interactive_auth = 'no'
String $ssh_kbd_interactive_auth = 'no',
Boolean $ssh_use_kerberos = false,
String $ssh_kerberos_authentication = 'yes',
String $ssh_kerberos_or_local_passwd = 'yes',
String $ssh_kerberos_ticket_cleanup = 'yes',
String $ssh_kerberos_get_afstoken = 'no',
String $ssh_kerberos_use_kuserok = 'yes',
Boolean $ssh_use_gssapi = false,
String $ssh_gssapi_authentication = 'yes',
String $ssh_gssapi_cleanup_credentials = 'yes',
String $ssh_gssapi_key_exchange = 'no',
String $ssh_gssapi_enablek5users = 'no',
) {
# default facts

14
templates/sshd_custom_conf.erb
View File

@@ -32,3 +32,17 @@ PasswordAuthentication <%= @ssh_password_authentication %>
PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
<% if @ssh_use_kerberos -%>
KerberosAuthentication <%= @ssh_kerberos_authentication %>
KerberosOrLocalPasswd <%= @ssh_kerberos_or_local_passwd %>
KerberosTicketCleanup <%= @ssh_kerberos_ticket_cleanup %>
KerberosGetAFSToken <%= @ssh_kerberos_get_afstoken %>
KerberosUseKuserok <%= @ssh_kerberos_use_kuserok %>
<% end -%>
<% if @ssh_use_gssapi -%>
GSSAPIAuthentication <%= @ssh_gssapi_authentication %>
GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
<% end -%>