From 71a2706a3fe798c7bf84d1e73b7d39839a40767b Mon Sep 17 00:00:00 2001
From: 12ww1160 <12ww1160@confdroid.com>
Date: Mon, 13 Apr 2026 14:53:58 +0200
Subject: [PATCH] OP#575 add kerberis and gssapi sections
---
 manifests/params.pp | 57 +++++++++++++++++++++++++++++++++-
 templates/sshd_custom_conf.erb | 14 +++++++++
 2 files changed, 70 insertions(+), 1 deletion(-)
diff --git a/manifests/params.pp b/manifests/params.pp
index cf14bc1..10e9ef7 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -46,6 +46,49 @@
 # Default is 'no', which is a recommended security setting together
 # with password authentication, but can be set to 'yes' if
 # keyboard-interactive authentication should be allowed. (not recommended)
+# @param [String] ssh_kerberos_authentication setting for sshd_config.
+# Default is 'no'. Kerberos authentication is not commonly used and
+# requires a lot of other settings, so it is disabled by default, but can be
+# set to 'yes' if desired.
+# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
+# Default is 'no'. This setting is only relevant if Kerberos authentication is
+# enabled, and should be set to 'yes' if you want to allow local password
+# authentication as a fallback if Kerberos authentication fails, but can be
+# set to 'no' if you want to only allow Kerberos authentication.
+# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.
+# Default is 'no'. This setting is only relevant if Kerberos authentication
+# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
+# but can be set to 'no' if you want to disable it.
+# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
+# Default is 'no'. This setting is only relevant if Kerberos authentication
+# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
+# but can be set to 'no' if you want to disable it.
+# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
+# Default is 'no'. This setting is only relevant if Kerberos authentication
+# is enabled, and should be set to 'yes' if you want to enable userok with
+# Kerberos, but can be set to 'no' if you want to disable it.
+# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
+# If true, the relevant Kerberos settings will be included in the sshd_config,
+# otherwise they will be ignored.
+# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
+# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
+# will be disabled. GSSAPI authentication is not commonly used and requires
+# a lot of other settings, so it is disabled by default, but can be set to
+# true if desired.
+# @param [String] ssh_gssapi_authentication setting for sshd_config.
+# Default is 'no'. This setting is only relevant if GSSAPI authentication is
+# enabled, and should be set to 'yes' if you want to enable GSS authentication,
+# but can be set to 'no' if you want to disable it.
+# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
+# Default is 'no'. This setting is only relevant if GSSAPI authentication is
+# enabled, and should be set to 'yes' if you want to enable GSS credential
+# cleanup, but can be set to 'no' if you want to disable it.
+# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
+# Default is 'no'. This setting is only relevant if GSSAPI authentication is
+# enabled, and should be set to 'yes' if you want to enable GSS key exchange.
+# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
+# Default is 'no'. This setting is only relevant if GSSAPI authentication is
+# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
 ##############################################################################
 class confdroid_ssh::params (
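Review bot: Every new `@param [String]` entry in this hunk says "Default is 'no'", but the parameter list added by the same patch defaults ssh_kerberos_authentication, ssh_kerberos_or_local_passwd, ssh_kerberos_ticket_cleanup, ssh_kerberos_use_kuserok, ssh_gssapi_authentication and ssh_gssapi_cleanup_credentials to 'yes', so the documentation contradicts the code it describes. Those six entries should read `# Default is 'yes'.`, or the defaults should be changed to match the docs; either way the two must agree before merge. The ssh_kerberos_authentication entry would also benefit from a sentence stating what the option actually governs, since per sshd_config(5) KerberosAuthentication only decides whether a password supplied for PasswordAuthentication is validated against the KDC and therefore has no effect while this module's default `PasswordAuthentication no` stands; something like `# Only meaningful together with ssh_password_authentication = 'yes'.` The ssh_use_kerberos entry's "otherwise they will be ignored" is worth sharpening to "otherwise no Kerberos* lines are written and sshd's built-in defaults apply", which is what the template does.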
@@ -78,7 +121,19 @@ class confdroid_ssh::params (
 String $ssh_log_level = 'INFO',
 String $ssh_password_authentication = 'no',
 String $ssh_permit_empty_passwords = 'no',
- String $ssh_kbd_interactive_auth = 'no'
+ String $ssh_kbd_interactive_auth = 'no',
+ Boolean $ssh_use_kerberos = false,
+ String $ssh_kerberos_authentication = 'yes',
+ String $ssh_kerberos_or_local_passwd = 'yes',
+ String $ssh_kerberos_ticket_cleanup = 'yes',
+ String $ssh_kerberos_get_afstoken = 'no',
+ String $ssh_kerberos_use_kuserok = 'yes',
+ Boolean $ssh_use_gssapi = false,
+ String $ssh_gssapi_authentication = 'yes',
+ String $ssh_gssapi_cleanup_credentials = 'yes',
+ String $ssh_gssapi_key_exchange = 'no',
+ String $ssh_gssapi_enablek5users = 'no',
+
 ) {
 # default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index da51d6f..01634b1 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -32,3 +32,17 @@
 PasswordAuthentication <%= @ssh_password_authentication %>
 PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
 KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+<% if @ssh_use_kerberos -%>
+KerberosAuthentication <%= @ssh_kerberos_authentication %>
+KerberosOrLocalPasswd <%= @ssh_kerberos_or_local_passwd %>
+KerberosTicketCleanup <%= @ssh_kerberos_ticket_cleanup %>
+KerberosGetAFSToken <%= @ssh_kerberos_get_afstoken %>
+KerberosUseKuserok <%= @ssh_kerberos_use_kuserok %>
+<% end -%>
+
+<% if @ssh_use_gssapi -%>
+GSSAPIAuthentication <%= @ssh_gssapi_authentication %>
+GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
+GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
+GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
+<% end -%>
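Review bot: The ten new yes/no parameters are typed `String`, so a value such as 'true', 'Yes ' or 'on' passes catalog compilation and is only rejected when sshd parses the rendered file on the node, by which point the service may already be down; Puppet can reject it up front with `Enum['yes', 'no'] $ssh_kerberos_authentication = 'yes',` and likewise for the other nine. Separately, `$ssh_kerberos_or_local_passwd = 'yes'` is a fail-open default: per sshd_config(5) KerberosOrLocalPasswd makes sshd fall back to the local password database when the KDC rejects the password, so turning Kerberos on never narrows who can log in, and if that is the intended behaviour it deserves a comment on the line, otherwise `'no'` is the safer default. Note that the class body continues outside this hunk, so I cannot see whether these values are validated anywhere else.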
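Review bot: The new `<% if @ssh_use_kerberos -%>` and `<% if @ssh_use_gssapi -%>` blocks emit KerberosUseKuserok, KerberosGetAFSToken, GSSAPIKeyExchange and GSSAPIEnablek5users unconditionally once the flag is true, yet as far as I can tell none of these are upstream OpenSSH keywords: KerberosUseKuserok and GSSAPIEnablek5users come from the Red Hat patch set, GSSAPIKeyExchange from the separate GSSAPI key-exchange patch, and KerberosGetAFSToken is only recognised in builds compiled with AFS support. On an sshd that lacks them the daemon exits with "Bad configuration option" and the host becomes unreachable over SSH after the next Puppet run. I would either wrap each distribution-specific keyword in its own conditional, e.g. `<% if @ssh_kerberos_use_kuserok != 'no' -%>` defaulting to not emitting it, or at minimum make sure the file resource that consumes this template (not visible in this patch) carries `validate_cmd => '/usr/sbin/sshd -t -f %'` so a bad keyword is caught before the live config is replaced.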