confdroid/confdroid_ssh
1
0
Fork 0
Code Issues Projects Wiki Activity

OP#575 add kerberis and gssapi sections

Browse Source
This commit is contained in:
Arne Teuke
2026-04-13 14:53:58 +02:00
parent c97d093d84
commit 71a2706a3f
2 changed files with 70 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
manifests/params.pp
View File

@@ -46,6 +46,49 @@
# Default is 'no', which is a recommended security setting together # Default is 'no', which is a recommended security setting together
# with password authentication, but can be set to 'yes' if # with password authentication, but can be set to 'yes' if
# keyboard-interactive authentication should be allowed. (not recommended) # keyboard-interactive authentication should be allowed. (not recommended)
# @param [String] ssh_kerberos_authentication setting for sshd_config.
# Default is 'no'. Kerberos authentication is not commonly used and
# requires a lot of other settings, so it is disabled by default, but can be
# set to 'yes' if desired.
# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication is
# enabled, and should be set to 'yes' if you want to allow local password
# authentication as a fallback if Kerberos authentication fails, but can be
# set to 'no' if you want to only allow Kerberos authentication.
# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
# Default is 'no'. This setting is only relevant if Kerberos authentication
# is enabled, and should be set to 'yes' if you want to enable userok with
# Kerberos, but can be set to 'no' if you want to disable it.
# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
# If true, the relevant Kerberos settings will be included in the sshd_config,
# otherwise they will be ignored.
# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
# will be disabled. GSSAPI authentication is not commonly used and requires
# a lot of other settings, so it is disabled by default, but can be set to
# true if desired.
# @param [String] ssh_gssapi_authentication setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS authentication,
# but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS credential
# cleanup, but can be set to 'no' if you want to disable it.
# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSS key exchange.
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
############################################################################## ##############################################################################
class confdroid_ssh::params ( class confdroid_ssh::params (
@@ -78,7 +121,19 @@ class confdroid_ssh::params (
String $ssh_log_level = 'INFO', String $ssh_log_level = 'INFO',
String $ssh_password_authentication = 'no', String $ssh_password_authentication = 'no',
String $ssh_permit_empty_passwords = 'no', String $ssh_permit_empty_passwords = 'no',
String $ssh_kbd_interactive_auth = 'no' String $ssh_kbd_interactive_auth = 'no',
Boolean $ssh_use_kerberos = false,
String $ssh_kerberos_authentication = 'yes',
String $ssh_kerberos_or_local_passwd = 'yes',
String $ssh_kerberos_ticket_cleanup = 'yes',
String $ssh_kerberos_get_afstoken = 'no',
String $ssh_kerberos_use_kuserok = 'yes',
Boolean $ssh_use_gssapi = false,
String $ssh_gssapi_authentication = 'yes',
String $ssh_gssapi_cleanup_credentials = 'yes',
String $ssh_gssapi_key_exchange = 'no',
String $ssh_gssapi_enablek5users = 'no',
) { ) {
# default facts # default facts

14
templates/sshd_custom_conf.erb
View File

@@ -32,3 +32,17 @@ PasswordAuthentication <%= @ssh_password_authentication %>
PermitEmptyPasswords <%= @ssh_permit_empty_passwords %> PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %> KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
<% if @ssh_use_kerberos -%>
KerberosAuthentication <%= @ssh_kerberos_authentication %>
KerberosOrLocalPasswd <%= @ssh_kerberos_or_local_passwd %>
KerberosTicketCleanup <%= @ssh_kerberos_ticket_cleanup %>
KerberosGetAFSToken <%= @ssh_kerberos_get_afstoken %>
KerberosUseKuserok <%= @ssh_kerberos_use_kuserok %>
<% end -%>
<% if @ssh_use_gssapi -%>
GSSAPIAuthentication <%= @ssh_gssapi_authentication %>
GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
<% end -%>