OP#575 add kerberis and gssapi sections
@@ -46,6 +46,49 @@
|
||||
# Default is 'no', which is a recommended security setting together
|
||||
# with password authentication, but can be set to 'yes' if
|
||||
# keyboard-interactive authentication should be allowed. (not recommended)
|
||||
# @param [String] ssh_kerberos_authentication setting for sshd_config.
|
||||
# Default is 'no'. Kerberos authentication is not commonly used and
|
||||
# requires a lot of other settings, so it is disabled by default, but can be
|
||||
# set to 'yes' if desired.
|
||||
# @param [String] ssh_kerberos_or_local_passwd setting for sshd_config.
|
||||
# Default is 'no'. This setting is only relevant if Kerberos authentication is
|
||||
# enabled, and should be set to 'yes' if you want to allow local password
|
||||
# authentication as a fallback if Kerberos authentication fails, but can be
|
||||
# set to 'no' if you want to only allow Kerberos authentication.
|
||||
# @param [String] ssh_kerberos_ticket_cleanup setting for sshd_config.
|
||||
# Default is 'no'. This setting is only relevant if Kerberos authentication
|
||||
# is enabled, and should be set to 'yes' if you want to enable ticket cleanup,
|
||||
# but can be set to 'no' if you want to disable it.
|
||||
# @param [String] ssh_kerberos_get_afstoken setting for sshd_config.
|
||||
# Default is 'no'. This setting is only relevant if Kerberos authentication
|
||||
# is enabled, and should be set to 'yes' if you want to enable AFS token retrieval,
|
||||
# but can be set to 'no' if you want to disable it.
|
||||
# @param [String] ssh_kerberos_use_kuserok setting for sshd_config.
|
||||
# Default is 'no'. This setting is only relevant if Kerberos authentication
|
||||
# is enabled, and should be set to 'yes' if you want to enable userok with
|
||||
# Kerberos, but can be set to 'no' if you want to disable it.
|
||||
# @param [Boolean] ssh_use_kerberos whether to use Kerberos authentication.
|
||||
# If true, the relevant Kerberos settings will be included in the sshd_config,
|
||||
# otherwise they will be ignored.
|
||||
# @param [Boolean] ssh_use_gssapi whether to use GSSAPI authentication.
|
||||
# If true, GSSAPI authentication will be enabled in sshd_config, otherwise it
|
||||
# will be disabled. GSSAPI authentication is not commonly used and requires
|
||||
# a lot of other settings, so it is disabled by default, but can be set to
|
||||
# true if desired.
|
||||
# @param [String] ssh_gssapi_authentication setting for sshd_config.
|
||||
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
||||
# enabled, and should be set to 'yes' if you want to enable GSS authentication,
|
||||
# but can be set to 'no' if you want to disable it.
|
||||
# @param [String] ssh_gssapi_cleanup_credentials setting for sshd_config.
|
||||
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
||||
# enabled, and should be set to 'yes' if you want to enable GSS credential
|
||||
# cleanup, but can be set to 'no' if you want to disable it.
|
||||
# @param [String] ssh_gssapi_key_exchange setting for sshd_config.
|
||||
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
||||
# enabled, and should be set to 'yes' if you want to enable GSS key exchange.
|
||||
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
|
||||
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
|
||||
# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
|
||||
##############################################################################
|
||||
class confdroid_ssh::params (
|
||||
|
||||
@@ -78,7 +121,19 @@ class confdroid_ssh::params (
|
||||
String $ssh_log_level = 'INFO',
|
||||
String $ssh_password_authentication = 'no',
|
||||
String $ssh_permit_empty_passwords = 'no',
|
||||
String $ssh_kbd_interactive_auth = 'no'
|
||||
String $ssh_kbd_interactive_auth = 'no',
|
||||
Boolean $ssh_use_kerberos = false,
|
||||
String $ssh_kerberos_authentication = 'yes',
|
||||
String $ssh_kerberos_or_local_passwd = 'yes',
|
||||
String $ssh_kerberos_ticket_cleanup = 'yes',
|
||||
String $ssh_kerberos_get_afstoken = 'no',
|
||||
String $ssh_kerberos_use_kuserok = 'yes',
|
||||
Boolean $ssh_use_gssapi = false,
|
||||
String $ssh_gssapi_authentication = 'yes',
|
||||
String $ssh_gssapi_cleanup_credentials = 'yes',
|
||||
String $ssh_gssapi_key_exchange = 'no',
|
||||
String $ssh_gssapi_enablek5users = 'no',
|
||||
|
||||
|
||||
) {
|
||||
# default facts
|
||||
|
||||
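Review bot: The defaults declared in the second hunk contradict the `@param` text added in the first: `ssh_kerberos_authentication`, `ssh_kerberos_or_local_passwd`, `ssh_kerberos_ticket_cleanup`, `ssh_kerberos_use_kuserok`, `ssh_gssapi_authentication` and `ssh_gssapi_cleanup_credentials` are documented as "Default is 'no'" but declared with `'yes'`. An operator who trusts the docs and sets only `ssh_use_kerberos => true` also gets `KerberosOrLocalPasswd yes` and the other `yes` values, so decide which side is intended and make the comments and the declarations agree. These values are written verbatim into sshd_config by the template, so `String` is looser than it needs to be; `Enum['yes', 'no'] $ssh_kerberos_authentication = 'yes',` (and likewise for the other yes/no parameters) would reject typos and stray content at catalog compile time. The class body continues outside the hunk.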
@@ -32,3 +32,17 @@ PasswordAuthentication <%= @ssh_password_authentication %>
|
||||
PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
|
||||
KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
|
||||
|
||||
<% if @ssh_use_kerberos -%>
|
||||
KerberosAuthentication <%= @ssh_kerberos_authentication %>
|
||||
KerberosOrLocalPasswd <%= @ssh_kerberos_or_local_passwd %>
|
||||
KerberosTicketCleanup <%= @ssh_kerberos_ticket_cleanup %>
|
||||
KerberosGetAFSToken <%= @ssh_kerberos_get_afstoken %>
|
||||
KerberosUseKuserok <%= @ssh_kerberos_use_kuserok %>
|
||||
<% end -%>
|
||||
|
||||
<% if @ssh_use_gssapi -%>
|
||||
GSSAPIAuthentication <%= @ssh_gssapi_authentication %>
|
||||
GSSAPICleanupCredentials <%= @ssh_gssapi_cleanup_credentials %>
|
||||
GSSAPIKeyExchange <%= @ssh_gssapi_key_exchange %>
|
||||
GSSAPIEnablek5users <%= @ssh_gssapi_enablek5users %>
|
||||
<% end -%>
|
||||
|
||||
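Review bot: When `@ssh_use_kerberos` or `@ssh_use_gssapi` is false, the block emits nothing, so the method is not actually switched off. sshd then uses its built-in or distribution default, or whatever another included config file sets, while the parameter docs say GSSAPI "will be disabled". If disabled is the intent, pin it with an else branch, e.g. `<% else -%>` followed by `GSSAPIAuthentication no` (and `KerberosAuthentication no` in the Kerberos block). Separately, `KerberosUseKuserok`, `GSSAPIEnablek5users` and `GSSAPIKeyExchange` are, as far as I know, distribution patches rather than upstream OpenSSH options, and an sshd built without them rejects the whole file. It is worth confirming that the file resource, which is not visible here, validates the rendered config with `sshd -t` before the service is reloaded.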