diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index ff0a9cd..0000000 --- a/Jenkinsfile +++ /dev/null @@ -1,129 +0,0 @@ -pipeline { - agent { - label 'puppet' - } - - post { - always { - deleteDir() /* clean up our workspace */ - } - success { - updateGitlabCommitStatus state: 'success' - } - failure { - updateGitlabCommitStatus state: 'failed' - step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'support@confdroid.com', sendToIndividuals: true]) - } - } - - options { - gitLabConnection('gitlab.confdroid.com') - } - - stages { - - stage('pull master') { - steps { - sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) { - sh ''' - git config user.name "Jenkins Server" - git config user.email jenkins@confdroid.com - # Ensure we're on the development branch (triggered by push) - git checkout development - # Create jenkins branch from development - git checkout -b jenkins-build-$BUILD_NUMBER - # Optionally merge master into jenkins to ensure compatibility - git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; } - ''' - } - } - } - - stage('puppet parser') { - steps { - sh '''for file in $(find . -iname \'*.pp\'); do - /opt/puppetlabs/bin/puppet parser validate --color false --render-as s --modulepath=modules $file || exit 1; - done;''' - } - } - - stage('check templates') { - steps{ - sh '''for file in $(find . -iname \'*.erb\'); - do erb -P -x -T "-" $file | ruby -c || exit 1; - done;''' - } - } - - stage('puppet-lint') { - steps { - sh '''/usr/local/bin/puppet-lint . \\ - --no-variable_scope-check \\ - || { echo "Puppet lint failed"; exit 1; } - ''' - } - } - - stage('SonarScan') { - steps { - withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) { - sh ''' - /opt/sonar-scanner/bin/sonar-scanner \ - -Dsonar.projectKey=confdroid_ssh \ - -Dsonar.sources=. \ - -Dsonar.host.url=https://sonarqube.confdroid.com \ - -Dsonar.token=$SONAR_TOKEN - ''' - } - } - } - - stage('create Puppet documentation') { - steps { - sh '/opt/puppetlabs/bin/puppet strings' - } - } - - stage('update repo') { - steps { - sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) { - sh ''' - git config user.name "Jenkins Server" - git config user.email jenkins@confdroid.com - git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit" - git push -o merge_request.create \ - -o merge_request.target=master \ - -o merge_request.title="Auto-merge for build $BUILD_NUMBER" \ - -o merge_request.description="Automated changes from Jenkins build $BUILD_NUMBER" \ - -o merge_request.merge_when_pipeline_succeeds=true \ - origin jenkins-build-$BUILD_NUMBER - ''' - } - } - } - stage('Mirror to Gitea') { - steps { - withCredentials([usernamePassword( - credentialsId: 'Jenkins-gitea', - usernameVariable: 'GITEA_USER', - passwordVariable: 'GITEA_TOKEN')]) { - script { - // Checkout from GitLab (already done implicitly) - sh ''' - git checkout master - git pull origin master - git branch -D development - git branch -D jenkins-build-$BUILD_NUMBER - git rm -f Jenkinsfile - git rm -r --cached .vscode || echo "No .vscode to remove from git" - git commit --amend --no-edit --allow-empty - git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git - git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \ - push master --mirror - ''' - } - } - } - } - } -} \ No newline at end of file diff --git a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html index 5feebb8..db161d4 100644 --- a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html +++ b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html @@ -772,6 +772,24 @@ —

setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSSAPI for k5users.

+
+ + + +
  • + + ssh_use_pam + + + (String) + + + (defaults to: 'no') + + + — +
    +

    setting for sshd_config. Default is ‘no’. PAM is not commonly used for SSH authentication and can introduce security risks if not configured properly, so it is disabled by default. Thi setting is related to PasswordAuthentication and KbdInteractiveAuthentication, and should be set to ‘yes’ only if you want to use PAM for authentication together with those settings.

    • @@ -787,12 +805,6 @@ 
     
 
-93
-94
-95
-96
-97
-98
 99
 100
 101
@@ -852,10 +864,16 @@
 155
 156
 157
-158
    +158 +159 +160 +161 +162 +163 +164 - 
    # File 'manifests/params.pp', line 93
+        
    # File 'manifests/params.pp', line 99
 
 class confdroid_ssh::params (
 
@@ -896,11 +914,11 @@ class confdroid_ssh::params (
   String  $ssh_kerberos_get_afstoken        = 'no',
   String  $ssh_kerberos_use_kuserok         = 'yes',
   Boolean $ssh_use_gssapi                   = false,
-  String  $ssh_gssapi_authentication         = 'yes',
-  String  $ssh_gssapi_cleanup_credentials    = 'yes',
-  String  $ssh_gssapi_key_exchange           = 'no',
-  String  $ssh_gssapi_enablek5users          = 'no',
-
+  String  $ssh_gssapi_authentication        = 'yes',
+  String  $ssh_gssapi_cleanup_credentials   = 'yes',
+  String  $ssh_gssapi_key_exchange          = 'no',
+  String  $ssh_gssapi_enablek5users         = 'no',
+  String  $ssh_use_pam                      = 'no',
 
 ) {
 # default facts
diff --git a/manifests/params.pp b/manifests/params.pp
index 10e9ef7..5c862f1 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -89,6 +89,12 @@
 # @param [String] ssh_gssapi_enablek5users setting for sshd_config.
 #   Default is 'no'. This setting is only relevant if GSSAPI authentication is 
 #   enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
+# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
+#   commonly used for SSH authentication and can introduce security risks if 
+#   not configured properly, so it is disabled by default. Thi setting is 
+#   related to PasswordAuthentication and KbdInteractiveAuthentication, and 
+#   should be set to 'yes' only if you want to use PAM for authentication 
+#   together with those settings.
 ##############################################################################
 class confdroid_ssh::params (
 
@@ -129,11 +135,11 @@ class confdroid_ssh::params (
   String  $ssh_kerberos_get_afstoken        = 'no',
   String  $ssh_kerberos_use_kuserok         = 'yes',
   Boolean $ssh_use_gssapi                   = false,
-  String  $ssh_gssapi_authentication         = 'yes',
-  String  $ssh_gssapi_cleanup_credentials    = 'yes',
-  String  $ssh_gssapi_key_exchange           = 'no',
-  String  $ssh_gssapi_enablek5users          = 'no',
-
+  String  $ssh_gssapi_authentication        = 'yes',
+  String  $ssh_gssapi_cleanup_credentials   = 'yes',
+  String  $ssh_gssapi_key_exchange          = 'no',
+  String  $ssh_gssapi_enablek5users         = 'no',
+  String  $ssh_use_pam                      = 'no',
 
 ) {
 # default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index 01634b1..4781f08 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -31,6 +31,7 @@ AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
 PasswordAuthentication <%= @ssh_password_authentication %>
 PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
 KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+UsePAM <%= @ssh_use_pam %>
 
 <% if @ssh_use_kerberos -%>
 KerberosAuthentication <%= @ssh_kerberos_authentication %>