diff --git a/manifests/params.pp b/manifests/params.pp
index 10e9ef7..5c862f1 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -89,6 +89,12 @@
 # @param [String] ssh_gssapi_enablek5users setting for sshd_config.
 # Default is 'no'. This setting is only relevant if GSSAPI authentication is
 # enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
+# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
+# commonly used for SSH authentication and can introduce security risks if
+# not configured properly, so it is disabled by default. Thi setting is
+# related to PasswordAuthentication and KbdInteractiveAuthentication, and
+# should be set to 'yes' only if you want to use PAM for authentication
+# together with those settings.
 ##############################################################################
 class confdroid_ssh::params (
@@ -129,11 +135,11 @@ class confdroid_ssh::params (
 String $ssh_kerberos_get_afstoken = 'no',
 String $ssh_kerberos_use_kuserok = 'yes',
 Boolean $ssh_use_gssapi = false,
- String $ssh_gssapi_authentication = 'yes',
- String $ssh_gssapi_cleanup_credentials = 'yes',
- String $ssh_gssapi_key_exchange = 'no',
- String $ssh_gssapi_enablek5users = 'no',
-
+ String $ssh_gssapi_authentication = 'yes',
+ String $ssh_gssapi_cleanup_credentials = 'yes',
+ String $ssh_gssapi_key_exchange = 'no',
+ String $ssh_gssapi_enablek5users = 'no',
+ String $ssh_use_pam = 'no',
 ) {
 # default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index 01634b1..4781f08 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
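Review bot: The added `ssh_use_pam` comment has a typo (`Thi setting`) and describes UsePAM only as an authentication switch, although in sshd it also turns PAM account and session module processing on or off for every authentication type, including public keys. I would reword the second half to something like `# This setting also controls PAM account and session processing for all SSH logins,` followed by `# so 'no' skips any rules that are enforced through the PAM stack.` The statement that PAM is "not commonly used" is worth checking against the platforms this module targets, since several distributions ship sshd with UsePAM enabled. The comment block this hunk extends starts above the hunk.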
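Review bot: The new parameter `String $ssh_use_pam = 'no',` accepts any string, and the template writes the value into sshd_config unchanged, so a mistyped value is only noticed when sshd parses the file. Declaring it as `Enum['yes', 'no'] $ssh_use_pam = 'no',` would reject a bad value at catalog compilation and keep a broken config off the node. The GSSAPI yes/no parameters re-aligned in this hunk have the same loose type, but they are only whitespace changes here. The parameter list begins above the hunk and the class body continues below it.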
@@ -31,6 +31,7 @@ AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
 PasswordAuthentication <%= @ssh_password_authentication %>
 PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
 KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+UsePAM <%= @ssh_use_pam %>
 <% if @ssh_use_kerberos -%>
 KerberosAuthentication <%= @ssh_kerberos_authentication %>
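Review bot: The added `UsePAM <%= @ssh_use_pam %>` line is rendered unconditionally, so with the parameter default of 'no' every node that receives this template gets PAM switched off for sshd, whatever value it was running with before. With UsePAM off, sshd stops running the PAM account and session stacks, so controls that live there (account lockout, access rules, resource limits, session setup) no longer apply to SSH logins. Whether any managed node depends on those controls is not visible from this diff. I would either default the parameter to the value the target platform ships with or state the behaviour change in the release notes. A template comment above the line, such as `# UsePAM no also disables PAM account and session modules for SSH logins`, would help as well; the template continues on both sides of this hunk.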