OP#575 add kerberos and gssapi sections am PAM

manifests/params.pp

@@ -89,6 +89,12 @@
 # @param [String] ssh_gssapi_enablek5users setting for sshd_config.
 #   Default is 'no'. This setting is only relevant if GSSAPI authentication is 
 #   enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
+# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
+#   commonly used for SSH authentication and can introduce security risks if 
+#   not configured properly, so it is disabled by default. Thi setting is 
+#   related to PasswordAuthentication and KbdInteractiveAuthentication, and 
+#   should be set to 'yes' only if you want to use PAM for authentication 
+#   together with those settings.
 ##############################################################################
 class confdroid_ssh::params (
 
@@ -129,11 +135,11 @@ class confdroid_ssh::params (
   String  $ssh_kerberos_get_afstoken        = 'no',
   String  $ssh_kerberos_use_kuserok         = 'yes',
   Boolean $ssh_use_gssapi                   = false,
-  String  $ssh_gssapi_authentication         = 'yes',
-  String  $ssh_gssapi_cleanup_credentials    = 'yes',
-  String  $ssh_gssapi_key_exchange           = 'no',
-  String  $ssh_gssapi_enablek5users          = 'no',
-
+  String  $ssh_gssapi_authentication        = 'yes',
+  String  $ssh_gssapi_cleanup_credentials   = 'yes',
+  String  $ssh_gssapi_key_exchange          = 'no',
+  String  $ssh_gssapi_enablek5users         = 'no',
+  String  $ssh_use_pam                      = 'no',
 
 ) {
 # default facts

templates/sshd_custom_conf.erb

@@ -31,6 +31,7 @@ AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
 PasswordAuthentication <%= @ssh_password_authentication %>
 PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
 KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+UsePAM <%= @ssh_use_pam %>
 
 <% if @ssh_use_kerberos -%>
 KerberosAuthentication <%= @ssh_kerberos_authentication %>