setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSSAPI for k5users.
+setting for sshd_config. Default is ‘no’. PAM is not commonly used for SSH authentication and can introduce security risks if not configured properly, so it is disabled by default. Thi setting is related to PasswordAuthentication and KbdInteractiveAuthentication, and should be set to ‘yes’ only if you want to use PAM for authentication together with those settings.
-93 -94 -95 -96 -97 -98 99 100 101 @@ -852,10 +864,16 @@ 155 156 157 -158+158 +159 +160 +161 +162 +163 +164
# File 'manifests/params.pp', line 93
+ # File 'manifests/params.pp', line 99
class confdroid_ssh::params (
@@ -896,11 +914,11 @@ class confdroid_ssh::params (
String $ssh_kerberos_get_afstoken = 'no',
String $ssh_kerberos_use_kuserok = 'yes',
Boolean $ssh_use_gssapi = false,
- String $ssh_gssapi_authentication = 'yes',
- String $ssh_gssapi_cleanup_credentials = 'yes',
- String $ssh_gssapi_key_exchange = 'no',
- String $ssh_gssapi_enablek5users = 'no',
-
+ String $ssh_gssapi_authentication = 'yes',
+ String $ssh_gssapi_cleanup_credentials = 'yes',
+ String $ssh_gssapi_key_exchange = 'no',
+ String $ssh_gssapi_enablek5users = 'no',
+ String $ssh_use_pam = 'no',
) {
# default facts
diff --git a/manifests/params.pp b/manifests/params.pp
index 10e9ef7..5c862f1 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -89,6 +89,12 @@
# @param [String] ssh_gssapi_enablek5users setting for sshd_config.
# Default is 'no'. This setting is only relevant if GSSAPI authentication is
# enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
+# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
+# commonly used for SSH authentication and can introduce security risks if
+# not configured properly, so it is disabled by default. Thi setting is
+# related to PasswordAuthentication and KbdInteractiveAuthentication, and
+# should be set to 'yes' only if you want to use PAM for authentication
+# together with those settings.
##############################################################################
class confdroid_ssh::params (
@@ -129,11 +135,11 @@ class confdroid_ssh::params (
String $ssh_kerberos_get_afstoken = 'no',
String $ssh_kerberos_use_kuserok = 'yes',
Boolean $ssh_use_gssapi = false,
- String $ssh_gssapi_authentication = 'yes',
- String $ssh_gssapi_cleanup_credentials = 'yes',
- String $ssh_gssapi_key_exchange = 'no',
- String $ssh_gssapi_enablek5users = 'no',
-
+ String $ssh_gssapi_authentication = 'yes',
+ String $ssh_gssapi_cleanup_credentials = 'yes',
+ String $ssh_gssapi_key_exchange = 'no',
+ String $ssh_gssapi_enablek5users = 'no',
+ String $ssh_use_pam = 'no',
) {
# default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index 01634b1..4781f08 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -31,6 +31,7 @@ AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
PasswordAuthentication <%= @ssh_password_authentication %>
PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+UsePAM <%= @ssh_use_pam %>
<% if @ssh_use_kerberos -%>
KerberosAuthentication <%= @ssh_kerberos_authentication %>