From c8139772a2d7c49abc39a0dfe25ae2924c256828 Mon Sep 17 00:00:00 2001
From: 12ww1160 <12ww1160@confdroid.com>
Date: Mon, 13 Apr 2026 15:00:24 +0200
Subject: [PATCH 1/2] OP#575 add kerberos and gssapi sections am PAM
---
 manifests/params.pp | 16 +++++++++++-----
 templates/sshd_custom_conf.erb | 1 +
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/manifests/params.pp b/manifests/params.pp
index 10e9ef7..5c862f1 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -89,6 +89,12 @@
 # @param [String] ssh_gssapi_enablek5users setting for sshd_config.
 # Default is 'no'. This setting is only relevant if GSSAPI authentication is
 # enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
+# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
+# commonly used for SSH authentication and can introduce security risks if
+# not configured properly, so it is disabled by default. Thi setting is
+# related to PasswordAuthentication and KbdInteractiveAuthentication, and
+# should be set to 'yes' only if you want to use PAM for authentication
+# together with those settings.
 ##############################################################################
 class confdroid_ssh::params (
@@ -129,11 +135,11 @@ class confdroid_ssh::params (
 String $ssh_kerberos_get_afstoken = 'no',
 String $ssh_kerberos_use_kuserok = 'yes',
 Boolean $ssh_use_gssapi = false,
- String $ssh_gssapi_authentication = 'yes',
- String $ssh_gssapi_cleanup_credentials = 'yes',
- String $ssh_gssapi_key_exchange = 'no',
- String $ssh_gssapi_enablek5users = 'no',
-
+ String $ssh_gssapi_authentication = 'yes',
+ String $ssh_gssapi_cleanup_credentials = 'yes',
+ String $ssh_gssapi_key_exchange = 'no',
+ String $ssh_gssapi_enablek5users = 'no',
+ String $ssh_use_pam = 'no',
 ) {
 # default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index 01634b1..4781f08 100644
--- a/templates/sshd_custom_conf.erb
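Review bot: The added `ssh_use_pam` description in the parameter comment block understates what the directive controls: per sshd_config(5), `UsePAM` also turns on PAM account and session processing for every authentication type, so the documented default of 'no' skips modules such as pam_faillock, pam_access and pam_limits for public-key logins too. The statement that PAM is not commonly used for SSH also conflicts with the stock sshd_config on Debian- and RHEL-family systems, which ship `UsePAM yes`. I would reword the block to say that 'no' disables PAM authentication as well as PAM account and session checks, and correct `Thi setting` to `This setting`.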
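Review bot: `String $ssh_use_pam = 'no'` accepts any string, and the template change in this patch writes the value into sshd_config verbatim, so a typo or a multi-line value from node data is not caught before the file is rendered. Constraining the type rejects such values at catalog compile time: `Enum['yes', 'no'] $ssh_use_pam = 'no',`. The neighbouring yes/no parameters visible in this hunk are plain `String` as well and would benefit from the same type, though that is outside this change. The class parameter list starts and ends outside the hunk.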
+++ b/templates/sshd_custom_conf.erb
@@ -31,6 +31,7 @@ AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
 PasswordAuthentication <%= @ssh_password_authentication %>
 PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
 KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+UsePAM <%= @ssh_use_pam %>
 <% if @ssh_use_kerberos -%>
 KerberosAuthentication <%= @ssh_kerberos_authentication %>
From a648676a517363e1fa9733866957b96d7a5af6b7 Mon Sep 17 00:00:00 2001
From: Jenkins Server
Date: Mon, 13 Apr 2026 15:01:32 +0200
Subject: [PATCH 2/2] Recommit for updates in build 23
---
 .../confdroid_ssh_3A_3Aparams.html | 44 +++++++++++++------
 1 file changed, 31 insertions(+), 13 deletions(-)
diff --git a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
index 5feebb8..db161d4 100644
--- a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
+++ b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
@@ -772,6 +772,24 @@ —
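Review bot: `UsePAM <%= @ssh_use_pam %>` is rendered unconditionally, unlike the Kerberos block right below it that is guarded by `<% if @ssh_use_kerberos -%>`, so with the new default every managed host receives an explicit `UsePAM no` on its next run. Where a host previously ran with the distribution's `UsePAM yes`, this presumably changes login behaviour (PAM account and session modules stop running) without anyone opting in. Consider emitting the line only when the parameter is explicitly set, or defaulting to the platform's value, and call the behaviour change out in the release notes. The template continues outside the hunk.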

setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSSAPI for k5users.

+
+ + + +
  • + + ssh_use_pam + + + (String) + + + (defaults to: 'no') + + + — +
    +

    setting for sshd_config. Default is ‘no’. PAM is not commonly used for SSH authentication and can introduce security risks if not configured properly, so it is disabled by default. Thi setting is related to PasswordAuthentication and KbdInteractiveAuthentication, and should be set to ‘yes’ only if you want to use PAM for authentication together with those settings.

  • @@ -787,12 +805,6 @@
     
     
    -93
    -94
    -95
    -96
    -97
    -98
     99
     100
     101
    @@ -852,10 +864,16 @@
     155
     156
     157
    -158
    +158 +159 +160 +161 +162 +163 +164 -
    # File 'manifests/params.pp', line 93
    +        
    # File 'manifests/params.pp', line 99
     
     class confdroid_ssh::params (
     
    @@ -896,11 +914,11 @@ class confdroid_ssh::params (
       String  $ssh_kerberos_get_afstoken        = 'no',
       String  $ssh_kerberos_use_kuserok         = 'yes',
       Boolean $ssh_use_gssapi                   = false,
    -  String  $ssh_gssapi_authentication         = 'yes',
    -  String  $ssh_gssapi_cleanup_credentials    = 'yes',
    -  String  $ssh_gssapi_key_exchange           = 'no',
    -  String  $ssh_gssapi_enablek5users          = 'no',
    -
    +  String  $ssh_gssapi_authentication        = 'yes',
    +  String  $ssh_gssapi_cleanup_credentials   = 'yes',
    +  String  $ssh_gssapi_key_exchange          = 'no',
    +  String  $ssh_gssapi_enablek5users         = 'no',
    +  String  $ssh_use_pam                      = 'no',
     
     ) {
     # default facts