Merge branch 'jenkins-build-23' into 'master'

Auto-merge for build 23

See merge request puppet/confdroid_ssh!23

doc/puppet_classes/confdroid_ssh_3A_3Aparams.html

@@ -772,6 +772,24 @@
         —
         <div class='inline'>
 <p>setting for sshd_config. Default is ‘no’. This setting is only relevant if GSSAPI authentication is enabled, and should be set to ‘yes’ if you want to enable GSSAPI for k5users.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_use_pam</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’. PAM is not commonly used for SSH authentication and can introduce security risks if not configured properly, so it is disabled by default. Thi setting is related to PasswordAuthentication and KbdInteractiveAuthentication, and should be set to ‘yes’ only if you want to use PAM for authentication together with those settings.</p>
 </div>
       
     </li>
@@ -787,12 +805,6 @@
         <pre class="lines">
 
 
-93
-94
-95
-96
-97
-98
 99
 100
 101
@@ -852,10 +864,16 @@
 155
 156
 157
-158</pre>
+158
+159
+160
+161
+162
+163
+164</pre>
       </td>
       <td>
-        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 93</span>
+        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 99</span>
 
 class confdroid_ssh::params (
 
@@ -900,7 +918,7 @@ class confdroid_ssh::params (
   String  $ssh_gssapi_cleanup_credentials   = &#39;yes&#39;,
   String  $ssh_gssapi_key_exchange          = &#39;no&#39;,
   String  $ssh_gssapi_enablek5users         = &#39;no&#39;,
-
+  String  $ssh_use_pam                      = &#39;no&#39;,
 
 ) {
 # default facts

manifests/params.pp

@@ -89,6 +89,12 @@
 # @param [String] ssh_gssapi_enablek5users setting for sshd_config.
 #   Default is 'no'. This setting is only relevant if GSSAPI authentication is 
 #   enabled, and should be set to 'yes' if you want to enable GSSAPI for k5users.
+# @param [String] ssh_use_pam setting for sshd_config. Default is 'no'. PAM is not
+#   commonly used for SSH authentication and can introduce security risks if 
+#   not configured properly, so it is disabled by default. Thi setting is 
+#   related to PasswordAuthentication and KbdInteractiveAuthentication, and 
+#   should be set to 'yes' only if you want to use PAM for authentication 
+#   together with those settings.
 ##############################################################################
 class confdroid_ssh::params (
 
@@ -133,7 +139,7 @@ class confdroid_ssh::params (
   String  $ssh_gssapi_cleanup_credentials   = 'yes',
   String  $ssh_gssapi_key_exchange          = 'no',
   String  $ssh_gssapi_enablek5users         = 'no',
-
+  String  $ssh_use_pam                      = 'no',
 
 ) {
 # default facts

templates/sshd_custom_conf.erb

@@ -31,6 +31,7 @@ AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
 PasswordAuthentication <%= @ssh_password_authentication %>
 PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
 KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+UsePAM <%= @ssh_use_pam %>
 
 <% if @ssh_use_kerberos -%>
 KerberosAuthentication <%= @ssh_kerberos_authentication %>