From 0f83ed06573c10df00c5e2439d57f5d1f7f378da Mon Sep 17 00:00:00 2001
From: Mischa ter Smitten
Date: Mon, 20 Jul 2015 10:49:54 +0200
Subject: [PATCH] Make KerberosGetAFSToken (and related) settings optional to prevent errors in log file

Fixes #2
---
 README.md                        | 12 ++++++------
 defaults/main.yml                |  6 ------
 templates/etc/ssh/sshd_config.j2 | 12 ++++++++++++
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index b51ee7d..efdc8f9 100644
--- a/README.md
+++ b/README.md
@@ -34,12 +34,12 @@ None
 * `ssh_server_permit_empty_passwords`: [default: `false`]: When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings
 * `ssh_server_challenge_response_authentication`: [default: `false`]: Specifies whether challenge-response authentication is allowed (e.g. via `PAM`)
 * `ssh_server_password_authentication`: [default: `true`]: Specifies whether password authentication is allowed
-* `ssh_server_kerberos_authentication`: [default: `false`]: Specifies whether the password provided by the user for `PasswordAuthentication` will be validated through the Kerberos KDC
-* `ssh_server_kerberos_get_afs_token`: [default: `false`]: If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user's home directory
-* `ssh_server_kerberos_or_local_passwd`: [default: `true`]: If password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as `/etc/passwd`
-* `ssh_server_kerberos_ticket_cleanup`: [default: `true`]: Specifies whether to automatically destroy the user's ticket cache file on logout
-* `ssh_server_gssapi_authentication`: [default: `false`]: Specifies whether user authentication based on GSSAPI is allowed
-* `ssh_server_gssapi_cleanup_credentials`: [default: `true`]: Specifies whether to automatically destroy the user's credentials cache on logout
+* `ssh_server_kerberos_authentication`: [optional, default: `false`]: Specifies whether the password provided by the user for `PasswordAuthentication` will be validated through the Kerberos KDC
+* `ssh_server_kerberos_get_afs_token`: [optional, default: `false`]: If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user's home directory
+* `ssh_server_kerberos_or_local_passwd`: [optional, default: `true`]: If password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as `/etc/passwd`
+* `ssh_server_kerberos_ticket_cleanup`: [optional, default: `true`]: Specifies whether to automatically destroy the user's ticket cache file on logout
+* `ssh_server_gssapi_authentication`: [optional, default: `false`]: Specifies whether user authentication based on GSSAPI is allowed
+* `ssh_server_gssapi_cleanup_credentials`: [optional, default: `true`]: Specifies whether to automatically destroy the user's credentials cache on logout
 * `ssh_server_x11_forwarding`: [default: `true`]: Specifies whether X11 forwarding is permitted
 * `ssh_server_x11_display_offset`: [default: `10`]: Specifies the first display number available for `sshd`'s X11 forwarding. This prevents `sshd` from interfering with real X11 servers
 * `ssh_server_print_motd`: [default: `false`]: Specifies whether `sshd` should print `/etc/motd` when a user logs in interactively
diff --git a/defaults/main.yml b/defaults/main.yml
index cdcb514..26f0e73 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -30,12 +30,6 @@ ssh_server_ignore_user_known_hosts: false
 ssh_server_permit_empty_passwords: false
 ssh_server_challenge_response_authentication: false
 ssh_server_password_authentication: true
-ssh_server_kerberos_authentication: false
-ssh_server_kerberos_get_afs_token: false
-ssh_server_kerberos_or_local_passwd: true
-ssh_server_kerberos_ticket_cleanup: true
-ssh_server_gssapi_authentication: false
-ssh_server_gssapi_cleanup_credentials: true
 ssh_server_x11_forwarding: true
 ssh_server_x11_display_offset: 10
 ssh_server_print_motd: false
diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
index 5077e62..5669784 100644
--- a/templates/etc/ssh/sshd_config.j2
+++ b/templates/etc/ssh/sshd_config.j2
@@ -56,14 +56,26 @@ ChallengeResponseAuthentication {{ 'yes' if ssh_server_challenge_response_authen
 PasswordAuthentication {{ 'yes' if ssh_server_password_authentication else 'no' }}
 # Kerberos options
+{% if ssh_server_kerberos_authentication is defined %}
 KerberosAuthentication {{ 'yes' if ssh_server_kerberos_authentication else 'no' }}
+{% endif %}
+{% if ssh_server_kerberos_get_afs_token is defined %}
 KerberosGetAFSToken {{ 'yes' if ssh_server_kerberos_get_afs_token else 'no' }}
+{% endif %}
+{% if ssh_server_kerberos_or_local_passwd is defined %}
 KerberosOrLocalPasswd {{ 'yes' if ssh_server_kerberos_or_local_passwd else 'no' }}
+{% endif %}
+{% if ssh_server_kerberos_ticket_cleanup is defined %}
 KerberosTicketCleanup {{ 'yes' if ssh_server_kerberos_ticket_cleanup else 'no' }}
+{% endif %}
 # GSSAPI options
+{% if ssh_server_gssapi_authentication is defined %}
 GSSAPIAuthentication {{ 'yes' if ssh_server_gssapi_authentication else 'no' }}
+{% endif %}
+{% if ssh_server_gssapi_cleanup_credentials is defined %}
 GSSAPICleanupCredentials {{ 'yes' if ssh_server_gssapi_cleanup_credentials else 'no' }}
+{% endif %}
 X11Forwarding {{ 'yes' if ssh_server_x11_forwarding else 'no' }}
 X11DisplayOffset {{ ssh_server_x11_display_offset }}
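Review bot: The `{% if … is defined %}` guards around KerberosAuthentication and GSSAPIAuthentication turn the role's formerly explicit `no` into an omitted directive, so the rendered file no longer states the authentication posture and nothing in the template says what "unset" now means; I'd put `# Unset ssh_server_kerberos_* / ssh_server_gssapi_* variables omit the directive, so sshd's built-in default applies (see sshd_config(5))` above the `# Kerberos options` heading. For a stock OpenSSH build those built-in defaults appear to match the values just removed from `defaults/main.yml`, but a patched or differently configured sshd may not, so operators who want an auditable explicit `GSSAPIAuthentication no` in the file now have to set the variable themselves, which the comment should point out. The `# Kerberos options` and `# GSSAPI options` headings still render when every variable beneath them is undefined, leaving empty sections in the generated config; guarding each heading with the same `is defined` test on its variables, or dropping the headings, keeps the output tidy. Six near-identical guard/endif pairs are also a style point: a small list of `(directive, variable)` pairs iterated in one loop would make it harder to forget a guard when the next option is added.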