From 72e24df3b6abbd28dccc8d3fb9a240a62220cdfe Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 14 Dec 2010 13:22:43 -0500 Subject: add Debian Squeeze sshd template. Enabled kerberos and gssapi options, using the defaults when not specified --- manifests/init.pp | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) (limited to 'manifests/init.pp')
diff --git a/manifests/init.pp b/manifests/init.pp
index 4f82542..002b927 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -76,7 +76,36 @@
 # sshd_password_authentication: If you want to enable password authentication or not
 # Valid values: yes or no
 # Default: no
-#
+#
+# sshd_kerberos_authentication: If you want the password that is provided by the user to be
+# validated through the Kerberos KDC. To use this option the
+# server needs a Kerberos servtab which allows the verification of
+# the KDC's identity.
+# Valid values: yes or no
+# Default: no
+#
+# sshd_kerberos_getafstoken: If AFS is active and user has a Kerberos 5 TGT, attempt to
+# acquire an AFS token before accessing the user's home directory.
+# Valid values: yes or no
+# Default: no
+#
+# sshd_kerberos_orlocalpasswd: If password authentication through Kerberos fails, then the password
+# will be validated via any additional local mechanism.
+# Valid values: yes or no
+# Default: yes
+#
+# sshd_kerberos_ticketcleanup: Destroy the user's ticket cache file on logout?
+# Valid values: yes or no
+# Default: yes
+#
+# sshd_gssapi_authentication: Authenticate users based on GSSAPI?
+# Valid values: yes or no
+# Default: no
+#
+# sshd_gssapi_cleanupcredentials: Destroy user's credential cache on logout?
+# Valid values: yes or no
+# Default: yes
+#
 # sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
 # When disabled, s/key passowords are disabled
 # Valid values: yes or no
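Review bot: The new comment for sshd_kerberos_authentication does not mention that the option only acts on passwords submitted through password authentication, which this class documents as defaulting to no a few lines above. In sshd, KerberosAuthentication validates the password given for PasswordAuthentication, so setting only `$sshd_kerberos_authentication = 'yes'` changes nothing at login. I would add a line such as `# Only takes effect when sshd_password_authentication is yes` to that entry, and note on sshd_kerberos_orlocalpasswd that its default of yes keeps local passwords valid when the KDC check fails.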
@@ -160,6 +189,24 @@ class sshd {
 case $sshd_password_authentication {
 '': { $sshd_password_authentication = 'no' }
 }
+ case $sshd_kerberos_authentication {
+ '': { $sshd_kerberos_authentication = 'no' }
+ }
+ case $sshd_kerberos_getafstoken {
+ '': { $sshd_kerberos_getafstoken = 'no' }
+ }
+ case $sshd_kerberos_orlocalpasswd {
+ '': { $sshd_kerberos_orlocalpasswd = 'yes' }
+ }
+ case $sshd_kerberos_ticketcleanup {
+ '': { $sshd_kerberos_ticketcleanup = 'yes' }
+ }
+ case $sshd_gssapi_authentication {
+ '': { $sshd_gssapi_authentication = 'no' }
+ }
+ case $sshd_gssapi_cleanupcredentials {
+ '': { $sshd_gssapi_cleanupcredentials = 'yes' }
+ }
 case $sshd_tcp_forwarding {
 '': { $sshd_tcp_forwarding = 'no' }
 }
-- cgit v1.2.3
From 0ec0562257a0a0bde04c149f323c47632071005c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 15 Dec 2010 20:38:07 -0500 Subject: remote KerberosGetAFSToken, its actually not a functional configuration option, even though it is listed in the man page, and commented out in the default config file. I filed a bug with debian (#607238) --- manifests/init.pp | 8 -------- templates/sshd_config/Debian_squeeze.erb | 5 ----- 2 files changed, 13 deletions(-) (limited to 'manifests/init.pp')
diff --git a/manifests/init.pp b/manifests/init.pp
index 002b927..90b7c64 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -84,11 +84,6 @@
 # Valid values: yes or no
 # Default: no
 #
-# sshd_kerberos_getafstoken: If AFS is active and user has a Kerberos 5 TGT, attempt to
-# acquire an AFS token before accessing the user's home directory.
-# Valid values: yes or no
-# Default: no
-#
 # sshd_kerberos_orlocalpasswd: If password authentication through Kerberos fails, then the password
 # will be validated via any additional local mechanism.
 # Valid values: yes or no
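Review bot: The six `case` blocks added to `class sshd` in the first commit (the `@@ -160,6 +189,24 @@` hunk) handle only the empty string, so any other value passes through unchecked. The template lines visible in the follow-up commit test `.to_s == 'yes'` and write `no` otherwise; if the cleanup options are rendered the same way (those lines are not shown), a value such as 'true' or 'Yes' for `$sshd_kerberos_ticketcleanup` or `$sshd_gssapi_cleanupcredentials` would quietly disable cleanup and leave credential caches behind after logout. Adding `'yes', 'no': { }` and `default: { fail("sshd_kerberos_ticketcleanup must be yes or no") }` arms to each block would surface the typo at compile time. The existing blocks around the hunk follow the same unvalidated pattern, and the class body continues outside the hunk.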
@@ -192,9 +187,6 @@ class sshd {
 case $sshd_kerberos_authentication {
 '': { $sshd_kerberos_authentication = 'no' }
 }
- case $sshd_kerberos_getafstoken {
- '': { $sshd_kerberos_getafstoken = 'no' }
- }
 case $sshd_kerberos_orlocalpasswd {
 '': { $sshd_kerberos_orlocalpasswd = 'yes' }
 }
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index 9f91c16..cfdd291 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -117,11 +117,6 @@ KerberosAuthentication yes
 <%- else -%>
 KerberosAuthentication no
 <%- end -%>
-<%- if sshd_kerberos_getafstoken.to_s == 'yes' then -%>
-KerberosGetAFSToken yes
-<%- else -%>
-KerberosGetAFSToken no
-<%- end -%>
 <%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
 KerberosOrLocalPasswd yes
 <%- else -%>
-- cgit v1.2.3