Merge remote branch 'shared/master'

Conflicts:
	templates/sshd_config/Debian_squeeze.erb

I always picked the shared repository version when conflicts arose.
The only exception to this rule was:
I kept my branch's "HostbasedUsesNameFromPacketOnly yes" in order
to be consistent with existing Etch and Lenny templates.
This is not the default Debian setting, but I would find it weird if a host
had this setting changed by Puppet after upgrading to Squeeze.
The right way to proceed would probably be to make this configurable.

2 files changed, 70 insertions, 14 deletions

diff --git a/manifests/init.pp b/manifests/init.pp
index 06290a8..76ee107 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -76,7 +76,31 @@
 # sshd_password_authentication: If you want to enable password authentication or not
 #                               Valid values: yes or no
 #                               Default: no
-#				
+#
+# sshd_kerberos_authentication: If you want the password that is provided by the user to be
+#                               validated through the Kerberos KDC. To use this option the
+#                               server needs a Kerberos servtab which allows the verification of
+#                               the KDC's identity.
+#                               Valid values: yes or no
+#                               Default: no
+#
+# sshd_kerberos_orlocalpasswd:  If password authentication through Kerberos fails, then the password
+#                               will be validated via any additional local mechanism.
+#                               Valid values: yes or no
+#                               Default: yes
+#
+# sshd_kerberos_ticketcleanup:  Destroy the user's ticket cache file on logout?
+#                               Valid values: yes or no
+#                               Default: yes
+#
+# sshd_gssapi_authentication:   Authenticate users based on GSSAPI?
+#                               Valid values: yes or no
+#                               Default: no
+#
+# sshd_gssapi_cleanupcredentials: Destroy user's credential cache on logout?
+#                                 Valid values: yes or no
+#                                 Default: yes
+#
 # sshd_challenge_response_authentication: If you want to enable ChallengeResponseAuthentication or not
 # 				When disabled, s/key passowords are disabled
 # 				Valid values: yes or no
@@ -163,6 +187,21 @@ class sshd {
   case $sshd_password_authentication {
     '': { $sshd_password_authentication = 'no' }
   }
+  case $sshd_kerberos_authentication {
+    '': { $sshd_kerberos_authentication = 'no' }
+  }
+  case $sshd_kerberos_orlocalpasswd {
+    '': { $sshd_kerberos_orlocalpasswd = 'yes' }
+  }
+  case $sshd_kerberos_ticketcleanup {
+    '': { $sshd_kerberos_ticketcleanup = 'yes' }
+  }
+  case $sshd_gssapi_authentication {
+    '': { $sshd_gssapi_authentication = 'no' }
+  }
+  case $sshd_gssapi_cleanupcredentials {
+    '': { $sshd_gssapi_cleanupcredentials = 'yes' }
+  }
   case $sshd_tcp_forwarding {
     '': { $sshd_tcp_forwarding = 'no' }
   }
diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index 950a53c..79fef15 100644
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -1,5 +1,7 @@
+# This file is managed by Puppet, all local modifications will be overwritten
+#
 # Package generated configuration file
-# See the sshd_config(5) manpage for details
+# See the sshd(8) manpage for details
 
 <%- unless sshd_head_additional_options.to_s.empty? then %>
 <%= sshd_head_additional_options %>
@@ -71,21 +73,18 @@ IgnoreRhosts yes
 <%- else -%>
 IgnoreRhosts no
 <% end -%>
-
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 <%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%>
 RhostsRSAAuthentication yes
 <%- else -%>
 RhostsRSAAuthentication no
 <% end -%>
-
 # similar for protocol version 2
 <%- if sshd_hostbased_authentication.to_s == 'yes' then -%>
 HostbasedAuthentication yes
 <%- else -%>
 HostbasedAuthentication no
 <% end -%>
-
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 
@@ -104,7 +103,7 @@ ChallengeResponseAuthentication yes
 ChallengeResponseAuthentication no
 <%- end -%>
 
-# Change to no to disable tunnelled clear text passwords
+# To disable tunneled clear text passwords, change to no here!
 <%- if sshd_password_authentication.to_s == 'yes' then -%>
 PasswordAuthentication yes
 <%- else -%>
@@ -112,14 +111,33 @@ PasswordAuthentication no
 <%- end -%>
 
 # Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
+<%- if sshd_kerberos_authentication.to_s == 'yes' then -%>
+KerberosAuthentication yes
+<%- else -%>
+KerberosAuthentication no
+<%- end -%>
+<%- if sshd_kerberos_orlocalpasswd.to_s == 'yes' then -%>
+KerberosOrLocalPasswd yes
+<%- else -%>
+KerberosOrLocalPasswd no
+<%- end -%>
+<%- if sshd_kerberos_ticketcleanup.to_s == 'yes' then -%>
+KerberosTicketCleanup yes
+<%- else -%>
+KerberosTicketCleanup no
+<%- end -%>
 
 # GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
+<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
+GSSAPIAuthentication yes
+<%- else -%>
+GSSAPIAuthentication no
+<%- end -%>
+<%- if sshd_gssapi_authentication.to_s == 'yes' then -%>
+GSSAPICleanupCredentials yes
+<%- else -%>
+GSSAPICleanupCredentials yes
+<%- end -%>
 
 <%- if sshd_x11_forwarding.to_s == 'yes' then -%>
 X11Forwarding yes
@@ -130,6 +148,7 @@ X11DisplayOffset 10
 PrintMotd no
 PrintLastLog yes
 TCPKeepAlive yes
+
 #UseLogin no
 
 #MaxStartups 10:30:60
@@ -173,8 +192,6 @@ AllowAgentForwarding yes
 AllowAgentForwarding no
 <%- end -%>
 
-ChallengeResponseAuthentication no
-
 <%- unless sshd_allowed_users.to_s.empty? then -%>
 AllowUsers <%= sshd_allowed_users -%>
 <%- end -%>