Split off ssh_gssapi_delegation into own variable

dev-sec · Feb 14, 2021 · d2ae204 · d2ae204
1 parent 8baab75
commit d2ae204
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
@@ -76,7 +76,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
   - Description: false to disable pam authentication.
 - `ssh_gssapi_support`
   - Default: `false`
-  - Description: true if SSH has GSSAPI support.
+  - Description: Set to true to enable GSSAPI authentication (both client and server).
+- `ssh_gssapi_delegation`
+  - Default: `false`
+  - Description: Set to true to enable GSSAPI credential forwarding.
 - `ssh_kerberos_support`
   - Default: `true`
   - Description: true if SSH has Kerberos support.

diff --git a/roles/ssh_hardening/templates/openssh.conf.j2 b/roles/ssh_hardening/templates/openssh.conf.j2
@@ -104,8 +104,8 @@ RSAAuthentication yes
 PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}
 
 # Only use GSSAPIAuthentication if implemented on the network.
-GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
-GSSAPIDelegateCredentials {{ 'yes' if ssh_gssapi_support else 'no' }}
+GSSAPIAuthentication {{ 'yes' if (ssh_gssapi_support|bool) else 'no' }}
+GSSAPIDelegateCredentials {{ 'yes' if (ssh_gssapi_delegation|bool) else 'no' }}
 
 # Disable tunneling
 Tunnel no