From 44b50a8c39035d692d97cfdd786dae4df6d46c76 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Wed, 7 Sep 2022 17:51:29 -0700
Subject: [PATCH] (profile::util::keytab) make TGT non-forwardable

Generally, we want to allow ssh between 2 pair of hosts only. We don't not want the TGT to be reusable to make another hop from the destination host. If additional access from the destination ssh host is needed, a role user TGT should also be present on the destination host.
---
 site/profile/manifests/util/keytab.pp | 2 +-
 spec/defines/util/keytab_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/site/profile/manifests/util/keytab.pp b/site/profile/manifests/util/keytab.pp
index ba066db5ff..385a6d6ce4 100644
--- a/site/profile/manifests/util/keytab.pp
+++ b/site/profile/manifests/util/keytab.pp
@@ -33,7 +33,7 @@
   }
   cron { 'k5start_root':
-    command => "/usr/bin/k5start -f ${keytab_path} -U -o ${uid} -k /tmp/krb5cc_${uid} -H 60 > /dev/null 2>&1",
+    command => "/usr/bin/k5start -f ${keytab_path} -U -o ${uid} -k /tmp/krb5cc_${uid} -H 60 -F > /dev/null 2>&1",
     user => 'root',
     minute => '*/1',
     require => File[$keytab_path],
diff --git a/spec/defines/util/keytab_spec.rb b/spec/defines/util/keytab_spec.rb
index b02636f271..df11adad06 100644
--- a/spec/defines/util/keytab_spec.rb
+++ b/spec/defines/util/keytab_spec.rb
@@ -33,7 +33,7 @@
   it do
     is_expected.to contain_cron('k5start_root').with(
-      command: '/usr/bin/k5start -f /home/foo/.keytab -U -o 123 -k /tmp/krb5cc_123 -H 60 > /dev/null 2>&1',
+      command: '/usr/bin/k5start -f /home/foo/.keytab -U -o 123 -k /tmp/krb5cc_123 -H 60 -F > /dev/null 2>&1',
     )
   end
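Review bot: Adding `-F` to the k5start command in the `cron { 'k5start_root': ... }` resource only governs tickets requested from now on; a TGT already cached in `/tmp/krb5cc_${uid}` was obtained without `-F`, and since the `-H 60` check appears to test only remaining lifetime rather than ticket flags, hosts that already ran the old cron line keep a forwardable TGT until it drops below 60 minutes of validity, which can be up to a full ticket lifetime after this deploys. If the window is meant to close immediately, the rollout should also invalidate the old cache once (for example an `exec` running `kdestroy -c /tmp/krb5cc_${uid}`, or removing that file) so the next minute's run fetches a non-forwardable ticket. Because the cron line is the only place this policy is expressed, it deserves a comment on the resource: `# -F: request a non-forwardable TGT so it cannot be delegated onward from the ssh destination host`. If proxiable tickets are a concern for the same reason, k5start's `-P` flag is the analogous option and could be added alongside `-F`. The `cron` resource opened in this hunk closes outside it.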