OpenBSD does not support GSSAPIAuthentication

... and freaks out when it is mentioned in the config files. So let's just remove the GSSAPI-stuff. Signed-off-by: Dennis Eriksen <d@ennis.no>
2024-11-10 09:14:18 +00:00 · 2022-11-08 09:12:18 +01:00 · 2022-11-08 09:12:18 +01:00 · 681898bd96
commit 681898bd96
parent e32d550e9b
2 changed files with 6 additions and 0 deletions
--- a/roles/ssh_hardening/templates/openssh.conf.j2
+++ b/roles/ssh_hardening/templates/openssh.conf.j2
@ -106,10 +106,13 @@ RSAAuthentication yes
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
 PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}

+{# OpenBSD does not support GSSAPIAuthentication, so leave this out if on OpenBSD #}
+{% if ansible_facts.os_family != 'OpenBSD' %}
 # Only use GSSAPIAuthentication if implemented on the network.
 GSSAPIAuthentication {{ 'yes' if (ssh_gssapi_support|bool) else 'no' }}
 GSSAPIDelegateCredentials {{ 'yes' if (ssh_gssapi_delegation|bool) else 'no' }}

+{% endif %}
 # Disable tunneling
 Tunnel no

--- a/roles/ssh_hardening/templates/opensshd.conf.j2
+++ b/roles/ssh_hardening/templates/opensshd.conf.j2
@ -143,10 +143,13 @@ KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 {% endif %}

+{# OpenBSD does not support GSSAPIAuthentication, so leave this out if on OpenBSD #}
+{% if ansible_facts.os_family != 'OpenBSD' -%}
 # Only enable GSSAPI authentication if it is configured.
 GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
 GSSAPICleanupCredentials yes

+{% endif %}
 {% if ssh_deny_users %}
 # In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here.
 # For key-based authentication this is not necessary, since all keys must be explicitely enabled.