Merge pull request #598 from dennisse/master

schurzi · web-flow · commit d982a89cc1f0 · 2022-11-08T10:26:42.000+01:00
OpenBSD does not support GSSAPI Authentication
diff --git a/roles/ssh_hardening/templates/openssh.conf.j2 b/roles/ssh_hardening/templates/openssh.conf.j2
@@ -106,10 +106,13 @@ RSAAuthentication yes
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
 PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}
 
+{# OpenBSD does not support GSSAPIAuthentication, so leave this out if on OpenBSD #}
+{% if ansible_facts.os_family != 'OpenBSD' %}
 # Only use GSSAPIAuthentication if implemented on the network.
 GSSAPIAuthentication {{ 'yes' if (ssh_gssapi_support|bool) else 'no' }}
 GSSAPIDelegateCredentials {{ 'yes' if (ssh_gssapi_delegation|bool) else 'no' }}
 
+{% endif %}
 # Disable tunneling
 Tunnel no
 
diff --git a/roles/ssh_hardening/templates/opensshd.conf.j2 b/roles/ssh_hardening/templates/opensshd.conf.j2
@@ -143,10 +143,13 @@ KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 {% endif %}
 
+{# OpenBSD does not support GSSAPIAuthentication, so leave this out if on OpenBSD #}
+{% if ansible_facts.os_family != 'OpenBSD' -%}
 # Only enable GSSAPI authentication if it is configured.
 GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
 GSSAPICleanupCredentials yes
 
+{% endif %}
 {% if ssh_deny_users %}
 # In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here.
 # For key-based authentication this is not necessary, since all keys must be explicitely enabled.
