OpenBSD does not support GSSAPI Authentication #598
Conversation
|
Thank you for noticing this. We now have some capabilities to do CI testing with VMs and that way we might be able to include OpenBSD in our CI. I will take a look into this.
We really like this solution, since it also mirrors, what we have done for Debian. (https://github.com/dev-sec/ansible-collection-hardening/blob/master/roles/ssh_hardening/templates/opensshd.conf.j2#L245-L248) Wold you rework your solution to check fr the OS Family instead and keep all the other variables as is? And we also require to have all your commits signed off, can you please modify you existing commits to cover that requirement? |
... and freaks out when it is mentioned in the config files. So let's just remove the GSSAPI-stuff. Signed-off-by: Dennis Eriksen <[email protected]>
|
There :) |
Howdy!
OpenBSD does not support GSSAPI Authentication, and is really not happy when GSSAPI-options are present in its configfiles.
This patch reverts the changes made in ed9447a, which sort of ruined the changes introduced in dev-sec/ansible-ssh-hardening/pull/171. It also introduces a new variable,
ssh_gssapi_authto enable GSSAPI authentication.After creating this patch, I realized that this patch will break GSSAPI authentication for anyone who has enabled this today. Today, setting
ssh_gssapi_supporttotruewill enable GSSAPI authentication. After this patch, the same will merely indicate that your system supports GSSAPI authentication. You'll need to setssh_gssapi_authtotrueto enable GSSAPI authentication.I believe that this is the most "correct" solution. But as mentioned, it will break GSSAPI authentication for anyone who uses it today.
Another solution is to switch the name of the two options
ssh_gssapi_authandssh_gssapi_support, and settingssh_gssapi_authto true by default. Doing this will not break any current installations using GSSAPI authentication. BUT, it will be semantically confusing to usessh_gssapi_authto indicate that the system supports GSSAPI authentication, andssh_gssapi_supportto turn it on or off.A third solution could be to simply introduce the conditional
if ansible_os_family != "OpenBSD"around the GSSAPI-lines in the jinja-templates. This might be the simplest solution.It is also possible to just drop OpenBSD-support (this is the "do nothing"-solution), but I really want to use this on all my systems, and I'd be happy to contribute the code to get this to work :)
Please let me know what you think of this, and I'll ammend my patch accordingly.