Puppet Class: cis_security_hardening::rules::sshd_gssapi

Defined in:
manifests/rules/sshd_gssapi.pp

Summary

Ensure SSH does not permit GSSAPI

Overview

The operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.

Rationale: GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.

Examples:

class { 'cis_security_hardening::rules::sshd_gssasi':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.



21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 
# File 'manifests/rules/sshd_gssapi.pp', line 21

class cis_security_hardening::rules::sshd_gssapi (
  Boolean $enforce = false,
) {
  if $enforce {
    $path = ($facts['os']['name'] == 'SLES' and $facts['os']['release']['major'] == '12') ? {
      true    => '/usr/etc/ssh/sshd_config',
      default => '/etc/ssh/sshd_config',
    }
    file_line { 'sshd-gssapi':
      ensure             => present,
      path               => $path,
      line               => 'GSSAPIAuthentication no',
      match              => '^#?GSSAPIAuthentication.*',
      append_on_no_match => true,
      notify             => Exec['reload-sshd'],
    }
  }
}