Add support for GSSAPIAuthentication

[bbigras]

No description provided.

[artem-sidorenko]

@BrunoQC thanks for raising an issue, can you maybe explain it a bit deeper?

[bbigras]

I use GSSAPIAuthentication for password-less logins from computers on an Active Directory domain using Kerberos tokens.

[artem-sidorenko]

@BrunoQC Hm, I still can not understand what should be done :\

ssh-baseline repo (this repo) contains the tests and test profile for ssh testing. Is some test for GSSAPIAuthentication missing?

[bbigras]

I'm not sure if I'm in the right place.

I used https://galaxy.ansible.com/dev-sec/ssh-hardening/ , it replaces my ssh config and I don't know how to leave GSSAPIAuthentication yes in my config file.

I thought about asking on https://github.com/dev-sec/ansible-ssh-hardening but I was thinking that it may also be useful for chef and puppet.

[chris-rock]

@BrunoQC Thank you for asking. This baseline is providing the recommendation. In this case: no as defined in https://github.com/dev-sec/ssh-baseline/blob/master/controls/sshd_spec.rb#L330-L337. Therefore the implementations in Chef/Ansible/Puppet set the default to no. In your case https://github.com/dev-sec/ansible-ssh-hardening Nevertheless all attributes should be adaptable. This is an issue for the ansible implementation, since the value is fixed in our ansible template. See https://github.com/dev-sec/ansible-ssh-hardening/blob/1f63b3522ac510fc0d2fadca0cc30a76de445ef3/templates/openssh.conf.j2#L122-L123
I recommend to open an issue or add a PR at https://github.com/dev-sec/ansible-ssh-hardening to provide the flexibility you're asking.