
Add support for GSSAPIAuthentication

Open bbigras opened this issue 8 years ago • 5 comments

bbigras avatar Jan 31 '17 21:01 bbigras

@brunoqc thanks for raising an issue, can you maybe explain it a bit deeper?

artem-sidorenko avatar Feb 02 '17 10:02 artem-sidorenko

I use GSSAPIAuthentication for password-less logins from computers on an Active Directory domain using Kerberos tokens.

bbigras avatar Feb 02 '17 15:02 bbigras

@brunoqc Hm, I still cannot understand what should be done :\

ssh-baseline repo (this repo) contains the tests and test profile for ssh testing. Is some test for GSSAPIAuthentication missing?

artem-sidorenko avatar Feb 02 '17 20:02 artem-sidorenko

I'm not sure if I'm in the right place.

I used https://galaxy.ansible.com/dev-sec/ssh-hardening/ , it replaces my ssh config and I don't know how to leave GSSAPIAuthentication yes in my config file.

I thought about asking on https://github.com/dev-sec/ansible-ssh-hardening but I was thinking that it may also be useful for chef and puppet.

bbigras avatar Feb 02 '17 20:02 bbigras

@brunoqc Thank you for asking. This baseline is providing the recommendation. In this case: no, as defined in https://github.com/dev-sec/ssh-baseline/blob/master/controls/sshd_spec.rb#L330-L337

Therefore the implementations in Chef/Ansible/Puppet set the default to no. In your case: https://github.com/dev-sec/ansible-ssh-hardening

Nevertheless, all attributes should be adaptable. This is an issue for the ansible implementation, since the value is fixed in our ansible template. See https://github.com/dev-sec/ansible-ssh-hardening/blob/1f63b3522ac510fc0d2fadca0cc30a76de445ef3/templates/openssh.conf.j2#L122-L123

I recommend opening an issue or adding a PR at https://github.com/dev-sec/ansible-ssh-hardening to provide the flexibility you're asking for.

chris-rock avatar Feb 02 '17 20:02 chris-rock
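
The check discussed in this thread, with the expected value made adjustable, as an added example that is not part of the thread and is not ssh-baseline or ansible-ssh-hardening code. The helper name audit_gssapi and both sample configs are constructed for illustration; the parser covers plain keyword lines and Match blocks only (no Include handling).

```ruby
# Added example, not ssh-baseline code. audit_gssapi is a hypothetical helper.
KEYWORD = 'GSSAPIAuthentication'

# Report the value sshd would use globally and inside each Match block.
# sshd keeps the first value it obtains for a keyword, keyword names are
# case-insensitive, and lines after a Match line apply only to that block.
def audit_gssapi(config_text, expected: 'no')
  global = nil      # first value seen before any Match line
  overrides = {}    # Match condition => first value seen in that block
  match = nil       # nil while still in the global section
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, arg = line.split(/[\s=]+/, 2)
    if key.casecmp?('Match')
      match = arg.to_s.strip
    elsif key.casecmp?(KEYWORD)
      value = arg.to_s.split.first&.downcase
      next unless value
      match.nil? ? (global ||= value) : (overrides[match] ||= value)
    end
  end
  global ||= 'no'   # OpenSSH default when the keyword is absent
  deviating = overrides.reject { |_, v| v == expected }
  { global: global, overrides: overrides,
    compliant: global == expected && deviating.empty? }
end

# Constructed sample configs (not taken from the thread).
HARDENED = <<~CONF
  # baseline recommendation
  PasswordAuthentication no
  GSSAPIAuthentication no
CONF

KERBEROS_SITE = <<~CONF
  gssapiauthentication yes
  GSSAPIAuthentication no
  Match Address 10.0.0.0/8
      GSSAPIAuthentication no
CONF

if __FILE__ == $PROGRAM_NAME
  p audit_gssapi(HARDENED)
  p audit_gssapi(KERBEROS_SITE, expected: 'yes')
end
```

With expected: 'yes' the second sample is still reported as non-compliant, because the Match block sets the keyword back to no for that address range.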