Merge pull request #194 from szEvEz/master

set 'GSSAPIAuthentication yes' if variable 'ssh_gssapi_support' is set to 'true'

Author: rndmh3ro

README.md

@@ -32,7 +32,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
 |`ssh_pam_support` | true | true if SSH has PAM support.|
 |`ssh_use_pam` | false | false to disable pam authentication.|
-|`ssh_gssapi_support` | true | true if SSH has GSSAPI support.|
+|`ssh_gssapi_support` | false | true if SSH has GSSAPI support.|
 |`ssh_kerberos_support` | true | true if SSH has Kerberos support.|
 |`ssh_deny_users` | '' | if specified, login is disallowed for user names that match one of the patterns.|
 |`ssh_allow_users` | '' | if specified, login is allowed only for user names that match one of the patterns.|

defaults/main.yml

@@ -74,7 +74,7 @@ ssh_google_auth: false # sshd
 ssh_pam_device: false # sshd
 
 # true if SSH support GSSAPI
-ssh_gssapi_support: true
+ssh_gssapi_support: false
 
 # true if SSH support Kerberos
 ssh_kerberos_support: true
@@ -220,4 +220,4 @@ ssh_server_revoked_keys: []
 
 # Set to false to turn the role into a no-op. Useful when using
 # the Ansible role dependency mechanism.
-ssh_hardening_enabled: true
+ssh_hardening_enabled: true

templates/opensshd.conf.j2

@@ -119,11 +119,9 @@ KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 {% endif %}
 
-{% if ssh_gssapi_support -%}
 # Only enable GSSAPI authentication if it is configured.
-GSSAPIAuthentication no
+GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
 GSSAPICleanupCredentials yes
-{% endif %}
 
 # In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.
 {% if ssh_deny_users -%}