Split off ssh_gssapi_delegation into own variable

Signed-off-by: Maxim Burgerhout <[email protected]>

Author: wzzrd

roles/ssh_hardening/README.md

@@ -76,7 +76,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
   - Description: false to disable pam authentication.
 - `ssh_gssapi_support`
   - Default: `false`
-  - Description: true if SSH has GSSAPI support.
+  - Description: Set to true to enable GSSAPI authentication (both client and server).
+- `ssh_gssapi_delegation`
+  - Default: `false`
+  - Description: Set to true to enable GSSAPI credential forwarding.
 - `ssh_kerberos_support`
   - Default: `true`
   - Description: true if SSH has Kerberos support.

roles/ssh_hardening/templates/openssh.conf.j2

@@ -104,8 +104,8 @@ RSAAuthentication yes
 PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}
 
 # Only use GSSAPIAuthentication if implemented on the network.
-GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
-GSSAPIDelegateCredentials {{ 'yes' if ssh_gssapi_support else 'no' }}
+GSSAPIAuthentication {{ 'yes' if (ssh_gssapi_support|bool) else 'no' }}
+GSSAPIDelegateCredentials {{ 'yes' if (ssh_gssapi_delegation|bool) else 'no' }}
 
 # Disable tunneling
 Tunnel no