From d4a29b7b1b576547d2254a32e0034b966c7462ef Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Sun, 7 Oct 2018 18:24:50 +0200
Subject: [PATCH] ssh-server: allow disabling ssh password auth

---
 ssh-server/defaults/main.yml                | 1 +
 ssh-server/templates/sshd_config.j2         | 2 +-
 ssh-server/templates/sshd_config_stretch.j2 | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ssh-server/defaults/main.yml b/ssh-server/defaults/main.yml
index b3cb5e1..eb600b6 100644
--- a/ssh-server/defaults/main.yml
+++ b/ssh-server/defaults/main.yml
@@ -4,6 +4,7 @@
 ssh_authorized_keys: "{{ inventory_dir }}/files/keys"
 ssh_mkhomedir: yes
 ssh_strong_crypto: yes
+ssh_password_auth: yes
 ssh_gssapi: yes
 ssh_sftp_options: ""
 ssh_allow_groups: []
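Review bot: The new `ssh_password_auth` default is added without a comment and stays `yes`, so every host keeps accepting passwords unless an inventory explicitly opts out. That preserves existing behaviour, but the variable should state what turning it off implies, for example `# Set to no for key/GSSAPI-only logins; deploy authorized keys first or users are locked out.` on the line above it. Whether a secure-by-default `no` is feasible depends on the inventories consuming this role, which are not visible in this patch.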
diff --git a/ssh-server/templates/sshd_config.j2 b/ssh-server/templates/sshd_config.j2
index 0fadada..da2db1f 100644
--- a/ssh-server/templates/sshd_config.j2
+++ b/ssh-server/templates/sshd_config.j2
@@ -52,7 +52,7 @@ PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 
 # Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
+PasswordAuthentication {{ 'yes' if ssh_password_auth else 'no' }}
 
 # Kerberos options
 #KerberosAuthentication no
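Review bot: The expression `'yes' if ssh_password_auth else 'no'` tests plain Jinja truthiness, so a value that arrives as a string fails open. A key=value extra var such as `-e ssh_password_auth=no`, or a quoted `"no"` in inventory, is a non-empty string and would render `PasswordAuthentication yes`. Casting first closes that gap: `PasswordAuthentication {{ 'yes' if ssh_password_auth | bool else 'no' }}`. The identical line added to `sshd_config_stretch.j2` needs the same change. The retained comment "Change to no to disable tunnelled clear text passwords" is also stale now that the value is templated, and could read `# Managed by ssh_password_auth (see role defaults)`.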
diff --git a/ssh-server/templates/sshd_config_stretch.j2 b/ssh-server/templates/sshd_config_stretch.j2
index 3494965..67802e9 100644
--- a/ssh-server/templates/sshd_config_stretch.j2
+++ b/ssh-server/templates/sshd_config_stretch.j2
@@ -44,7 +44,7 @@ PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 
 # Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
+PasswordAuthentication {{ 'yes' if ssh_password_auth else 'no' }}
 
 # Kerberos options
 #KerberosAuthentication no
-- 
GitLab