Adds option to set whether password authentication is allowed with sshd.

Colin Nolan · Colin Nolan · commit 83ef8912466f · 2017-04-22T19:55:08.000+01:00
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -17,8 +17,9 @@ ssh_server_weak_hmac: false             # sshd
 ssh_client_weak_kex: false              # ssh
 ssh_server_weak_kex: false              # sshd
 
-# If true, password login is allowed. For sshd, it is always set to no password login.
+# If true, password login is allowed
 ssh_client_password_login: false          # ssh
+ssh_server_password_login: false          # sshd
 
 # ports on which ssh-server should listen
 ssh_server_ports: ['22']      # sshd
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -131,7 +131,7 @@ HostbasedAuthentication no
 UsePAM {{ 'yes' if ssh_use_pam else 'no' }}
 
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-PasswordAuthentication no
+PasswordAuthentication {{ 'yes' if ssh_server_password_login else 'no' }}
 PermitEmptyPasswords no
 ChallengeResponseAuthentication {{ 'yes' if ssh_challengeresponseauthentication else 'no' }}
 
