From 4106ed669e5a53652b46d9e7804dbdfa14d699fc Mon Sep 17 00:00:00 2001
From: ljf <ljf+git@grimaud.me>
Date: Mon, 6 Dec 2021 23:01:06 +0100
Subject: [PATCH] [enh] Manage SSH PasswordAuthentication setting

---
 data/hooks/conf_regen/03-ssh   |  1 +
 data/templates/ssh/sshd_config | 10 ++++++++--
 src/yunohost/settings.py       |  5 +++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/data/hooks/conf_regen/03-ssh b/data/hooks/conf_regen/03-ssh
index f10dbb653..3f04acd0c 100755
--- a/data/hooks/conf_regen/03-ssh
+++ b/data/hooks/conf_regen/03-ssh
@@ -26,6 +26,7 @@ do_pre_regen() {
     # Support different strategy for security configurations
     export compatibility="$(yunohost settings get 'security.ssh.compatibility')"
     export port="$(yunohost settings get 'security.ssh.port')"
+    export password_authentication="$(yunohost settings get 'security.ssh.password_authentication')"
     export ssh_keys
     export ipv6_enabled
     ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config
index 1c2854f73..22f0697d9 100644
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@@ -2,6 +2,8 @@
 # by YunoHost
 
 Protocol 2
+# PLEASE: to change ssh port properly in YunoHost, use this command
+# yunohost settings set security.ssh.port -v <port>
 Port {{ port }}
 
 {% if ipv6_enabled == "true" %}ListenAddress ::{% endif %}
@@ -53,9 +55,13 @@ PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
 
-# Change to no to disable tunnelled clear text passwords
-# (i.e. everybody will need to authenticate using ssh keys)
+# PLEASE: to force everybody to authenticate using ssh keys, run this command:
+# yunohost settings set security.ssh.password_authentication -v no
+{% if password_authentication == "True" %}
 #PasswordAuthentication yes
+{% else %}
+PasswordAuthentication no
+{% endif %}
 
 # Post-login stuff
 Banner /etc/issue.net
diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py
index d59b41a58..26b8c48b2 100644
--- a/src/yunohost/settings.py
+++ b/src/yunohost/settings.py
@@ -81,6 +81,10 @@ DEFAULTS = OrderedDict(
             "security.ssh.port",
             {"type": "int", "default": 22},
         ),
+        (
+            "security.ssh.password_authentication",
+            {"type": "bool", "default": True},
+        ),
         (
             "security.nginx.redirect_to_https",
             {
@@ -420,6 +424,7 @@ def reconfigure_nginx_and_yunohost(setting_name, old_value, new_value):
 
 
 @post_change_hook("security.ssh.compatibility")
+@post_change_hook("security.ssh.password_authentication")
 def reconfigure_ssh(setting_name, old_value, new_value):
     if old_value != new_value:
         regen_conf(names=["ssh"])