[enh] Manage SSH PasswordAuthentication setting

data/hooks/conf_regen/03-ssh

@@ -26,6 +26,7 @@ do_pre_regen() {
     # Support different strategy for security configurations
     export compatibility="$(yunohost settings get 'security.ssh.compatibility')"
     export port="$(yunohost settings get 'security.ssh.port')"
+    export password_authentication="$(yunohost settings get 'security.ssh.password_authentication')"
     export ssh_keys
     export ipv6_enabled
     ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"

data/templates/ssh/sshd_config

@@ -2,6 +2,8 @@
 # by YunoHost
 
 Protocol 2
+# PLEASE: to change ssh port properly in YunoHost, use this command
+# yunohost settings set security.ssh.port -v <port>
 Port {{ port }}
 
 {% if ipv6_enabled == "true" %}ListenAddress ::{% endif %}
@@ -53,9 +55,13 @@ PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
 
-# Change to no to disable tunnelled clear text passwords
-# (i.e. everybody will need to authenticate using ssh keys)
+# PLEASE: to force everybody to authenticate using ssh keys, run this command:
+# yunohost settings set security.ssh.password_authentication -v no
+{% if password_authentication == "True" %}
 #PasswordAuthentication yes
+{% else %}
+PasswordAuthentication no
+{% endif %}
 
 # Post-login stuff
 Banner /etc/issue.net

src/yunohost/settings.py

@@ -81,6 +81,10 @@ DEFAULTS = OrderedDict(
             "security.ssh.port",
             {"type": "int", "default": 22},
         ),
+        (
+            "security.ssh.password_authentication",
+            {"type": "bool", "default": True},
+        ),
         (
             "security.nginx.redirect_to_https",
             {
@@ -420,6 +424,7 @@ def reconfigure_nginx_and_yunohost(setting_name, old_value, new_value):
 
 
 @post_change_hook("security.ssh.compatibility")
+@post_change_hook("security.ssh.password_authentication")
 def reconfigure_ssh(setting_name, old_value, new_value):
     if old_value != new_value:
         regen_conf(names=["ssh"])