diff --git a/data/hooks/conf_regen/03-ssh b/data/hooks/conf_regen/03-ssh
index f10dbb653..3f04acd0c 100755
--- a/data/hooks/conf_regen/03-ssh
+++ b/data/hooks/conf_regen/03-ssh
@@ -26,6 +26,7 @@ do_pre_regen() {
     # Support different strategy for security configurations
     export compatibility="$(yunohost settings get 'security.ssh.compatibility')"
     export port="$(yunohost settings get 'security.ssh.port')"
+    export password_authentication="$(yunohost settings get 'security.ssh.password_authentication')"
     export ssh_keys
     export ipv6_enabled
     ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
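Review bot: The added `export password_authentication="$(...)"` line discards the exit status of `yunohost settings get`, so a failed lookup exports an empty string instead of stopping the regen. The template hunk in data/templates/ssh/sshd_config disables passwords only when the value is exactly `False`, so an empty or unexpected value silently renders the password-enabled branch. Assigning first and exporting afterwards keeps the failure visible: `password_authentication="$(yunohost settings get 'security.ssh.password_authentication')" || return 1`, then `export password_authentication`. The neighbouring `compatibility` and `port` lines follow the same pattern, and do_pre_regen starts and ends outside this hunk, so how the hook handles errors elsewhere cannot be seen here.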
diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config
index 1c2854f73..b6d4111ee 100644
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@@ -2,6 +2,8 @@
 # by YunoHost
 
 Protocol 2
+# PLEASE: if you wish to change the ssh port properly in YunoHost, use this command:
+# yunohost settings set security.ssh.port -v <port>
 Port {{ port }}
 
 {% if ipv6_enabled == "true" %}ListenAddress ::{% endif %}
@@ -53,9 +55,13 @@ PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
 
-# Change to no to disable tunnelled clear text passwords
-# (i.e. everybody will need to authenticate using ssh keys)
+# PLEASE: if you wish to force everybody to authenticate using ssh keys, run this command:
+# yunohost settings set security.ssh.password_authentication -v no
+{% if password_authentication == "False" %}
+PasswordAuthentication no
+{% else %}
 #PasswordAuthentication yes
+{% endif %}
 
 # Post-login stuff
 Banner /etc/issue.net
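Review bot: The `{% if password_authentication == "False" %}` test matches one exact, case-sensitive string, so every other value (`false`, `no`, `0`, an empty string) falls into the `{% else %}` branch, which keeps passwords enabled. That branch also emits only the commented-out `#PasswordAuthentication yes`, so the effective setting depends on sshd's built-in default and on any other configuration sshd reads. Writing `PasswordAuthentication yes` uncommented there would make the rendered file state the policy in both cases. The comment above tells admins to pass `-v no` while the template compares with `False`; a one-line comment such as `# 'yunohost settings get' prints this bool as True/False` would document that coupling, assuming that is how the settings layer prints it.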
diff --git a/locales/en.json b/locales/en.json
index 7bd4fc609..ce36edaa4 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -382,6 +382,7 @@
     "global_settings_setting_security_password_user_strength": "User password strength",
     "global_settings_setting_security_postfix_compatibility": "Compatibility vs. security tradeoff for the Postfix server. Affects the ciphers (and other security-related aspects)",
     "global_settings_setting_security_ssh_compatibility": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects)",
+    "global_settings_setting_security_ssh_password_authentication": "Allow password authentication for SSH",
     "global_settings_setting_security_ssh_port": "SSH port",
     "global_settings_setting_security_webadmin_allowlist": "IP adresses allowed to access the webadmin. Comma-separated.",
     "global_settings_setting_security_webadmin_allowlist_enabled": "Allow only some IPs to access the webadmin.",
diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py
index eddb30764..0e08a2640 100644
--- a/src/yunohost/settings.py
+++ b/src/yunohost/settings.py
@@ -81,6 +81,10 @@ DEFAULTS = OrderedDict(
             "security.ssh.port",
             {"type": "int", "default": 22},
         ),
+        (
+            "security.ssh.password_authentication",
+            {"type": "bool", "default": True},
+        ),
         (
             "security.nginx.redirect_to_https",
             {
@@ -420,6 +424,7 @@ def reconfigure_nginx_and_yunohost(setting_name, old_value, new_value):
 
 
 @post_change_hook("security.ssh.compatibility")
+@post_change_hook("security.ssh.password_authentication")
 def reconfigure_ssh(setting_name, old_value, new_value):
     if old_value != new_value:
         regen_conf(names=["ssh"])
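Review bot: `reconfigure_ssh` now also fires for `security.ssh.password_authentication`, and it regenerates the ssh configuration with no visible check that any account has an authorized key, so switching the setting off can lock an admin out of SSH. A warning before `regen_conf(names=["ssh"])` when `setting_name == "security.ssh.password_authentication"` and `new_value` is false would make that risk explicit; which logging or messaging helper the module uses is not visible in this hunk. The function also has no docstring, and something like `"""Regenerate the ssh configuration when an SSH security setting changes."""` would cover both decorators.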