From 4106ed669e5a53652b46d9e7804dbdfa14d699fc Mon Sep 17 00:00:00 2001
From: ljf
Date: Mon, 6 Dec 2021 23:01:06 +0100
Subject: [PATCH 1/4] [enh] Manage SSH PasswordAuthentication setting

---
 data/hooks/conf_regen/03-ssh | 1 +
 data/templates/ssh/sshd_config | 10 ++++++++--
 src/yunohost/settings.py | 5 +++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/data/hooks/conf_regen/03-ssh b/data/hooks/conf_regen/03-ssh
index f10dbb653..3f04acd0c 100755
--- a/data/hooks/conf_regen/03-ssh
+++ b/data/hooks/conf_regen/03-ssh
@@ -26,6 +26,7 @@ do_pre_regen() {
     # Support different strategy for security configurations
     export compatibility="$(yunohost settings get 'security.ssh.compatibility')"
     export port="$(yunohost settings get 'security.ssh.port')"
+    export password_authentication="$(yunohost settings get 'security.ssh.password_authentication')"
     export ssh_keys
     export ipv6_enabled
     ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config
index 1c2854f73..22f0697d9 100644
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@@ -2,6 +2,8 @@
 # by YunoHost
 Protocol 2
+# PLEASE: to change ssh port properly in YunoHost, use this command
+# yunohost settings set security.ssh.port -v
 Port {{ port }}
 {% if ipv6_enabled == "true" %}ListenAddress ::{% endif %}
@@ -53,9 +55,13 @@ PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
-# Change to no to disable tunnelled clear text passwords
-# (i.e. everybody will need to authenticate using ssh keys)
+# PLEASE: to force everybody to authenticate using ssh keys, run this command:
+# yunohost settings set security.ssh.password_authentication -v no
{% if password_authentication == "True" %}
 #PasswordAuthentication yes
{% else %}
PasswordAuthentication no
{% endif %}
 # Post-login stuff
 Banner /etc/issue.net 
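Review bot: `PasswordAuthentication no` in the else branch only closes password logins because the `ChallengeResponseAuthentication no` context line above keeps PAM keyboard-interactive off (`UsePAM yes` is also in effect), and nothing in the template records that dependency, so a later compatibility tweak that flips it to yes would silently reopen password prompts. I would add, right above the `{% if %}`, `# NOTE: keep ChallengeResponseAuthentication no as well, otherwise PAM keyboard-interactive still accepts passwords when PasswordAuthentication is no`. The enabled branch also leaves the directive commented and relies on sshd's built-in default instead of writing `PasswordAuthentication yes` explicitly; saying so in the comment, or emitting the directive, would make the rendered file self-describing.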
diff --git a/src/yunohost/settings.py b/src/yunohost/settings.py
index d59b41a58..26b8c48b2 100644
--- a/src/yunohost/settings.py
+++ b/src/yunohost/settings.py
@@ -81,6 +81,10 @@ DEFAULTS = OrderedDict(
             "security.ssh.port",
             {"type": "int", "default": 22},
         ),
+        (
            "security.ssh.password_authentication",
            {"type": "bool", "default": True},
        ),
         (
             "security.nginx.redirect_to_https",
             {
@@ -420,6 +424,7 @@ def reconfigure_nginx_and_yunohost(setting_name, old_value, new_value):
 @post_change_hook("security.ssh.compatibility")
+@post_change_hook("security.ssh.password_authentication")
 def reconfigure_ssh(setting_name, old_value, new_value):
     if old_value != new_value:
         regen_conf(names=["ssh"])
From 1b198e12f69badf99791cd88a037d96dca9ff039 Mon Sep 17 00:00:00 2001
From: ljf
Date: Tue, 7 Dec 2021 00:14:15 +0100
Subject: [PATCH 2/4] [fix] Missing locale key

---
 locales/en.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/locales/en.json b/locales/en.json
index 81e75eb32..66f42df58 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -382,6 +382,7 @@
     "global_settings_setting_security_password_user_strength": "User password strength",
     "global_settings_setting_security_postfix_compatibility": "Compatibility vs. security tradeoff for the Postfix server. Affects the ciphers (and other security-related aspects)",
     "global_settings_setting_security_ssh_compatibility": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects)",
+    "global_settings_setting_security_ssh_password_authentication": "Password authentication allowed",
     "global_settings_setting_security_ssh_port": "SSH port",
     "global_settings_setting_security_webadmin_allowlist": "IP adresses allowed to access the webadmin. Comma-separated.",
     "global_settings_setting_security_webadmin_allowlist_enabled": "Allow only some IPs to access the webadmin.",
From a063b63d1c86a1f30dac670cea17f2f24e9c944e Mon Sep 17 00:00:00 2001
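Review bot: `reconfigure_ssh` now regenerates sshd_config whenever `security.ssh.password_authentication` changes, but nothing checks that key-based access exists before password logins are switched off, so an admin with no authorized key is locked out the moment the config is regenerated. Before the `regen_conf` call I would guard that transition, e.g. `if setting_name == "security.ssh.password_authentication" and not new_value and not os.path.exists("/root/.ssh/authorized_keys"): logger.warning("Disabling SSH password authentication with no authorized key on record")` — whether the project already has a helper for listing admin SSH keys is not visible here, so the exact check needs confirming, as does the assumption that `new_value` arrives as the parsed bool rather than a string. The hook also has no docstring; `"""Regenerate the sshd config when an ssh-related setting changes."""` would do. Whether the function body ends at the `regen_conf` line is not visible in the hunk.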
From: Alexandre Aubin
Date: Mon, 27 Dec 2021 15:35:02 +0100
Subject: [PATCH 3/4] ssh config : Invert the password_authentication value check to be more resilient in case something goes wrong while fetching / parsing the value

---
 data/templates/ssh/sshd_config | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/data/templates/ssh/sshd_config b/data/templates/ssh/sshd_config
index 22f0697d9..b6d4111ee 100644
--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@@ -2,7 +2,7 @@
 # by YunoHost
 Protocol 2
-# PLEASE: to change ssh port properly in YunoHost, use this command
+# PLEASE: if you wish to change the ssh port properly in YunoHost, use this command:
 # yunohost settings set security.ssh.port -v
 Port {{ port }}
@@ -55,12 +55,12 @@ PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
-# PLEASE: to force everybody to authenticate using ssh keys, run this command:
+# PLEASE: if you wish to force everybody to authenticate using ssh keys, run this command:
 # yunohost settings set security.ssh.password_authentication -v no
-{% if password_authentication == "True" %}
-#PasswordAuthentication yes
-{% else %}
+{% if password_authentication == "False" %}
 PasswordAuthentication no
+{% else %}
+#PasswordAuthentication yes
 {% endif %}
 # Post-login stuff
From dce411e0e62193094f6613dfdca081a7ca46a04c Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Mon, 27 Dec 2021 15:36:38 +0100
Subject: [PATCH 4/4] Improve setting description

---
 locales/en.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/locales/en.json b/locales/en.json
index 66f42df58..bfd410740 100644
--- a/locales/en.json
+++ b/locales/en.json
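Review bot: The new `{% if password_authentication == "False" %}` test matches only the exact spelling Python prints for a bool, so any other value the hook might pass through (`false`, `0`, or an empty string when `yunohost settings get` fails) renders with password authentication enabled; that fail-open choice is the commit's stated intent, but the template itself does not say so. I would make the comparison tolerant, `{% if password_authentication|lower == "false" %}` (assuming the renderer is Jinja2, as the syntax suggests), and add above it `# Anything other than "False" keeps password auth on, so a broken setting lookup cannot lock admins out`. The exact value format is decided in the 03-ssh regen hook, not in this file, so the check here should not be tightened without looking there.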
@@ -382,7 +382,7 @@
     "global_settings_setting_security_password_user_strength": "User password strength",
     "global_settings_setting_security_postfix_compatibility": "Compatibility vs. security tradeoff for the Postfix server. Affects the ciphers (and other security-related aspects)",
     "global_settings_setting_security_ssh_compatibility": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects)",
-    "global_settings_setting_security_ssh_password_authentication": "Password authentication allowed",
+    "global_settings_setting_security_ssh_password_authentication": "Allow password authentication for SSH",
     "global_settings_setting_security_ssh_port": "SSH port",
     "global_settings_setting_security_webadmin_allowlist": "IP adresses allowed to access the webadmin. Comma-separated.",
     "global_settings_setting_security_webadmin_allowlist_enabled": "Allow only some IPs to access the webadmin.",