From 83ef8912466fdbc8585a88acedbe2c333ed9f923 Mon Sep 17 00:00:00 2001
From: Colin Nolan
Date: Sat, 22 Apr 2017 19:55:08 +0100
Subject: [PATCH 1/2] Adds option to set whether password authentication is allowed with sshd.

---
 defaults/main.yml | 3 ++-
 templates/opensshd.conf.j2 | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index f36045a..fd7b8cd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -17,8 +17,9 @@ ssh_server_weak_hmac: false # sshd
 ssh_client_weak_kex: false # ssh
 ssh_server_weak_kex: false # sshd
-# If true, password login is allowed. For sshd, it is always set to no password login.
+# If true, password login is allowed
 ssh_client_password_login: false # ssh
+ssh_server_password_login: false # sshd
 # ports on which ssh-server should listen
 ssh_server_ports: ['22'] # sshd
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
index 11087cc..28dab4e 100644
--- a/templates/opensshd.conf.j2
+++ b/templates/opensshd.conf.j2
@@ -131,7 +131,7 @@ HostbasedAuthentication no
 UsePAM {{ 'yes' if ssh_use_pam else 'no' }}
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-PasswordAuthentication no
+PasswordAuthentication {{ 'yes' if ssh_server_password_login else 'no' }}
 PermitEmptyPasswords no
 ChallengeResponseAuthentication {{ 'yes' if ssh_challengeresponseauthentication else 'no' }}

From a3d3de70ceb485eb2032e16947e41f3d9afcb690 Mon Sep 17 00:00:00 2001
From: Colin Nolan
Date: Sat, 22 Apr 2017 19:58:47 +0100
Subject: [PATCH 2/2] Updates documentation.

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 18f305b..c8faee0 100644
--- a/README.md
+++ b/README.md
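Review bot: The context comment `# Disable password-based authentication, it can allow for potentially easier brute-force attacks.` directly above the new `PasswordAuthentication {{ 'yes' if ssh_server_password_login else 'no' }}` line is now stale, because the directive is no longer unconditionally `no`; it should name the switch, e.g. `# Password-based authentication is controlled by ssh_server_password_login (default: false); enabling it makes brute-force attacks easier.`. The new variable only governs PasswordAuthentication: with `UsePAM yes` and `ChallengeResponseAuthentication yes` a few lines away, sshd may still accept a password through keyboard-interactive, so the comment (and the README row for `ssh_server_password_login`) should not present this flag as the only path to password logins. As with the neighbouring `ssh_use_pam` conditional, a non-empty string such as `"no"` is truthy in Jinja and would render `yes`, so the defaults comment `# If true, password login is allowed` in the first hunk could state that the value must be a YAML boolean.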
@@ -46,6 +46,8 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_client_roaming` | false | enable experimental client roaming|
 |`sshd_moduli_minimum` | 2048 | remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam|
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
+|`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
+|`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
 ## Example Playbook