Adds option to enable password based authentication on the server

README.md

@@ -46,6 +46,8 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_client_roaming` | false | enable experimental client roaming|
 |`sshd_moduli_minimum` | 2048 | remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam|
 |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
+|`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
+|`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
 
 ## Example Playbook
 

defaults/main.yml

@@ -17,8 +17,9 @@ ssh_server_weak_hmac: false             # sshd
 ssh_client_weak_kex: false              # ssh
 ssh_server_weak_kex: false              # sshd
 
-# If true, password login is allowed. For sshd, it is always set to no password login.
+# If true, password login is allowed
 ssh_client_password_login: false          # ssh
+ssh_server_password_login: false          # sshd
 
 # ports on which ssh-server should listen
 ssh_server_ports: ['22']      # sshd

templates/opensshd.conf.j2

@@ -131,7 +131,7 @@ HostbasedAuthentication no
 UsePAM {{ 'yes' if ssh_use_pam else 'no' }}
 
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-PasswordAuthentication no
+PasswordAuthentication {{ 'yes' if ssh_server_password_login else 'no' }}
 PermitEmptyPasswords no
 ChallengeResponseAuthentication {{ 'yes' if ssh_challengeresponseauthentication else 'no' }}