add ssh_pubkey_authentication variable

Signed-off-by: debbabi <[email protected]>

Author: debbabi

Diff for: roles/ssh_hardening/README.md

@@ -423,6 +423,11 @@ If idempotency is important, please consider using role [`ssh-hardening-fallback
   - Description: Set to `false` to disable X11 Forwarding. Set to `true` to allow X11 Forwarding.
   - Type: bool
   - Required: no
+- `ssh_pubkey_authentication`
+  - Default: `true`
+  - Description: Set to `false` to disable publickey authentication.
+  - Type: bool
+  - Required: no
 - `sshd_authenticationmethods`
   - Default: `publickey`
   - Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`

Diff for: roles/ssh_hardening/defaults/main.yml

@@ -96,6 +96,9 @@ ssh_x11_forwarding: false # sshd
 # false to disable pam authentication.
 ssh_use_pam: true # sshd
 
+# false to disable publickey authentication
+ssh_pubkey_authentication: true
+
 # specify AuthenticationMethods
 sshd_authenticationmethods: publickey
 

Diff for: roles/ssh_hardening/templates/opensshd.conf.j2

@@ -112,7 +112,7 @@ MaxSessions {{ ssh_max_sessions }}
 MaxStartups {{ ssh_max_startups }}
 
 # Enable public key authentication
-PubkeyAuthentication yes
+PubkeyAuthentication {{ 'yes' if (ssh_pubkey_authentication|bool) else 'no' }}
 
 # Never use host-based authentication. It can be exploited.
 IgnoreRhosts yes