From 6969ddf87c5cc910f3afa0f8f574ff62a70ee853 Mon Sep 17 00:00:00 2001 From: debbabi Date: Mon, 26 Feb 2024 11:32:12 +0100 Subject: [PATCH] add ssh_pubkey_authentication variable --- roles/ssh_hardening/README.md | 5 +++++ roles/ssh_hardening/defaults/main.yml | 3 +++ roles/ssh_hardening/templates/opensshd.conf.j2 | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md index 97af57676..fe983dc61 100644 --- a/roles/ssh_hardening/README.md +++ b/roles/ssh_hardening/README.md @@ -423,6 +423,11 @@ If idempotency is important, please consider using role [`ssh-hardening-fallback - Description: Set to `false` to disable X11 Forwarding. Set to `true` to allow X11 Forwarding. - Type: bool - Required: no +- `ssh_pubkey_authentication` + - Default: `true` + - Description: Set to `false` to disable publickey authentication. + - Type: bool + - Required: no - `sshd_authenticationmethods` - Default: `publickey` - Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml` diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml index 4c21c8cd7..bae406aa6 100644 --- a/roles/ssh_hardening/defaults/main.yml +++ b/roles/ssh_hardening/defaults/main.yml @@ -96,6 +96,9 @@ ssh_x11_forwarding: false # sshd # false to disable pam authentication. ssh_use_pam: true # sshd +# false to disable publickey authentication +ssh_pubkey_authentication: true + # specify AuthenticationMethods sshd_authenticationmethods: publickey diff --git a/roles/ssh_hardening/templates/opensshd.conf.j2 b/roles/ssh_hardening/templates/opensshd.conf.j2 index d8a0b8409..4ac0e7135 100644 --- a/roles/ssh_hardening/templates/opensshd.conf.j2 +++ b/roles/ssh_hardening/templates/opensshd.conf.j2 
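Review bot: The new default's comment `# false to disable publickey authentication` does not mention that the variable is only safe to flip together with `sshd_authenticationmethods`, which three lines below still defaults to `publickey`; a reader turning this off and leaving the methods list alone would disable the only method that list requires. I would extend the comment to `# false to disable publickey authentication. If disabled, sshd_authenticationmethods below must list another enabled method (e.g. password), otherwise sshd refuses every login.` The same caveat belongs in the README entry added in the first hunk, which currently only says "Set to `false` to disable publickey authentication." Whether the role already has a password-login switch to point at is not visible in this patch, so the exact cross-reference should be confirmed against `defaults/main.yml`.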
@@ -112,7 +112,7 @@ MaxSessions {{ ssh_max_sessions }} MaxStartups {{ ssh_max_startups }} # Enable public key authentication -PubkeyAuthentication yes +PubkeyAuthentication {{ 'yes' if (ssh_pubkey_authentication|bool) else 'no' }} # Never use host-based authentication. It can be exploited. IgnoreRhosts yes
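Review bot: Rendering `PubkeyAuthentication no` while `AuthenticationMethods` is still rendered from `sshd_authenticationmethods` (default `publickey`, unchanged by this patch) produces a configuration in which the only required method is disabled; in current OpenSSH releases sshd drops disabled methods from each AuthenticationMethods list and aborts the connection when no list is left, so the effect of `ssh_pubkey_authentication: false` on an otherwise-default host is a lockout rather than a fallback to passwords — worth verifying against the target OpenSSH versions, but it should at least be caught before the config is written. A pre-task assertion along the lines of `that: ssh_pubkey_authentication | bool or 'publickey' not in sshd_authenticationmethods` with a clear failure message would turn the silent lockout into a visible playbook failure; the `AuthenticationMethods` line itself is outside this hunk. The comment above the changed line, `# Enable public key authentication`, is now misleading when the variable is false; I would change it to `# Public key authentication, controlled by ssh_pubkey_authentication. If disabled, AuthenticationMethods below must not require publickey.`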