Merge pull request #102 from linaksa/master

Configurable PasswordAuthentication

Author: chris-rock

attributes/default.rb

@@ -66,6 +66,7 @@
 default['ssh']['allow_groups']            = []      # sshd
 default['ssh']['print_motd']              = false   # sshd
 default['ssh']['print_last_log']          = false   # sshd
+default['ssh']['password_authentication'] = false    # sshd
 # set this to nil to let us use the default OpenSSH in case it's not set by the user
 default['ssh']['use_dns']                 = nil     # sshd
 # set this to nil to let us detect the attribute based on the node platform

templates/default/opensshd.conf.erb

@@ -104,7 +104,7 @@ HostbasedAuthentication no
 # Enable PAM to enforce system wide rules
 UsePAM <%= ((@node['ssh']['use_pam']) ? "yes" : "no" ) %>
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-PasswordAuthentication no
+PasswordAuthentication <%= ((@node['ssh']['password_authentication']) ? "yes" : "no" ) %>
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no