From 65551fdc5e20949ffb59ead090984617930b9a40 Mon Sep 17 00:00:00 2001 From: Simeon Keske Date: Fri, 3 Apr 2020 13:03:57 +0200 Subject: [PATCH] ssh: allow to enable password auth --- defaults/main.yml | 1 + tasks/packages.yml | 12 ++++++------ tasks/sshd.yml | 20 +++++++++++++++++++- 3 files changed, 26 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 014624f..27b61ca 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,3 +4,4 @@ users: - { name: 'nouser', state: 'absent', public_key: '' } system_locale: en_US.UTF-8 +ssh_allow_password: no diff --git a/tasks/packages.yml b/tasks/packages.yml index abe2eb2..d4e8598 100644 --- a/tasks/packages.yml +++ b/tasks/packages.yml @@ -1,8 +1,8 @@ --- - name: Update and upgrade apt packages apt: - upgrade: 'yes' - update_cache: 'yes' + upgrade: dist + update_cache: yes cache_valid_time: 86400 # One day - name: install a default set of packages @@ -22,13 +22,13 @@ - zip - unzip - zsh - - python-pip - - python3-pip - - python-setuptools - - python3-setuptools - rsync - gnupg - sudo - curl + - python-pip + - python3-pip + - python-setuptools + - python3-setuptools state: present tags: packages diff --git a/tasks/sshd.yml b/tasks/sshd.yml index 13bb57a..8dfc445 100644 --- a/tasks/sshd.yml +++ b/tasks/sshd.yml @@ -4,6 +4,7 @@ path: /etc/ssh/sshd_config regexp: '^#?AuthenticationMethods ' line: 'AuthenticationMethods publickey' + when: not ssh_allow_password notify: reload sshd service - name: Disable SSH password authentication 
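Review bot: `ssh_allow_password: no` in defaults/main.yml spells the boolean the YAML 1.1 way, which Ansible accepts but yamllint's truthy rule and ansible-lint flag, and which a YAML 1.2 reader keeps as the string `no`; write `ssh_allow_password: false` so the default is unambiguously a boolean. Since this switch widens the SSH attack surface when flipped, a comment above it would help role consumers, e.g. `# Keep false unless password logins are required; true makes sshd accept passwords (see tasks/sshd.yml)`.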
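Review bot: `upgrade: dist` in the first tasks/packages.yml hunk changes behaviour, not just spelling — the apt module's `dist` runs a dist-upgrade, which may remove or replace installed packages to satisfy dependencies, whereas the previous `'yes'` is the conservative upgrade; this is unrelated to the subject "ssh: allow to enable password auth" and deserves its own commit or at least a sentence in the message. If the full upgrade is intended, document it in place, e.g. `# dist-upgrade: may remove or replace packages to resolve dependencies`. As with the defaults change, prefer `update_cache: true` over the bare `yes`.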
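Review bot: `when: not ssh_allow_password` in the first tasks/sshd.yml hunk tests the raw variable, so a value supplied as a string (`-e ssh_allow_password=no` on the command line, or `'no'` from an inventory) is a non-empty string and therefore truthy in Jinja — the publickey-only `AuthenticationMethods` line would be skipped and, in the next hunk, password authentication enabled, the opposite of what the operator asked for. Coerce in every condition: `when: not (ssh_allow_password | bool)` here and in the `Disable SSH password authentication` task, and `when: ssh_allow_password | bool` in the two new tasks of the second hunk. The task this hunk conditions begins above the hunk, outside this view.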
@@ -11,4 +12,21 @@
     path: /etc/ssh/sshd_config
     regexp: '^#?PasswordAuthentication '
     line: 'PasswordAuthentication no'
-  notify: reload sshd service
\ No newline at end of file
+  when: not ssh_allow_password
+  notify: reload sshd service
+
+- name: Restrict SSH to public key and password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?AuthenticationMethods '
+    line: 'AuthenticationMethods publickey password'
+  when: ssh_allow_password
+  notify: reload sshd service
+
+- name: Enable SSH password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?PasswordAuthentication '
+    line: 'PasswordAuthentication yes'
+  when: ssh_allow_password
+  notify: reload sshd service
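Review bot: The two new tasks (like the existing ones above them) rewrite sshd_config and notify a reload with no syntax check, so a typo in a `line:` value would be reloaded into a daemon that may then refuse every further login; `lineinfile` supports `validate: 'sshd -t -f %s'` for exactly this case and it belongs on all four tasks. Turning on `PasswordAuthentication yes` also leaves the remaining hardening to distribution defaults — nothing in this hunk sets `PermitRootLogin` or `PermitEmptyPasswords` — so the `Enable SSH password authentication` task should at least carry a comment such as `# Accepts password logins for every local account with a password; pair with PermitRootLogin/MaxAuthTries settings`. The `Disable SSH password authentication` task whose tail this hunk edits starts above the hunk.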