Add debconf template to disable password auth

The new template is called openssh-server/password-authentication, and
is preseeding-only (at least for now).

Closes: #878945

1 files changed, 6 insertions, 0 deletions

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 94a47da20..ae273e9c8 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -88,6 +88,8 @@ create_sshdconfig() {
         # false -> yes.
         db_get openssh-server/permit-root-login
         permit_root_login="$RET"
+        db_get openssh-server/password-authentication
+        password_authentication="$RET"
 
         trap cleanup EXIT
         new_config="$(tempfile)"
@@ -96,6 +98,10 @@ create_sshdconfig() {
                 sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
                         "$new_config"
         fi
+        if [ "$password_authentication" != true ]; then
+                sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
+                        "$new_config"
+        fi
         mkdir -p /etc/ssh
         ucf --three-way --debconf-ok \
                 --sum-file /usr/share/openssh/sshd_config.md5sum \