roles/common: default to disabling SSH passwords

roles/common/templates/sshd_config_Debian-11.j2

@@ -56,7 +56,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
 #PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with

roles/common/templates/sshd_config_Debian-12.j2

@@ -56,8 +56,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
 PasswordAuthentication yes
-PermitEmptyPasswords no
+{% endif %}
+#PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)

roles/common/templates/sshd_config_Ubuntu-20.04.j2

@@ -56,7 +56,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
 #PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
@@ -122,7 +126,6 @@ Subsystem sftp	/usr/lib/openssh/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
-PasswordAuthentication yes
 
 # Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
 # ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now