From 288b010fe58431cb6935d9b97a174bc20a928d27 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Tue, 2 Feb 2021 14:12:43 +0200
Subject: [PATCH] sshd: move mikaela-prohibit-password.conf to broken/

Apparently OpenSSH only allows PasswordAuthentication yes within a Match block.
---
 etc/ssh/sshd_config.d/anoncvs.conf | 5 ++++-
 .../sshd_config.d/broken/mikaela-prohibit-password.conf | 7 +++++++
 etc/ssh/sshd_config.d/mikaela-prohibit-password.conf | 5 -----
 etc/ssh/sshd_config.d/user-permit-password.conf | 6 +++++-
 4 files changed, 16 insertions(+), 7 deletions(-)
 create mode 100644 etc/ssh/sshd_config.d/broken/mikaela-prohibit-password.conf
 delete mode 100644 etc/ssh/sshd_config.d/mikaela-prohibit-password.conf

diff --git a/etc/ssh/sshd_config.d/anoncvs.conf b/etc/ssh/sshd_config.d/anoncvs.conf
index 96450f5d..c676d5e7 100644
--- a/etc/ssh/sshd_config.d/anoncvs.conf
+++ b/etc/ssh/sshd_config.d/anoncvs.conf
@@ -1,5 +1,8 @@
 # Version Control System accounts musn't have X11Forwarding, TCP Forwarding
-# or TTY. The anoncvs is usually a comment in stock sshd_config
+# or TTY. The anoncvs is usually a comment in stock sshd_config.
+# The password blocking may only work in reverse so this file is partially
+# useless. https://serverfault.com/a/461865 & OpenSSH_8.4p1
+
 Match User anoncvs,git,gitea
 PasswordAuthentication no
 AuthenticationMethods publickey
diff --git a/etc/ssh/sshd_config.d/broken/mikaela-prohibit-password.conf b/etc/ssh/sshd_config.d/broken/mikaela-prohibit-password.conf
new file mode 100644
index 00000000..59a7dc40
--- /dev/null
+++ b/etc/ssh/sshd_config.d/broken/mikaela-prohibit-password.conf
@@ -0,0 +1,7 @@
+# User Mikaela hates passwords and will only use keys. This may only work
+# in reverse so this file is useless. https://serverfault.com/a/461865
+# & OpenSSH_8.4p1
+Match User mikaela
+ PasswordAuthentication no
+ AuthenticationMethods publickey
+Match All
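Review bot: The comment added to anoncvs.conf (and the header of the new broken/mikaela-prohibit-password.conf) says the password block "may only work in reverse", but the `AuthenticationMethods publickey` line in the same Match block already restricts those users to public-key authentication whatever `PasswordAuthentication` does, so the "partially useless" claim looks overstated. If the observed symptom was that a password prompt still appeared, the more likely cause is keyboard-interactive authentication staying enabled (`KbdInteractiveAuthentication` / `ChallengeResponseAuthentication`, which PAM-based distributions use for password prompts), and `sshd -T -C user=git` would show the effective settings for the matched user before the mechanism is documented as broken. Separately, anoncvs.conf still ends inside the Match block with no closing `Match All`, unlike the broken/ file; if the directory is pulled in by an `Include` glob, whether later drop-ins inherit that Match scope depends on the OpenSSH version, so a trailing `Match All` is a cheap safeguard. I would reword the new comment to `# AuthenticationMethods publickey below already limits these users to keys; if password prompts still appear, check KbdInteractiveAuthentication/ChallengeResponseAuthentication.`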
diff --git a/etc/ssh/sshd_config.d/mikaela-prohibit-password.conf b/etc/ssh/sshd_config.d/mikaela-prohibit-password.conf
deleted file mode 100644
index 4a2971de..00000000
--- a/etc/ssh/sshd_config.d/mikaela-prohibit-password.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# User Mikaela hates passwords and will only use keys.
-Match User mikaela
- PasswordAuthentication no
- AuthenticationMethods publickey
-Match All
diff --git a/etc/ssh/sshd_config.d/user-permit-password.conf b/etc/ssh/sshd_config.d/user-permit-password.conf
index 1b244470..1945abb2 100644
--- a/etc/ssh/sshd_config.d/user-permit-password.conf
+++ b/etc/ssh/sshd_config.d/user-permit-password.conf
@@ -1,5 +1,9 @@
 # This is the opposite of mikaela-prohibit-password.conf and shouldn't be
-# used, that is why it's in comments
+# used, that is why it's in comments.
+
+# As of OpenSSH_8.4p1 this may be the only way this works, with globally
+# blocking passwords, but accepting only specific users to use passwords.
+# https://serverfault.com/a/461865 OpenSSH_8.4p1
 #Match User someone
 # PasswordAuthentication yes