From 29b2d7b01168849e4be2ca337185674bd1396f77 Mon Sep 17 00:00:00 2001
From: Maxime Boissonneault
Date: Wed, 20 Mar 2024 11:39:59 -0400
Subject: [PATCH 1/2] Add authenticationmethods param to local user

---
 data/common.yaml | 1 +
 site/profile/manifests/users.pp | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/data/common.yaml b/data/common.yaml
index 030b9dc13..ed93b3f2c 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -267,6 +267,7 @@ profile::users::local::users:
 public_keys: "%{alias('terraform.data.public_keys')}"
 groups: ['adm', 'wheel', 'systemd-journal']
 sudoer: true
+ authenticationmethods: 'publickey'
 
 profile::freeipa::base::domain_name: "%{alias('terraform.data.domain_name')}"
 
diff --git a/site/profile/manifests/users.pp b/site/profile/manifests/users.pp
index 5692af206..03e2fb52e 100644
--- a/site/profile/manifests/users.pp
+++ b/site/profile/manifests/users.pp
@@ -128,6 +128,7 @@
 Boolean $sudoer = false,
 String $selinux_user = 'unconfined_u',
 String $mls_range = 's0-s0:c0.c1023',
+ String $authenticationmethods = '',
 ) {
 # Configure local account and ssh keys
 user { $name:
@@ -171,4 +172,13 @@
 line => "${name} ALL=(ALL) NOPASSWD:ALL",
 require => File['/etc/sudoers.d/90-puppet-users'],
 }
+
+ if $authenticationmethods != '' {
+ sshd_config { "${name} authenticationmethods":
+ ensure => present,
+ condition => "User ${name}",
+ key => 'AuthenticationMethods',
+ value => $authenticationmethods
+ }
+ }
 }

From b406d31b39f168c77294832193cb8b6351ccdca2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?=
Date: Mon, 10 Jun 2024 16:43:57 -0400
Subject: [PATCH 2/2] Update docs

---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 06914a165..9a2859ba5 100644
--- a/README.md
+++ b/README.md
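Review bot: In the second users.pp hunk the `if $authenticationmethods != ''` block only ever declares the `sshd_config` resource with `ensure => present`, so resetting a user's `authenticationmethods` back to the default `''` leaves the previously written `AuthenticationMethods` line under `Match User ${name}` in sshd_config, and whatever method list was applied earlier silently stays in force; an `else` branch declaring the same resource with `ensure => absent` keeps the file in sync with the data. In the first hunk the parameter is a bare `String`, and sshd refuses its whole configuration on a malformed method list, so a stricter type such as `Pattern[/\A[a-z0-9-]+(,[a-z0-9-]+)*( [a-z0-9-]+(,[a-z0-9-]+)*)*\z/]` (or at least `Optional[String[1]]`) would reject typos at catalog compile time instead of at the next sshd reload. Minor: `value => $authenticationmethods` lacks the trailing comma the surrounding resource uses, and whether a change to this resource notifies the sshd service is not visible in this hunk. The enclosing define (the README calls it `profile::users::local_user`) starts outside the hunk.
```puppet
    if $authenticationmethods != '' {
      # … unchanged: sshd_config with ensure => present …
    } else {
      # Clearing the parameter must also drop the Match-block entry, otherwise
      # a previously applied AuthenticationMethods restriction persists.
      sshd_config { "${name} authenticationmethods":
        ensure    => absent,
        condition => "User ${name}",
        key       => 'AuthenticationMethods',
      }
    }
```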
@@ -1315,7 +1315,7 @@ A `profile::users::local_user` is defined as a dictionary with the following key
 | `sudoer` | If enable, the user can sudo without password | Boolean | Yes |
 | `selinux_user` | SELinux context for the user | String | Yes |
 | `mls_range` | MLS Range for the user | String | Yes |
-
+| `authenticationmethods` | Specifies AuthenticationMethods value for this user in sshd_config | String | Yes |
default values
@@ -1326,6 +1326,7 @@ profile::users::local::users:
 public_keys: "%{alias('terraform.data.public_keys')}"
 groups: ['adm', 'wheel', 'systemd-journal']
 sudoer: true
+ authenticationmethods: 'publickey'
 ```
 
 If `profile::users::local::users` is present in more than one YAML file in the hierarchy,
@@ -1346,5 +1347,6 @@ profile::users::local::users:
 # sudoer: false
 # selinux_user: 'unconfined_u'
 # mls_range: ''s0-s0:c0.c1023'
+ # authenticationmethods: 'publickey,password publickey,keyboard-interactive'
 ```