Closed
Description
Currently Go's SSH package doesn't permit a server to conditionally permit auth type "none" at runtime. There's a NoClientAuth bool flag to globally enable it, but you can't decide as a function of the ConnMetaData (username, IPs, etc) whether to permit it.
I propose adding a ServerConfig.NoClientAuthCallback auth hook, with a signature like the existing auth hooks:
```go
// NoClientAuthCallback, if non-nil, is called when a user
// attempts to authenticate with auth method "none".
// NoClientAuth must also be set to true for this to be used, or
// this func is unused.
NoClientAuthCallback func(ConnMetadata) (*Permissions, error)
```

I sent https://go-review.googlesource.com/c/crypto/+/395314 which @rolandshoemaker approved, but this is the proposal for the API change.
/cc @maisem
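An added example, not part of the original issue or of the Go project's code: the kind of per-connection decision the proposed hook makes possible, written as a fail-closed policy over username and remote address. The `nonePolicy` type, `check` method, `errNoneDenied`, and the sample user and network are hypothetical, and the wiring into `ServerConfig` is shown only in a comment so the block builds with the standard library alone.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// nonePolicy (hypothetical) allow-lists the users that may use auth
// method "none" and the networks they may use it from.
type nonePolicy struct {
	users map[string]bool
	nets  []*net.IPNet
}

var errNoneDenied = errors.New("auth method none not permitted")

// check takes the two ConnMetadata values the proposal mentions (username
// and remote address) and returns nil only when both are allow-listed.
// Anything it cannot evaluate is denied. With the proposed hook it would be
// wired as:
//
//	NoClientAuth: true,
//	NoClientAuthCallback: func(c ssh.ConnMetadata) (*ssh.Permissions, error) {
//		return nil, p.check(c.User(), c.RemoteAddr())
//	},
func (p nonePolicy) check(user string, remote net.Addr) error {
	tcp, ok := remote.(*net.TCPAddr)
	if !ok || tcp == nil || tcp.IP == nil || !p.users[user] {
		return errNoneDenied
	}
	for _, n := range p.nets {
		if n.Contains(tcp.IP) {
			return nil
		}
	}
	return errNoneDenied
}

func main() {
	_, mgmt, _ := net.ParseCIDR("10.0.0.0/8") // constructed sample network
	p := nonePolicy{users: map[string]bool{"kiosk": true}, nets: []*net.IPNet{mgmt}}
	fmt.Println(p.check("kiosk", &net.TCPAddr{IP: net.ParseIP("10.1.2.3")}))
	fmt.Println(p.check("root", &net.TCPAddr{IP: net.ParseIP("10.1.2.3")}))
}
```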