Why SSH Password Login Persisted: The cloud-init Drop-in Configuration Trap
There was a time when I tried to disable SSH password login and use only key authentication to enhance server security. Despite changing the PasswordAuthentication setting to 'no' in the /etc/ssh/sshd_config file and restarting the sshd daemon, I still encountered a situation where password access was possible. I was frustrated that the configuration file I modified wasn't being applied. It made me pause, thinking that some unexpected setting was being enforced. Even though I followed the usual SSH configuration change procedure, I spent some time figuring out why I wasn't getting the desired result. This problem often occurs in cloud environments. I finally found some time on the weekend to organize my findings.
What this post covers
Understanding how OpenSSH configurations are merged from multiple filesIdentifying the mechanism by which cloud-init overwrites SSH settingsHow to check the actual applied SSH configuration using the sshd -T commandFollowing the safe procedure to disable SSH password login*Target Audience:* Developers or system administrators who are confused because their SSH password login disablement settings are not being applied.Difficulty: Intermediate







