Tell HN: Ubuntu 24.04 force enables password auth, need to disable differently
8 months ago
Just installed Ubuntu 24.04 from the server image (https://ubuntu.com/download/server) and was just bitten by this.
Disabling password auth in `/etc/ssh/sshd_config` does nothing.
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
^ This is a lie, setting it to "no" does nothing.
You also need to delete `/etc/ssh/sshd_config.d/50-cloud-init.conf`, which contains a single line:
    PasswordAuthentication yes
Other people complaining about the same thing:
[0] https://www.mikeberggren.com/deb-ssh-auth
[1] https://askubuntu.com/questions/1516262/why-is-50-cloud-init-conf-created
[2] https://askubuntu.com/a/435620
This comes from the `ssh_pwauth` setting in cloud-init. Docs: https://cloudinit.readthedocs.io/en/latest/reference/modules...
The PR https://github.com/canonical/cloud-init/pull/1618 implemented using a "sshd_config.d" file.
You can still configure it to be key only; you just need to put your own override as a file in `/etc/ssh/sshd_config.d/` rather than `/etc/ssh/sshd_config`.
The files are read in order, so your filename needs to sort after the 50-cloud-init.conf file. This would work: `echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/60-password-auth.conf`
It is the first configuration that sticks.
That is how include * sshd_config_d overrides all subsequent lines in sshd_config.
So it would need to be 00-password-auth.conf for it to work.
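The precedence rule at issue here (sshd keeps the first value it reads for a keyword, and an `Include` glob expands in lexical order), as an added example that is not part of the thread or of any commenter's post. It rebuilds the layout from the post in a temporary directory; the function names `walk`, `effective` and `build_demo` are hypothetical, and it assumes absolute `Include` paths, `Keyword value` syntax and no `Match` blocks.

```shell
#!/bin/sh
# Added example (not from the thread): list every value of one sshd_config
# keyword in the order sshd reads it. For global settings the first one wins.
# Assumptions: absolute Include paths, "Keyword value" syntax, no Match blocks.
LC_ALL=C; export LC_ALL          # predictable lexical order for the glob

# walk FILE lowercase-keyword -> one "value<TAB>file" line per occurrence
walk() {
    while read -r key val || [ -n "$key" ]; do
        case $key in ''|\#*) continue ;; esac
        k=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        if [ "$k" = include ]; then
            for f in $val; do            # unquoted on purpose: expand the glob
                if [ -f "$f" ]; then walk "$f" "$2"; fi
            done
        elif [ "$k" = "$2" ]; then
            printf '%s\t%s\n' "$val" "$1"
        fi
    done < "$1"
}

# effective FILE Keyword -> the value that wins (first occurrence)
effective() {
    walk "$1" "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" | sed -n '1p' | cut -f1
}

# Constructed layout mirroring the post: Include at the top of sshd_config,
# the cloud-init drop-in saying "yes", and the main file saying "no".
build_demo() {
    mkdir -p "$1/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' "$1" > "$1/sshd_config"
    echo 'PasswordAuthentication yes' > "$1/sshd_config.d/50-cloud-init.conf"
}

demo=$(mktemp -d)
build_demo "$demo"
echo "stock layout:      $(effective "$demo/sshd_config" PasswordAuthentication)"
echo 'PasswordAuthentication no' > "$demo/sshd_config.d/60-password-auth.conf"
echo "with 60- drop-in:  $(effective "$demo/sshd_config" PasswordAuthentication)"
echo 'PasswordAuthentication no' > "$demo/sshd_config.d/00-password-auth.conf"
echo "with 00- drop-in:  $(effective "$demo/sshd_config" PasswordAuthentication)"
walk "$demo/sshd_config" passwordauthentication   # shows the shadowed lines too
rm -rf "$demo"
```

On a real host, `sshd -T | grep -i passwordauthentication` (run as root) prints the value the daemon itself resolves, which is the check to run after changing any drop-in.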
Is there a Launchpad bug against Ubuntu? Cloud-init is probably to blame here.
Bug was filed here: https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/20...
I’ve emailed security and they said they would contact the cloud-init folks.
Add `ssh_pwauth: false` if you can edit the cloud-init configuration - that's what I'm doing.
Just checked on 24.10, it's set to "no"