from Hacker News

Tell HN: Ubuntu 24.04 force enables password auth, need to disable differently

by samlinnfer on 11/14/24, 4:32 AM with 8 comments

Just installed Ubuntu 24.04 from the server image (https://ubuntu.com/download/server) and was just bitten by this.

Disabling password auth in `/etc/ssh/sshd_config` does nothing.

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    ^ This is a lie, setting it to "no" does nothing

You also need to delete `/etc/ssh/sshd_config.d/50-cloud-init.conf`, which contains a single line:

    PasswordAuthentication yes

Other people complaining about the same thing:

[0] https://www.mikeberggren.com/deb-ssh-auth

[1] https://askubuntu.com/questions/1516262/why-is-50-cloud-init-conf-created

[2] https://askubuntu.com/a/435620
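
An added example, not part of the original post or any commenter's code: a small resolver that walks a config tree the way sshd_config(5) describes, keeping the first value obtained for a keyword, to show why the drop-in's value beats the edit in the main file. The tree is a constructed sample that assumes the `Include` line precedes the main file's own `PasswordAuthentication` line; `directives`, `effective` and `demo` are hypothetical names.

```python
import glob
import os
import tempfile

MAIN = "/etc/ssh/sshd_config"


def directives(root, path):
    """Yield (keyword, argument, file) in the order sshd reads them."""
    with open(root + path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            keyword = parts[0].lower()  # keywords are case-insensitive
            arg = parts[1].strip() if len(parts) > 1 else ""
            if keyword == "match":
                return  # simplification: skip the conditional rest of this file
            if keyword != "include":
                yield keyword, arg, path
                continue
            for pattern in arg.split():
                if not pattern.startswith("/"):
                    pattern = "/etc/ssh/" + pattern  # relative to /etc/ssh
                for hit in sorted(glob.glob(glob.escape(root) + pattern)):
                    yield from directives(root, hit[len(root):])


def effective(root, keyword):
    """Return (value, file) for the first value obtained; later ones are ignored."""
    for name, arg, src in directives(root, MAIN):
        if name == keyword.lower():
            return arg, src
    return None, None


def demo():
    """Constructed sample tree mirroring the layout described in the post."""
    with tempfile.TemporaryDirectory() as root:
        dropin = root + MAIN + ".d"
        os.makedirs(dropin)
        with open(root + MAIN, "w") as fh:
            fh.write("Include /etc/ssh/sshd_config.d/*.conf\n"
                     "PasswordAuthentication no\n")
        with open(dropin + "/50-cloud-init.conf", "w") as fh:
            fh.write("PasswordAuthentication yes\n")
        before = effective(root, "PasswordAuthentication")
        os.remove(dropin + "/50-cloud-init.conf")  # the fix from the post
        after = effective(root, "PasswordAuthentication")
    return before, after
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check after any change.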

  • by systmsh on 11/14/24, 3:58 PM

    This comes from the `ssh_pwauth` setting in cloud-init. Docs: https://cloudinit.readthedocs.io/en/latest/reference/modules...

    The PR https://github.com/canonical/cloud-init/pull/1618 implemented using a "sshd_config.d" file.

  • by lathiat on 11/15/24, 3:10 AM

    You can still configure it to be key only, you just need to put your own override as a file in /etc/ssh/sshd_config.d/ rather than /etc/ssh/sshd_config.

    The files are read in order, so your filename needs to sort after the 50-cloud-init.conf file. This would work: `echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/60-password-auth.conf`

  • by necovek on 11/14/24, 5:33 AM

    Is there a Launchpad bug against Ubuntu? Cloud-init is probably to blame here.

  • by jcrben on 11/18/24, 12:01 AM

    Add `ssh_pwauth: false` if you can edit the cloud-init configuration - that's what I'm doing.

  • by jmakov on 11/14/24, 6:56 PM

    Just checked on 24.10, it's set to "no"