The Problem (Summary)
Disabling SSH password authentication in sshd_config no longer works. After disabling it, you can still log into an Ubuntu server (22.04.3 in my case) using a password.
There is a description of my process and a fix below.
My Experience
I’ve just installed Ubuntu 22.04.3 LTS and set up SSH as I have done for years.
In /etc/ssh/ssh_config I changed:
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Then I restarted the service:
systemctl restart sshd
I could still log in by password.
It seems /etc/ssh/sshd_config.d/50-cloud-init.conf now contains a line PasswordAuthentication yes, which overrides ssh_config.
To my way of thinking, this is a security flaw introduced by Ubuntu in this release, as it breaks years of tradition and standard practice where disabling password authentication in sshd_config has worked.
I can imagine a release update potentially changing a setting or a standard config being thrown in place by scripts and getting subverted by this change.
The Fix
To resolve this issue:
Edit /etc/ssh/sshd_config.d/50-cloud-init.conf:
sudo vi /etc/ssh/sshd_config.d/50-cloud-init.conf
Delete the line that allows password authentication, or add a # in front of it:
#PasswordAuthentication yes
Save the file.
Restart ssh:
sudo systemctl restart sshd
Retest and it should be fixed for you.
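Why the drop-in wins, as an added example that is not part of the original post: sshd keeps the first value it reads for each keyword, and Ubuntu's stock sshd_config pulls in /etc/ssh/sshd_config.d/*.conf through an Include line near the top. The function names first_setting and make_sample, the temporary sample tree and its relative Include path are assumptions made for this sketch; Match blocks and nested Include lines are not handled.

```shell
#!/bin/sh
# Added example. sshd keeps the FIRST value it reads for each keyword, and
# Include lines are expanded where they appear, so a drop-in included at the
# top of sshd_config beats a later line in sshd_config itself.
# Simplifications: no Match blocks, no nested Include, no "key=value" form.

# first_setting KEYWORD MAIN_CONFIG -> prints "file:line:value" of the winner
first_setting() {
    kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    main=$2
    base=$(dirname "$main")   # assumption: relative Include paths resolve here
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f          # split into words, no globbing yet
        key=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
        if [ "$key" = "$kw" ]; then
            printf '%s:%s:%s\n' "$main" "$n" "$2"; return 0
        elif [ "$key" = include ]; then
            shift
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$base/$pat ;; esac
                for f in $pat; do             # glob expands in lexical order
                    [ -f "$f" ] || continue
                    hit=$(awk -v kw="$kw" 'tolower($1) == kw { print FILENAME ":" FNR ":" $2; exit }' "$f")
                    if [ -n "$hit" ]; then printf '%s\n' "$hit"; return 0; fi
                done
            done
        fi
    done < "$main"
    return 1
}

# Constructed sample tree mirroring the layout described above (not a real host).
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*.conf' '' '# local hardening' \
        'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$d/sshd_config"
    printf '%s\n' 'PasswordAuthentication yes' > "$d/sshd_config.d/50-cloud-init.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample)
first_setting PasswordAuthentication "$sample/sshd_config"   # drop-in wins
first_setting PubkeyAuthentication "$sample/sshd_config"     # main file wins
rm -rf "$sample"
```

On a live host, sudo sshd -T | grep -i passwordauthentication prints the value sshd actually resolved, which is the quickest way to confirm the fix took effect.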