On different machines on AWS/EC2, I keep having sshd rules changed after rebooting the machines.

Original rule:

    Match Group sftpusers
            ChrootDirectory /data/sftp/%u
            ForceCommand internal-sftp
            PasswordAuthentication yes

Modified rule after reboot:

    Match Group sftpusers
    ChrootDirectory /data/sftp/%u
    ForceCommand internal-sftp
    PasswordAuthentication no

So basically, the users of this group cannot authenticate for an sftp connection, which is really annoying.

Note: PasswordAuthentication is set to No by default. I only allow it for this group of users.

Any idea?

Breathe

3 Answers

Check whether you have /etc/cloud/cloud.cfg or a similar file. I am not sure what it is called in CentOS. Look for the ssh_pwauth parameter.

If it is set to 0, it means password authentication will be disabled (through sshd_config). Set it to 1 and try.

helloV

If you are using the Amazon Linux ECS-optimized AMI, then you need to change /etc/cloud/cloud.cfg.d/00_defaults.cfg to ssh_pwauth: true.

By default it is ssh_pwauth: false, which makes PasswordAuthentication no after every reboot.

Jogendra Kumar

"Do not modify 00_defaults.cfg. It will be overwritten if cloud-init is upgraded." AWS has clear instructions not to modify this file.

Instead, you can add another file in the same directory and name it myconfigs.cfg. In that file you can add the following line.

    ssh_pwauth: true

This is a more permanent solution.

ryadavalli
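The following is an added example, not code from any of the answers above: a small audit that works out which `ssh_pwauth` value wins across `cloud.cfg` and `cloud.cfg.d/*.cfg` and lists the `PasswordAuthentication` lines that disagree with it. The function names and sample files are constructed for illustration. It assumes a plain top-level `ssh_pwauth:` line (no YAML parser, no user-data) and, as the question's before/after suggests, that cloud-init rewrites every `PasswordAuthentication` line, including those inside `Match` blocks.

```python
import re, tempfile
from pathlib import Path

TRUE, FALSE = {"true", "1", "yes", "on"}, {"false", "0", "no", "off"}
# Constructed sample modelled on the question: global "no", "yes" for the group.
SAMPLE_SSHD = """PasswordAuthentication no
Match Group sftpusers
        ChrootDirectory /data/sftp/%u
        ForceCommand internal-sftp
        PasswordAuthentication yes
"""

def effective_ssh_pwauth(cloud_dir):
    """Return (True/False/None, file name) for the ssh_pwauth value that wins."""
    # cloud.cfg is read first, then cloud.cfg.d/*.cfg in sorted order; later wins.
    files = [Path(cloud_dir) / "cloud.cfg", *sorted(Path(cloud_dir, "cloud.cfg.d").glob("*.cfg"))]
    value = source = None
    for f in filter(Path.is_file, files):
        for line in f.read_text().splitlines():
            m = re.match(r"ssh_pwauth\s*:\s*['\"]?([^'\"#\s]+)", line)
            if m:
                value, source = m.group(1).lower(), f.name
    # Any other value (for example "unchanged") leaves sshd_config alone.
    return (True if value in TRUE else False if value in FALSE else None), source

def password_auth_lines(sshd_text):
    """List (line number, scope, value) for every PasswordAuthentication line."""
    scope, found = "global", []
    for n, raw in enumerate(sshd_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "match":
            scope = "Match " + parts[1].strip()
        elif len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            found.append((n, scope, parts[1].strip().lower()))
    return found

def lines_at_risk(cloud_dir, sshd_text):
    """Lines whose value differs from what ssh_pwauth enforces (assumed: all are rewritten)."""
    want, _ = effective_ssh_pwauth(cloud_dir)
    target = {True: "yes", False: "no"}.get(want)
    return [l for l in password_auth_lines(sshd_text) if target and l[2] != target]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for /etc/cloud
        (Path(d) / "cloud.cfg.d").mkdir()
        (Path(d) / "cloud.cfg.d" / "00_defaults.cfg").write_text("ssh_pwauth: false\n")
        print("vendor default:", lines_at_risk(d, SAMPLE_SSHD))
        (Path(d) / "cloud.cfg.d" / "myconfigs.cfg").write_text("ssh_pwauth: true\n")
        print("with myconfigs.cfg:", lines_at_risk(d, SAMPLE_SSHD))
```

With `myconfigs.cfg` in place, the line flagged is the global `PasswordAuthentication no` rather than the one in the `Match` block, so under the stated assumption the global setting is the one to re-check after the next reboot.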