Persistent Password SSH on AWS AMIs

February 14, 2017


If you use AWS EC2, you’re definitely familiar with the concept of using a key pair for SSH authentication. Recently, I had a use case that required password SSH login. I set PasswordAuthentication yes in /etc/ssh/sshd_config and created an AMI, but was surprised to discover that PasswordAuthentication no quickly reappeared in my sshd_config when launching an image from the AMI.

I spent some time troubleshooting this (more than I care to admit, to be honest), and eventually found that most AMIs use cloud-init to accomplish their provisioning steps. It turns out that there’s a module in the cloud-init configuration that specifies SSH password authentication. The default behavior of many AMIs is to set this value to “no.”

The default behavior can be easily changed by modifying the cloud-init script at /etc/cloud/cloud.cfg and setting the ssh_pwauth config key to 1 or true. It will probably appear as ssh_pwauth no or ssh_pwauth 0 by default in the cloud.cfg

Once this paramater has been changed in the cloud-init script, you can create an AMI that will have SSH password login enabled upon launch. Of course, this should only be done in niche uses cases. You typically want to be using key-based login whenever possible.

Hopefully this saves someone a few minutes of troubleshooting and needlessly launching new instances!