Persistent Password SSH on AWS AMIs
February 14, 2017
If you use AWS EC2, you’re definitely familiar with the concept of using a key pair for SSH authentication. Recently, I had a use case that required password SSH login. I set PasswordAuthentication yes in /etc/ssh/sshd_config and created an AMI, but was surprised to discover that PasswordAuthentication no quickly reappeared in my sshd_config when launching an image from the AMI.
I spent some time troubleshooting this (more than I care to admit, to be honest), and eventually found that most AMIs use cloud-init to accomplish their provisioning steps. It turns out that there’s a module in the cloud-init configuration that specifies SSH password authentication. The default behavior of many AMIs is to set this value to “no.”
The default behavior can be easily changed by editing the cloud-init configuration at /etc/cloud/cloud.cfg and setting the ssh_pwauth config key to true. It will probably appear as ssh_pwauth no or ssh_pwauth 0 by default in the cloud.cfg.
Once this parameter has been changed in the cloud-init configuration, you can create an AMI that will have SSH password login enabled upon launch. Of course, this should only be done in niche use cases. You typically want to be using key-based login whenever possible.
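A check to run before baking the AMI, as an added example that is not from the original post: it reads a cloud.cfg and an sshd_config and reports which PasswordAuthentication value sshd ends up with once cloud-init has run. The function names and sample files are constructed here. It assumes a top-level ssh_pwauth key, treats an unset or "unchanged" ssh_pwauth as leaving sshd_config alone, and ignores drop-ins under /etc/cloud/cloud.cfg.d and sshd Match blocks.

```shell
#!/bin/sh
# Added example: predict sshd's PasswordAuthentication after cloud-init's first boot.
# Usage: effective_pwauth /etc/cloud/cloud.cfg /etc/ssh/sshd_config

# Print the normalised ssh_pwauth value from a cloud.cfg: true, false or unchanged.
cloud_pwauth() {
    # Take the last top-level ssh_pwauth key; strip trailing comments, quotes, whitespace.
    val=$(sed -n 's/^ssh_pwauth[[:space:]:]\{1,\}\([^#]*\).*$/\1/p' "$1" \
          | tail -n 1 | tr -d "\"' \t" | tr 'A-Z' 'a-z')
    case "$val" in
        true|yes|on|1)  echo true ;;
        false|no|off|0) echo false ;;
        *)              echo unchanged ;;  # key unset or "unchanged"
    esac
}

# Print yes/no from an sshd_config. sshd keeps the first value it reads for a
# keyword and defaults to yes when the keyword is absent. Commented lines do not match.
sshd_pwauth() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    echo "${val:-yes}"
}

# Combine both: cloud-init rewrites sshd_config only when ssh_pwauth is true or false.
effective_pwauth() {
    case "$(cloud_pwauth "$1")" in
        true)  echo yes ;;
        false) echo no ;;
        *)     sshd_pwauth "$2" ;;
    esac
}

# Constructed sample reproducing the post's case: passwords are enabled in the
# image's sshd_config, but cloud.cfg still carries the AMI default.
tmp=$(mktemp -d)
printf 'PasswordAuthentication yes\n' > "$tmp/sshd_config"
printf 'ssh_pwauth: false\n' > "$tmp/cloud.cfg"
echo "after first boot: PasswordAuthentication $(effective_pwauth "$tmp/cloud.cfg" "$tmp/sshd_config")"
rm -rf "$tmp"
```

Run against the real files on the instance you are about to image, the same check flags AMIs where password login would be switched on at launch without anyone intending it.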
Hopefully this saves someone a few minutes of troubleshooting and needlessly launching new instances!