[SOLVED] SSH with password in Vm created from Cloud-init

[muzammal]

I created an Ubuntu 24 CloudInit template and deployed multiple VMs from it. Everything is working fine, except for one issue: SSH with password authentication.


I tried editing the sshd_config file to allow password-based login by making the following changes:

• Set PasswordAuthentication yes

Despite these changes, I’m still unable to SSH into the VM using a password. The only way I can access the VM is by adding my SSH keys to the CloudInit section of the VM and regenerating the image.


Does anyone know why the password login is still not working even after modifying the sshd_config?

 

[bl1mp]

Hi muzammal,

did you restart the sshd.service to reread the config (or restart the VM afterwards) ?

BR, Lucas

 

[muzammal]

Hello, thanks for replying.
1. There was no sshd.service.
2. There is only an ssh service. After changing the file, I restarted both the ssh service and the VM.
3. I also tried setting the user password again, but it still doesn't work.

I'm using Cloudinit with Ubuntu 24, if that helps.

 

[bbgeek17]

Hi @muzammal , welcome to the forum.

Keeping in mind that your question is not PVE specific, are you using PVE built-in CI config? Custom config?
Are you changing the file manually after logging in with a key?
Are you able to login with password from the console? (qm terminal [vmid] )

In Ubuntu the SSH server service is called "ssh.service".
After you think you have applied the setting (manually?) and restarted the service, have you checked the running configuration of SSHD?

sshd -T|egrep -i pass
permitrootlogin without-password
kerberosorlocalpasswd yes
passwordauthentication no
permitemptypasswords no

I tried editing the sshd_config file to allow password-based login by making the following changes:

• Set PasswordAuthentication yes

You need to provide an exact line you changed. If you entered the line as shown above, that is an invalid syntax.

Also, keep in mind that Cloud Images may have primary configuration file:/etc/ssh/sshd_config
And secondary configuration file, that overwrites the primary: /etc/ssh/sshd_config.d/60-cloudimg-settings.conf

For example, in our image there is only one line that is custom:

cat /etc/ssh/sshd_config.d/60-cloudimg-settings.conf
PasswordAuthentication no

the drop-in files in /etc/ssh/sshd_config.d/ are applied in lexical (numeric/alphabetical) order after the main /etc/ssh/sshd_config. So you may want to add 99- file to overwrite the cloudimg one.


All that said, if you are using CUSTOM cloudinit, why not use native approach :
https://cloudinit.readthedocs.io/en/latest/reference/modules.html#set-passwords

Cheers

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[muzammal]

Hey, thanks for the response! First off, I’m new to PVE and also to this forum, so apologies if I’m a bit lost.

1. I realized it’s not fully PVE-related, but I wasn’t sure where else to ask. I’m using a snippet config file and assigning it to the VM before starting it. Some settings get applied, but others don’t, and when I try to log in, it says the password is wrong. Not sure if I messed up the password hashing.
2. Yeah, I did change the file manually after logging in with the key, but even after that, I still can’t use the password to log in.
3. I haven’t tried using the console yet—I’ve been using noVNC. I logged in with the username and password, but I’ll try the QM terminal stuff and let you know how that goes.
4. I was messing around with cloud-init, so I deleted the VM to spin up a new one and will update you after running that command.
5. The line isn’t exactly the same as before, but this is what I changed.

#PasswordAuthentication yes
          to
          PasswordAuthentication yes

6.

cat /etc/ssh/sshd_config.d/60-cloudimg-settings.conf

How do I add this file to my template? I’m not sure how to edit the official Ubuntu cloud-init VM and add my customizations. Also, you mentioned "OUR IMAGE." Does Proxmox provide cloud-init VMs for Ubuntu and other distros, or did I misunderstand something?
7. It’s the official Ubuntu Cloud-Init image (Ubuntu 24), hope that helps.
So, from what I’ve gathered, I understood two things:

1. I can use the official Cloud-Init image and just add my override files to apply my changes.
2. Or, I can use custom images.

And my goal is pretty simple: I want to create a Cloud-Init template, then clone it to create VMs that will allow me to use my public IP (which I can assign using the Cloud-Init section in the VM settings) to SSH into them (without relying on keys). That’s all I need, no extra customization beyond that.
Best regards,
Muzammal

 

[bbgeek17]

I’m using a snippet config file and assigning it to the VM before starting it.

So you are using what is called "Custom CloudInit" in PVE terminology.

Some settings get applied, but others don’t, and when I try to log in, it says the password is wrong.

Creation, processing and troubleshooting of Custom CI files is completely outside of PVE purview. You need to get access to the VM and review CI logs for more information. Generally, just keep experimenting with it.

Yeah, I did change the file manually after logging in with the key, but even after that, I still can’t use the password to log in.

Most likely due to the changed setting in Primary config file being overwritten by secondary config, as describe in my prior reply. I've also given you a command to find out what SSHD thinks about it's current/live configuration - its a great way to troubleshoot things.

I haven’t tried using the console yet—I’ve been using noVNC. I logged in with the username and password, but I’ll try the QM terminal stuff and let you know how that goes.

Its the same thing.

How do I add this file to my template?

It is already there. Its part of the official Image.

I’m not sure how to edit the official Ubuntu cloud-init VM and add my customizations.

You don't edit official image (you could but you shouldn't). Apply customization via your Snippet file.

Also, you mentioned "OUR IMAGE." Does Proxmox provide cloud-init VMs for Ubuntu and other distros, or did I misunderstand something?

I do not work for Proxmox GmbH. "Our" as in something we use internally in our company. You can disregard that statement, we mostly use official images. And, no, Proxmox does not provide custom VM OS images.

So, from what I’ve gathered, I understood two things:

1. I can use the official Cloud-Init image and just add my override files to apply my changes.
2. Or, I can use custom images.

Use official image and apply a CI snippet that enables the functionality you need. I've given you the link to the required keywords in prior reply.

And my goal is pretty simple: I want to create a Cloud-Init template, then clone it to create VMs that will allow me to use my public IP (which I can assign using the Cloud-Init section in the VM settings) to SSH into them (without relying on keys). That’s all I need, no extra customization beyond that.

I would highly recommend not placing your VMs on public Internet with username and password, or until you get more familiar with Linux and its processes. SSH Key authetication is more secure. It is preferred by all the major Distros, as evident by the fact that they proactively disable password based authentication.

Cheers

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[muzammal]

Hey thanks again for your reply and i found another tutorial and it works i can use password to access my vms now.

I would highly recommend not placing your VMs on public Internet with username and password, or until you get more familiar with Linux and its processes. SSH Key authetication is more secure. It is preferred by all the major Distros, as evident by the fact that they proactively disable password based authentication.

Don't worry, I've set up UFW and Fail2Ban, and I think that's good enough. To make it extra secure, I also add keys, and I mostly use passwords only when I'm not on my main machine, so yeah, it's secure enough for me.