On AWS I have managed to create an AMI with a modified Ubuntu 12.04 LTS amd64. I've added lots of packages and much of our own code and files. The cloud-init is still there, and I'm sure it should stay. However, it is undermining my automations by re-disabling root at run time, after I enabled it in the original volume that was used to create the snapshot for the AMI.
File /usr/share/pyshared/cloudinit/CloudConfig/cc_ssh.py appears to be connected to this. Since I am not experienced in Python coding, I have no idea what some of the functions it calls are, so I cannot really see what all this script is doing.
I could just add some init script of my own to run afterwards, somewhere, to just undo that and re-enable root. Is there a way, standardized or sanctioned by cloud-init, to set a flag to indicate that disabling root login should not be done? Or should I just roll my own solution (a later init script to put back my own /root/.ssh/authorized_keys file)?
I also see that this script is removing old host keys and regenerating new ones. That is something I'd like to keep (therefore I will not need to do this myself).
I also have the SSH listening port number changed to a number other than 22 (and security group set to allow access to that port only from my own IPs). That much did not get changed. This is good.
The code seems to check a disable_root boolean configuration value, so I'm guessing that you need to set this in /etc/cloud/cloud.cfg:

There are 2 settings that relate to SSH in /etc/cloud/cloud.cfg. One blocks SSH login as root and the other blocks SSH login using a password. By default the cloud.cfg will block both direct login as root and all SSH password-based auth. These are the defaults:
1 for disable root turns on disabling root login, and the 0 for ssh pwauth turns OFF being able to SSH in using a password. So if you WANT to be able to log in as root AND do it with a password, these are the required settings:
Keep in mind that setting ssh_pwauth to 1 allows password-based auth globally, NOT just for root.
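
The two settings discussed in the answers above, as an added example that is not part of the original posts: a small check that reads the `disable_root` and `ssh_pwauth` values from cloud.cfg text and reports the resulting SSH exposure. The function names, the finding labels, the sample configs and the accepted true/false spellings are assumptions of this example, and it only reads top-level `key: value` lines rather than parsing full YAML.

```python
import re

# Spellings treated as true/false here (assumption of this example).
TRUE = {"1", "true", "yes", "on"}
FALSE = {"0", "false", "no", "off"}


def read_flag(cfg_text, key):
    """Return True/False for a top-level 'key: value' line, None if absent or unrecognised."""
    m = re.search(rf"^{re.escape(key)}\s*:\s*([^#\n]*)", cfg_text, re.MULTILINE)
    if not m:
        return None
    val = m.group(1).strip().strip("'\"").lower()
    if val in TRUE:
        return True
    if val in FALSE:
        return False
    return None


def ssh_posture(cfg_text):
    """List the ways a cloud.cfg departs from 'no root login, no password auth'."""
    findings = []
    if read_flag(cfg_text, "disable_root") is False:
        # cloud-init will leave root's authorized_keys usable.
        findings.append("root-login-kept")
    if read_flag(cfg_text, "ssh_pwauth") is True:
        # Password auth is switched on for every account, not only root.
        findings.append("password-auth-global")
    return findings


# Constructed sample configs (not taken from a real image).
DEFAULTS = "disable_root: 1\nssh_pwauth: 0\n"
ROOT_KEY_ONLY = "disable_root: 0   # keep root's keys\nssh_pwauth: 0\n"
ROOT_WITH_PASSWORD = "disable_root: 0\nssh_pwauth: 1\n"

if __name__ == "__main__":
    for name, cfg in [("defaults", DEFAULTS),
                      ("root via key only", ROOT_KEY_ONLY),
                      ("root with password", ROOT_WITH_PASSWORD)]:
        print(f"{name}: {ssh_posture(cfg) or 'locked down'}")
```

For the question's case (root login with the image's own authorized_keys, no passwords), only `disable_root` needs to change; `ssh_pwauth` can stay at 0.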