I accidentally attempted to SSH into one of my servers from a device that did not contain my ssh key. I configure all of my servers to only allow authentication via cryptographic keys. Root ssh as well as password auth are disabled.
To my surprise, I was able to log in to my server with a password despite this. Baffled, I first tried some other servers. 2 of the 5 other servers I tried were accessabke via password.
After some swift investigation the culprit was found, a cloud-init ssh config in sshd_config.d/ with one line: password_authentication Yes.
So TLDR PSA…if you run a server in any type of virtualized environment, including a VPS, check your /etc/ssh/sshd_config.d/ folder. And more broadly, actually thoroughly test your ssh access to confirm everything is working as you intend it to.
Yeah that sounds pretty bad. Is there a quick way to disable ssh keys to test?
Show your effective sshd server config:
sudo sshd -T
/etc/ssh/ssh.d/
You mean
/etc/ssh/sshd_config.d
?Fixed it. Thanks