It looks like this is partially a documentation issue and partially a missing feature. The disable_root key really only applies to other keys specified in cloud-init's SSH module. Since the keys specified by that module get added to both the default user and root, setting disable_root to True will add something like the following to the key in /root/.ssh/authorized_keys: no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10;exit 142".
I'll update the documentation to reflect that, but setting PermitRootLogin no in the ssh config isn't something that cloud-init currently does.
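The comment above means a root key that cloud-init did not write keeps working unless sshd itself refuses root. The following check is an added example, not part of the thread or of cloud-init: it flags root keys without the forced `command=` option and reads the `PermitRootLogin` value from config text. The function names, sample keys and drop-in contents are constructed for illustration.

```python
import re

# [options] keytype base64-blob [comment]; option values may be quoted and contain \" escapes.
LINE_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+)?'
    r'(?P<type>(?:ssh-|ecdsa-sha2-|sk-)\S+)\s+(?P<blob>\S+)(?:\s+(?P<comment>.*))?$')

def unrestricted_root_keys(authorized_keys_text):
    """Labels of keys lacking the forced command= option that disable_root adds."""
    found = []
    for line in map(str.strip, authorized_keys_text.splitlines()):
        m = None if line.startswith("#") else LINE_RE.match(line)
        if m and not re.search(r'(?:^|,)command="', m["opts"] or "", re.I):
            found.append(m["comment"] or m["type"])
    return found

def permit_root_login(config_texts):
    """sshd keeps the first value it reads; the OpenSSH default is prohibit-password.
    Simplification: Match blocks are skipped rather than evaluated."""
    for text in config_texts:  # pass files in the order sshd reads them
        for line in text.splitlines():
            parts = line.split("#", 1)[0].split()
            if parts and parts[0].lower() == "match":
                break
            if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
                return parts[1].lower()
    return "prohibit-password"

def root_key_login_possible(authorized_keys_text, config_texts):
    """True when sshd would accept at least one root key without a forced command."""
    setting = permit_root_login(config_texts)
    keys = unrestricted_root_keys(authorized_keys_text)
    return setting not in ("no", "forced-commands-only") and bool(keys)

# Constructed sample data (key blobs are placeholders, not real keys).
ROOT_KEYS = (
    'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo \'Please login as '
    'the user \\"ubuntu\\" rather than the user \\"root\\".\';echo;sleep 10;exit 142" '
    'ssh-ed25519 AAAAPLACEHOLDER1 key-from-cloud-init\n'
    'ssh-ed25519 AAAAPLACEHOLDER2 key-baked-into-image\n')
DROPIN_AS_REPORTED = "PasswordAuthentication no\n"
DROPIN_HARDENED = "PasswordAuthentication no\nPermitRootLogin no\n"
MAIN_CONFIG = "Include /etc/ssh/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\n"

if __name__ == "__main__":
    for name, dropin in (("as reported", DROPIN_AS_REPORTED), ("hardened", DROPIN_HARDENED)):
        print(name, root_key_login_possible(ROOT_KEYS, [dropin, MAIN_CONFIG]))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source for the `PermitRootLogin` value.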
Bug report
I created a packer image for Debian 12 with key-based ssh root access for provisioning tasks during the build process.
When creating an instance from this image with Terraform, I want to disable ssh login for the root user and lock the password.
The documentation states:
Therefore I apply the below user_data config in Terraform.
I can see that cloud-init is run, the file /etc/ssh/sshd_config.d/50-cloud-init.conf is created and disables ssh password auth:
But root login using the packer ssh key is still possible. 'PermitRootLogin no' is missing.
Steps to reproduce the problem
Environment details
cloud-init logs
cloud-init.tar.gz