Fix SSH password auth for Ubuntu cloud VMs

- Add step to fix cloud-init drop-in file that disables password auth - Update doc paths in Post-Creation section - Password auth is default for Echo6 (all machines behind VPN) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 00:14:09 +01:00 · 2026-02-07 00:14:09 +01:00 · 89834796ff
commit 89834796ff
parent 880ff09c90
1 changed files with 16 additions and 10 deletions
--- a/runbooks/proxmox-create-ubuntu-vm.md
+++ b/runbooks/proxmox-create-ubuntu-vm.md
@ -151,18 +151,25 @@ ssh zvx@$VM_IP 'sudo apt-get update && sudo apt-get install -y \
  sudo'
 ```

-## Step 8 — SSH Keys
+## Step 8 — Enable Password Authentication
+
+Ubuntu cloud images default to key-only SSH via a drop-in config. Enable password auth since all machines are behind VPN/local network.

 ```bash
-# Copy authorized_keys from an existing node
-scp root@data:/home/zvx/.ssh/authorized_keys /tmp/ak 2>/dev/null \
-  || scp root@utility:/home/zvx/.ssh/authorized_keys /tmp/ak 2>/dev/null
+# Fix the cloud-init drop-in that disables password auth
+ssh zvx@$VM_IP 'echo "PasswordAuthentication yes" | sudo tee /etc/ssh/sshd_config.d/60-cloudimg-settings.conf'

-scp /tmp/ak zvx@$VM_IP:~/.ssh/authorized_keys
-ssh zvx@$VM_IP 'chmod 600 ~/.ssh/authorized_keys'
-rm -f /tmp/ak
+# Also set in main config for completeness
+ssh zvx@$VM_IP 'sudo sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication yes/" /etc/ssh/sshd_config'
+ssh zvx@$VM_IP 'sudo sed -i "s/^#*KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" /etc/ssh/sshd_config'
+ssh zvx@$VM_IP 'sudo systemctl restart ssh'
+
+# Change the default password immediately
+ssh zvx@$VM_IP 'passwd'
 ```

+**Important:** Password authentication is the default for Echo6 infrastructure. All machines are protected by VPN (Headscale/Tailscale) and local network — key-only auth creates unnecessary friction for multi-machine access.
+
 ## Step 9 — NVIDIA Drivers (if GPU passthrough)

 Skip if `INSTALL_NVIDIA=no`.
@ -261,7 +268,6 @@ docker exec headscale-standby headscale nodes list

 ## Post-Creation

-1. Update `~/.claude/docs/infrastructure/environment.md` with the new VM's IP and Tailscale IP
-2. Update `~/.claude/docs/infrastructure/services.md` once services are deployed
+1. Update `/home/zvx/projects/.ref/docs/hardware/environment.md` with the new VM's IP and Tailscale IP
+2. Update `/home/zvx/projects/.ref/docs/services/services.md` once services are deployed
 3. Remove the cloud image ISO if disk space is tight: `ssh root@$PVE_HOST 'rm /var/lib/vz/template/iso/noble-server-cloudimg-amd64.img'`
-4. Change the default password: `ssh zvx@$VM_IP 'passwd'`