diff --git a/runbooks/proxmox-create-ubuntu-vm.md b/runbooks/proxmox-create-ubuntu-vm.md index c010862..51c3564 100644 --- a/runbooks/proxmox-create-ubuntu-vm.md +++ b/runbooks/proxmox-create-ubuntu-vm.md @@ -151,18 +151,25 @@ ssh zvx@$VM_IP 'sudo apt-get update && sudo apt-get install -y \ sudo' ``` -## Step 8 — SSH Keys +## Step 8 — Enable Password Authentication + +Ubuntu cloud images default to key-only SSH via a drop-in config. Enable password auth since all machines are behind VPN/local network. ```bash -# Copy authorized_keys from an existing node -scp root@data:/home/zvx/.ssh/authorized_keys /tmp/ak 2>/dev/null \ - || scp root@utility:/home/zvx/.ssh/authorized_keys /tmp/ak 2>/dev/null +# Fix the cloud-init drop-in that disables password auth +ssh zvx@$VM_IP 'echo "PasswordAuthentication yes" | sudo tee /etc/ssh/sshd_config.d/60-cloudimg-settings.conf' -scp /tmp/ak zvx@$VM_IP:~/.ssh/authorized_keys -ssh zvx@$VM_IP 'chmod 600 ~/.ssh/authorized_keys' -rm -f /tmp/ak +# Also set in main config for completeness +ssh zvx@$VM_IP 'sudo sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication yes/" /etc/ssh/sshd_config' +ssh zvx@$VM_IP 'sudo sed -i "s/^#*KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/" /etc/ssh/sshd_config' +ssh zvx@$VM_IP 'sudo systemctl restart ssh' + +# Change the default password immediately +ssh zvx@$VM_IP 'passwd' ``` +**Important:** Password authentication is the default for Echo6 infrastructure. All machines are protected by VPN (Headscale/Tailscale) and local network — key-only auth creates unnecessary friction for multi-machine access. + ## Step 9 — NVIDIA Drivers (if GPU passthrough) Skip if `INSTALL_NVIDIA=no`. 
@@ -261,7 +268,6 @@ docker exec headscale-standby headscale nodes list ## Post-Creation -1. Update `~/.claude/docs/infrastructure/environment.md` with the new VM's IP and Tailscale IP -2. Update `~/.claude/docs/infrastructure/services.md` once services are deployed +1. Update `/home/zvx/projects/.ref/docs/hardware/environment.md` with the new VM's IP and Tailscale IP +2. Update `/home/zvx/projects/.ref/docs/services/services.md` once services are deployed 3. Remove the cloud image ISO if disk space is tight: `ssh root@$PVE_HOST 'rm /var/lib/vz/template/iso/noble-server-cloudimg-amd64.img'` -4. Change the default password: `ssh zvx@$VM_IP 'passwd'`
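Review bot: In the Step 8 hunk, `sudo systemctl restart ssh` runs before `ssh zvx@$VM_IP 'passwd'`, so the VM accepts password logins while the account still has its default password. Change the password first, then enable `PasswordAuthentication` and restart. The `passwd` call is also made without `ssh -t`, so it gets no TTY for the interactive prompts; use `ssh -t zvx@$VM_IP 'passwd'`. Two smaller points: `sudo tee /etc/ssh/sshd_config.d/60-cloudimg-settings.conf` overwrites the whole drop-in rather than changing one setting, and nothing validates the config (`sudo sshd -t`) before the restart, so a bad edit can lock out the only documented access path. The hunk also drops the `authorized_keys` copy entirely; consider keeping key provisioning alongside password auth so that a forgotten or mistyped password does not leave the VM unreachable.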
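Review bot: In the Post-Creation hunk, the new paths `/home/zvx/projects/.ref/docs/hardware/environment.md` and `/home/zvx/projects/.ref/docs/services/services.md` hardcode one user's home directory, where the removed lines used `~`. Writing them as `~/projects/.ref/docs/...` keeps the runbook usable from other accounts. Removing item 4 (`ssh zvx@$VM_IP 'passwd'`) leaves the password change documented only in Step 8, so the runbook has no final check that the default password was actually replaced; a one-line reminder or verification step here would cover the case where Step 8's `passwd` was skipped or failed.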