SSH: Permission Denied after clone of template - Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

Hey everyone! I’m having an issue where, after I clone a template in Proxmox of Rocky v9.4 VM, I can no longer SSH into the machine using a password. I could before I turned it into a template, but I suspect I messed something up by turning it into a template. Here’s some extra information because the VM had been customized before turning it into a Proxmox template:

Background
OS: RockyLinux 9.4 with the CIS Benchmark Server 1 security policy enabled (this also means the partitions are slightly different than default)
Installed & Configured: Fail2Ban, firewalld, cloud-init

What I’ve tried

  • Every combination of /etc/ssh/sshd_config that I can think of
  • Disabling fail2ban & firewalld, but neither of them were putting anything in their logs about blocking my IP since my subnet is set within fail2ban’s ignoreip setting
  • Making sure that my user had 700-level permissions on /root/.ssh & /home/user1/.ssh
  • SSHing from a separate machine on the same trusted subnet

SSH -v Output from workstation (more available upon request)

Authorized uses only. All activity may be monitored and reported.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /Users/user1/.ssh/id_rsa 
debug1: Will attempt key: /Users/user1/.ssh/id_ecdsa 
debug1: Will attempt key: /Users/user1/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /Users/user1/.ssh/id_ed25519 ED25519 SHA256: ~publickey~
debug1: Will attempt key: /Users/user1/.ssh/id_ed25519_sk 
debug1: Will attempt key: /Users/user1/.ssh/id_xmss 
debug1: Will attempt key: /Users/user1/.ssh/id_dsa 
debug1: Trying private key: /Users/user1/.ssh/id_rsa
debug1: Trying private key: /Users/user1/.ssh/id_ecdsa
debug1: Trying private key: /Users/user1/.ssh/id_ecdsa_sk
debug1: Offering public key: /Users/user1/.ssh/id_ed25519 ED25519 SHA256: ~publickey~
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /Users/user1/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/user1/.ssh/id_xmss
debug1: Trying private key: /Users/user1/.ssh/id_dsa
debug1: No more authentication methods to try.
user1@xxx.xxx.xxx.xxx: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Something to note: I did what I do for my Ubuntu templates where I delete all SSH hostkeys, remove the machine-id, apt/dnf clean, autoremove, and cloud-init clean. This doesn’t happen with the Ubuntu templates, but I’ve also never used the CIS Server 1 policies so it could be that causing issues.

Looks like you have ‘PasswordAuthentication’ set to ‘no’ ?

There are extra sshd config settings in /etc/ssh/sshd_config.d/ - is there anything in there that could be causing this issue ?

1 Like

James,

Sorry for the late reply, I’ve been out of town. You were actually spot on! The file 50-cloud-init.conf within /etc/ssh/sshd_config.d has one single line that disabled password authentication. It seems like I have much to learn about cloud-init still. Thanks for the help!