If this is getting documented, then I’ll clarify my problem and resolution for 
you. Hopefully this helps someone else!

My SSH config already resembled the below, and it was already impossible for 
users to log in via SSH without a key (e.g. no logging in via SSH with a 
password). However, my problem was that users could not log into the console 
with their password either, and I needed to enable that.

I found out what caused the above. My cloud-config file was creating a user 
with the password set, and the encrypted string was incorrect. However, part of 
my system provisioning process was to run `sudo passwd <username>` for that 
user, thus resetting the password. Unfortunately, immediately after running 
that command, I was shutting down the system, so that, on the next boot, the 
password was reset to the original value anyway.

I corrected this by removing the user from the cloud-config entirely, and then 
adding the user on the command-line, rather than merely setting the password on 
the command-line.

> On Jan 17, 2017, at 2:00 PM, Brandon Philips <[email protected]> 
> wrote:
> 
> It would be great if someone could contribute a doc for this :) 
> https://github.com/coreos/docs
> 
> 
> On Fri, Jan 6, 2017 at 2:51 PM Alex Crawford <[email protected]> wrote:
> On 12/30, Grant Ellis wrote:
> > I need to enable password login directly from the console, but only key
> > login via SSH. Unfortunately, for my purposes, the autologin feature will
> > not work because a password is required. That is, I need to provision
> > CoreOS so that users can log in via SSH using a keypair (but not a
> > password), and can also log in from the physical console using a password.
> 
> This can be done by setting ChallengeResponseAuthentication and
> PasswordAuthentication to 'no'.
> 
> You can replace /etc/ssh/sshd_config (a symlink to
> /usr/share/ssh/sshd_config) with a file containing the following:
> 
>     Include /usr/share/ssh/sshd_config
> 
>     PasswordAuthentication no
>     ChallengeResponseAuthentication no
> 
> This will amend the default config in /usr/share/ssh/sshd_config and
> disable password auth for SSH only.
> 
> -Alex
