Observation
I noticed on both my servers, after upgrading to v68, that the daily status checks again reported "The SSH server on this machine permits password-based login…" despite PasswordAuthentication no being set in /etc/ssh/sshd_config. I expected to find my /etc/ssh/sshd_config files overwritten by an upgrade, but upon inspection I found they were exactly as I left them.
Problem
The instructions given in the status check text as “…set the option ‘PasswordAuthentication no’ in /etc/ssh/sshd_config…” are slightly misleading on some Linux distributions.
Explanation
Some time ago the openssh project had implemented what their contributors thought was a more convenient way to change sshd configuration settings by adding a wildcard include statement in the file, which brought in all *.conf files from the /etc/ssh/sshd_config.d/ directory with higher precedence. That was never a problem until, through a series of unfortunate events, the openssh package came to include a file called 50-cloud-init.conf into that directory in which PasswordAuthentication yes was set.
Solution
Although technically the value of PasswordAuthentication is still set in /etc/ssh/sshd_config, the instructions on how to change the effective value should be updated to make unsuspecting users aware of the fact that in some cases the value in /etc/ssh/sshd_config itself is getting overridden by include files, typically .conf files from the /etc/ssh/sshd_config.d/ directory.
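
Added example, not part of the original post or of the project's status check: a shell sketch that lists every PasswordAuthentication line under a config root and reports which one takes effect. It assumes the Include line for sshd_config.d/*.conf sits at the top of sshd_config and that sshd keeps the first value it reads for a keyword; the function names and the sample tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Assumptions: drop-ins in sshd_config.d/ are read before the rest of
# sshd_config (Include at the top of the file), sshd keeps the first value
# obtained for a keyword, and Match blocks are not evaluated here.

# Print "file:line:value" for each active PasswordAuthentication line,
# in the order the files are read (drop-ins in lexical order, then main file).
list_password_auth() {
    local root="$1" f
    for f in "$root"/sshd_config.d/*.conf "$root/sshd_config"; do
        [ -f "$f" ] || continue          # skips an unmatched glob too
        awk -F '[ \t=]+' -v file="$f" '
            { sub(/^[ \t]+/, "") }       # tolerate indented lines
            tolower($1) == "passwordauthentication" {
                print file ":" NR ":" tolower($2)
            }' "$f"
    done
}

# The first entry in read order wins; with no entry at all, sshd's
# built-in default for PasswordAuthentication is "yes".
effective_password_auth() {
    local first
    first="$(list_password_auth "$1" | head -n 1)"
    if [ -z "$first" ]; then echo "yes"; else echo "${first##*:}"; fi
}

# Constructed sample tree mirroring the situation described in the post.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/sshd_config.d"
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
    '#PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$demo_root/sshd_config"
printf '%s\n' 'PasswordAuthentication yes' \
    > "$demo_root/sshd_config.d/50-cloud-init.conf"

list_password_auth "$demo_root"
echo "effective: $(effective_password_auth "$demo_root")"
```

On a live host, point the functions at /etc/ssh and confirm the result against `sshd -T`, which prints the configuration the daemon actually resolves.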