feat: configure disable ssh password field (backport #1234) #1239

Merged
martindekov merged 1 commit into v1.8 from mergify/bp/v1.8/pr-1234
Mar 10, 2026

@mergify mergify bot commented Mar 10, 2026

Configuring password authentication field during installation process which is now part of merged general purpose panel "Optional: configure SSH" so users can enable/disable this as well per the documentation.

In documentation we suggest configuring the now deprecated:

challengeresponseauthentication

which is replaced with:

kbdinteractiveauthentication

so configuring that parameter instead, as the OpenSSH version on the node is 10.0. The other configuration is as suggested in the documentation.

Problem:

We can configure ssh based password authentication post install and we have it in docs only

Solution:

Enable/Disable it during installation before first boot

Related Issue(s):

harvester/harvester#8548

Test plan:

Go through installation panels and test four possibilities of the now merged "Optional: configure SSH" panel:

  • When no SSH key is configured (Scenario 1):
    • ssh on the node with password should be enabled by default
    • no config files to disable it should be present on the node
  • When SSH key is configured (Scenario 2):
    • disabling SSH through password should be configurable and by default enabled so ssh through it should be enabled as well
    • no config files to disable it should be present on the node
  • When SSH key is configured (Scenario 3):
    • disabling SSH through password should be configurable so ssh with password should be rejected
    • when setting it to Disabled config file disabling password authentication should be present on the host
  • When SSH key is configured then navigating back and deleting it (Scenario 4):
    • config should be the same as in Scenario 3 (e.g. no ability to disable both ssh through pass and key, if key missing by default password auth is enabled)

Note: every time you go back to a panel you configure all its variables; the config does not keep state. So if you delete the SSH URL field, for example, while on the panel, you won't be able to select enable/disable password auth, so by default it would be Scenario 1.

Scenario 1

[image]

Config:

[image]

```
mdekov@localhost:~> ssh rancher@192.168.122.135
The authenticity of host '192.168.122.135 (192.168.122.135)' can't be established.
ED25519 key fingerprint is: SHA256:hJN9/oUxh0EaPVUlutPrDBFza8uB0EK2ZJ/NcU3UhtE
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.135' (ED25519) to the list of known hosts.
(rancher@192.168.122.135) Password: 
Have a lot of fun...
rancher@node-1:~> sudo sshd -T | grep -E 'passwordauthentication|kbdinteractive|usepam'
usepam yes
passwordauthentication yes
kbdinteractiveauthentication yes
rancher@node-1:~> cat /etc/ssh/sshd_config.d/99-disable-password-auth.conf 
cat: /etc/ssh/sshd_config.d/99-disable-password-auth.conf: No such file or directory
rancher@node-1:~> ssh -V
OpenSSH_10.0p2, OpenSSL 3.5.0 8 Apr 2025
```

Scenario 2

[image]

Config:

[image]

```
mdekov@localhost:~> ssh rancher@192.168.122.246
The authenticity of host '192.168.122.246 (192.168.122.246)' can't be established.
ED25519 key fingerprint is: SHA256:vWQ8C7muHq1NdyfOGKjSzsQgJaMKFVywEYM5RD/dxxg
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.246' (ED25519) to the list of known hosts.
Have a lot of fun...
rancher@node-1:~> exit
logout
Connection to 192.168.122.246 closed.
mdekov@localhost:~> ssh -o PreferredAuthentications=password rancher@192.168.122.246
rancher@192.168.122.246's password: 
Have a lot of fun...
rancher@node-1:~> sudo sshd -T | grep -E 'passwordauthentication|kbdinteractive|usepam'
usepam yes
passwordauthentication yes
kbdinteractiveauthentication yes
rancher@node-1:~> cat /etc/ssh/sshd_config.d/99-disable-password-auth.conf 
cat: /etc/ssh/sshd_config.d/99-disable-password-auth.conf: No such file or directory
rancher@node-1:~> ssh -V
OpenSSH_10.0p2, OpenSSL 3.5.0 8 Apr 2025
```

Scenario 3

[image]

Config:

[image]

```
mdekov@localhost:~> ssh rancher@192.168.122.174
The authenticity of host '192.168.122.174 (192.168.122.174)' can't be established.
ED25519 key fingerprint is: SHA256:UcYiw/giUnu5jPLa5qUn8lUHj85C5+BDj6jMYHZ8uu4
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.174' (ED25519) to the list of known hosts.
rancher@node-1:~> exit
logout
Connection to 192.168.122.174 closed.
mdekov@localhost:~> ssh -o PreferredAuthentications=password rancher@192.168.122.246
ssh: connect to host 192.168.122.246 port 22: No route to host
mdekov@localhost:~> ssh rancher@192.168.122.174
rancher@node-1:~> sudo sshd -T | grep -E 'passwordauthentication|kbdinteractive|usepam'
usepam no
passwordauthentication no
kbdinteractiveauthentication no
rancher@node-1:~> cat /etc/ssh/sshd_config.d/99-disable-password-auth.conf 
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
rancher@node-1:~> ssh -V
OpenSSH_10.0p2, OpenSSL 3.5.0 8 Apr 2025
```

Scenario 4

[image]

Config:

[image]

```
mdekov@localhost:~> ssh rancher@192.168.122.174
The authenticity of host '192.168.122.174 (192.168.122.174)' can't be established.
ED25519 key fingerprint is: SHA256:UcYiw/giUnu5jPLa5qUn8lUHj85C5+BDj6jMYHZ8uu4
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.174' (ED25519) to the list of known hosts.
rancher@node-1:~> exit
logout
Connection to 192.168.122.174 closed.
mdekov@localhost:~> ssh -o PreferredAuthentications=password rancher@192.168.122.246
ssh: connect to host 192.168.122.246 port 22: No route to host
mdekov@localhost:~> ssh rancher@192.168.122.174
rancher@node-1:~> sudo sshd -T | grep -E 'passwordauthentication|kbdinteractive|usepam'
usepam no
passwordauthentication no
kbdinteractiveauthentication no
rancher@node-1:~> cat /etc/ssh/sshd_config.d/99-disable-password-auth.conf 
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
rancher@node-1:~> ssh -V
OpenSSH_10.0p2, OpenSSL 3.5.0 8 Apr 2025
```

Additional documentation or context

N/A


This is an automatic backport of pull request #1234 done by Mergify.
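
The check the test plan performs by hand with `sshd -T` and `cat`, written as a script. This is an added example, not code from this pull request or the installer; the function names and the third sample input are constructed for illustration, and the fallback to the deprecated keyword is an assumption.

```shell
#!/bin/sh
# Added example, not code from the pull request.
# Function names and OVERRIDDEN_DUMP are constructed for illustration.

# Print the value of one keyword from `sshd -T` output read on stdin.
effective_value() {
    awk -v key="$1" 'tolower($1) == key { print tolower($2); exit }'
}

# password_login_state DUMP DROPIN_PRESENT
#   DUMP            text printed by `sshd -T`
#   DROPIN_PRESENT  "yes" if 99-disable-password-auth.conf exists on the node
# Prints: disabled | enabled | overridden
password_login_state() (
    dump=$1
    dropin=${2:-no}
    pw=$(printf '%s\n' "$dump" | effective_value passwordauthentication)
    kbd=$(printf '%s\n' "$dump" | effective_value kbdinteractiveauthentication)
    # Assumption: fall back to the deprecated keyword if the dump uses it.
    [ -n "$kbd" ] ||
        kbd=$(printf '%s\n' "$dump" | effective_value challengeresponseauthentication)
    # A missing keyword counts as "yes" so a truncated dump never passes.
    if [ "${pw:-yes}" = no ] && [ "${kbd:-yes}" = no ]; then
        echo disabled
    elif [ "$dropin" = yes ]; then
        echo overridden   # file is present but did not take effect
    else
        echo enabled
    fi
)

# Values copied from the Scenario 1 and Scenario 3 sessions on this page.
SCENARIO1_DUMP='usepam yes
passwordauthentication yes
kbdinteractiveauthentication yes'
SCENARIO3_DUMP='usepam no
passwordauthentication no
kbdinteractiveauthentication no'
# Constructed: the drop-in exists, yet the effective value is still "yes".
OVERRIDDEN_DUMP='usepam yes
passwordauthentication yes
kbdinteractiveauthentication no'

echo "scenario 1: $(password_login_state "$SCENARIO1_DUMP" no)"
echo "scenario 3: $(password_login_state "$SCENARIO3_DUMP" yes)"
echo "constructed: $(password_login_state "$OVERRIDDEN_DUMP" yes)"
```

On a node, pass `"$(sudo sshd -T)"` as the first argument. sshd keeps the first value it reads for each keyword, so a drop-in that sorts ahead of `99-disable-password-auth.conf` can leave password login on even though the file exists, which is the `overridden` result.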

* feat: configure disable ssh password field

Configuring password authentication field during installation
process which is now part of merged general purpose panel:
"Optional: configure SSH"

so users can enable/disable this as well per the documentation.

In documentation we suggest configuring the now deprecated:
`challengeresponseauthentication`

which is replaced with:
`kbdinteractiveauthentication`

so configuring that parameter instead, as the OpenSSH
version on the node is 10.0. The other configuration
is as suggested in the documentation.

Signed-off-by: Martin Dekov <martin.dekov@suse.com>
(cherry picked from commit b17d47c)

@w13915984028 w13915984028 left a comment

LGTM, thanks.

@martindekov martindekov merged commit 6f160cd into v1.8 Mar 10, 2026
8 of 9 checks passed
@martindekov martindekov deleted the mergify/bp/v1.8/pr-1234 branch March 10, 2026 12:40