Hacker News

> 1. Install Linux on the box. Turn everything off but sshd. Turn off password access to sshd.

Also, test that it's properly disabled with something like `ssh -v yourserver : 2>&1 | grep continue`, because there are a surprising number of ways for that to go wrong (did you know that sshd lets you Include multiple config files together in a way that can override the main one? I know that now.)



This. OVH's VPS had two .confs reenabling passwords. Now I know too.


I should specify that this was with AlmaLinux 9. The offending files were a 50-redhat.conf and a 50-cloud-init.conf.


default ubuntu 22.04 has at least one, too


In situations where I have more than one box, one (usually a little embedded SoC) gets openbsd on it, and is used as a bastion host, for exactly the reasons outlined here.

The problems I hit with using Linux for this were different ten years ago, but, based on this thread, things got worse on that side of the fence.


I always remove all 'includes' in sshd config, just to be sure I will not get any surprises later...


I think doing the opposite is usually better: never make changes to the main /etc/ssh/sshd_config and always add your own customizations under /etc/ssh/sshd_config.d/. That way you have a clear separation between your own and the distro's configs, which makes life easier, especially when upgrading sshd. Although I'll readily admit that I don't myself follow that advice all the time.


This. And give your drop-in a prefix like 00-*.conf.

Fwiw I don't think SSH adds the include line upstream. Most distros add it now.


Yes. I had a hard time figuring out whether a low-numbered prefix got the final say, or the high-numbered one.


and `sshd -T | grep -i password`


IIRC the double config file nonsense is another genius move brought to you by Debian maintainers.

It seriously bothered me that an update automatically re-enabled password authentication. I ended up switching to a different OS.


On updates you are asked whether your conf file should be kept or overwritten, with further options like a diff comparison.
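To make the precedence rules behind this whole thread concrete (including the 00- vs. 50- question above): in sshd_config the first value obtained for a keyword wins, and Include splices in every matching file, in lexical order, at the point where the Include line sits, which the distros that ship it put near the top of the file. So a vendor 50-cloud-init.conf saying `yes` silently beats a `PasswordAuthentication no` further down in the main file, and a 00-*.conf drop-in beats both. The script below is an added example, not something from the thread or from OpenSSH itself: it builds a constructed config tree under a temp dir (the file names 50-cloud-init.conf and 00-hardening.conf and their contents are made up for illustration) and emulates those two rules in POSIX sh so you can see which file actually supplies the value. Match blocks and the `Keyword=value` spelling are deliberately not handled. On a real host the authoritative check remains `sshd -T` run as root (add `-C user=...,host=...,addr=...` if you use Match blocks), which prints the effective value after all includes and built-in defaults are applied.

```shell
#!/bin/sh
# Emulates two sshd_config rules:
#   1. for each keyword, the FIRST value obtained wins; later lines are ignored;
#   2. Include pulls in every matching file, in lexical (glob-sorted) order, at
#      the point where the Include line appears. Relative Include paths are
#      resolved against /etc/ssh on a real box; here against $root.
# Prints "VALUE<TAB>FILE" for the first definition found, returns 1 if none.
# Arguments: root dir, config file, keyword in lower case.
resolve() (
    root=$1 file=$2 kw=$3
    set -f                               # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -- $line
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        if [ "$key" = include ]; then
            shift
            for pat in "$@"; do
                case $pat in /*) ;; *) pat="$root/$pat" ;; esac
                set +f
                for inc in $pat; do      # glob results are sorted: 00-* before 50-*
                    [ -f "$inc" ] || continue
                    if hit=$(resolve "$root" "$inc" "$kw"); then
                        printf '%s\n' "$hit"; exit 0
                    fi
                done
                set -f
            done
        elif [ "$key" = "$kw" ]; then
            printf '%s\t%s\n' "$2" "$file"; exit 0
        fi
    done < "$file"
    exit 1
)

# sshd's compiled-in default for PasswordAuthentication is "yes", so an unset
# keyword is as bad as an explicit "yes".
effective_password_auth() {
    if hit=$(resolve "$1" "$1/sshd_config" passwordauthentication); then
        printf '%s\n' "$hit"
    else
        printf 'yes\t(built-in default)\n'
    fi
}

# Constructed fixture mirroring the thread: the main file says "no" below an
# Include line, and a vendor drop-in (file name made up here) says "yes".
make_fixture() {
    root=$(mktemp -d)
    mkdir "$root/sshd_config.d"
    printf 'Include sshd_config.d/*.conf\nPasswordAuthentication no\n' > "$root/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$root/sshd_config.d/50-cloud-init.conf"
    printf '%s\n' "$root"
}

# The fix the thread converges on: a drop-in whose name sorts before the
# vendor ones, so it is read first and its value wins.
add_hardening_dropin() {
    printf 'PasswordAuthentication no\n' > "$1/sshd_config.d/00-hardening.conf"
}

root=$(make_fixture)
printf 'before: %s\n' "$(effective_password_auth "$root")"  # yes, from 50-cloud-init.conf
add_hardening_dropin "$root"
printf 'after:  %s\n' "$(effective_password_auth "$root")"  # no, from 00-hardening.conf
rm -rf "$root"
```

The "before" line is the surprise the posters above hit: the main file's `no` never gets a look-in because the Include above it already supplied a value. Note the emulator reads only what is on disk; `sshd -T` on the real host is what tells you what the running daemon will do.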



