After setting up ssh authentication via public/private key for my user account on my Ubuntu 22.04 server, I wanted to disable authentication via password for security reasons. So in /etc/ssh/sshd_config I changed the entry PasswordAuthentication from yes (the default) to no:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
Then I restarted the ssh daemon with
sudo systemctl restart sshd.service
and tried to log on via ssh without my private key loaded into Pageant.
To my surprise I got the username and password prompt and could log in with my password. WTF??!
I got sidetracked and forgot about the issue until today, when I set up two-factor authentication for ssh. During that I RTFM and also looked into the files that exist in /etc/ssh/sshd_config.d. And there I found the reason for this failure:
The /etc/ssh/sshd_config file contains the following line as the first non-comment entry:
Include /etc/ssh/sshd_config.d/*.conf
This means that it reads any of the *.conf files in the subdirectory sshd_config.d and treats their content as part of the configuration file at this very point.
There was only one file in there on my installation, 50-cloud-init.conf:
PasswordAuthentication yes
Add to that the following description in the manual:
sshd(8) reads configuration data from /etc/ssh/sshd_config (or the file specified with -f on the command line). The file contains keyword-argument pairs, one per line. For each keyword, the first obtained value will be used. Lines starting with ‘#’ and empty lines are interpreted as comments.
And there you have it: The included file already contained a PasswordAuthentication entry, so the one which I added in the main configuration file had no effect, because it came after the include line.
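A small sketch of the lookup described above, added here as an illustration and not taken from the original post or from OpenSSH: it follows Include lines in order and returns the first value found for a keyword, together with the file and line it came from. The function names and the temporary directory layout are constructed for the example, and Match blocks are not handled.

```python
import glob
import os
import tempfile


def first_value(path, keyword, base_dir="/etc/ssh"):
    """Return (value, file, line_no) for the first `keyword` obtained, or None."""
    with open(path) as fh:
        lines = fh.read().splitlines()
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and empty lines are ignored
        parts = line.split(None, 1)
        name = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name == "include":
            # Included files are read at this very point, globs in lexical order.
            for pattern in arg.split():
                if not os.path.isabs(pattern):
                    pattern = os.path.join(base_dir, pattern)
                for inc in sorted(glob.glob(pattern)):
                    hit = first_value(inc, keyword, base_dir)
                    if hit:
                        return hit
        elif name == keyword.lower():
            return arg, path, line_no  # first obtained value wins
    return None


def demo(include_first=True):
    """Rebuild the layout from the post in a temp dir (constructed sample data)."""
    root = tempfile.mkdtemp()
    conf_d = os.path.join(root, "sshd_config.d")
    os.mkdir(conf_d)
    with open(os.path.join(conf_d, "50-cloud-init.conf"), "w") as fh:
        fh.write("PasswordAuthentication yes\n")
    include = "Include " + os.path.join(conf_d, "*.conf")
    setting = ("# To disable tunneled clear text passwords, change to no here!\n"
               "PasswordAuthentication no")
    body = [include, setting] if include_first else [setting, include]
    main = os.path.join(root, "sshd_config")
    with open(main, "w") as fh:
        fh.write("\n".join(body) + "\n")
    value, src, line_no = first_value(main, "PasswordAuthentication")
    return value, os.path.basename(src), line_no


if __name__ == "__main__":
    print(demo(True))   # Include line first, as on the server in the post
    print(demo(False))  # same entries, with the setting placed before the Include
```

On a live server, `sudo sshd -T` prints the effective configuration the daemon resolves, which shows whether a change to PasswordAuthentication actually took effect.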