
disable_root: true does not disable ssh login as root user #5931

Open
martipoe opened this issue Dec 14, 2024 · 0 comments
Labels
bug Something isn't working correctly new An issue that still needs triage


Bug report

I created a packer image for Debian 12 with key-based ssh root access for provisioning tasks during the build process.

When creating an instance from this image with Terraform, I want to disable ssh login for the root user and lock the password.

The documentation states:

disable_root: (boolean) Disable root login. Default: true

Therefore I apply the below user_data config in Terraform.

I can see that cloud-init is run, the file /etc/ssh/sshd_config.d/50-cloud-init.conf is created and disables ssh password auth:

PasswordAuthentication no

But root login using the packer ssh key is still possible. 'PermitRootLogin no' is missing.

Steps to reproduce the problem

#cloud-config
disable_root: true
ssh_pwauth: false

users:
  - name: root
    lock_passwd: true
  - name: ansible
    uid: 1000
    ...

Environment details

  • Cloud-init version: 22.4.2-1+deb12u2
  • Operating System Distribution: Debian 12
  • Cloud provider, platform or installer type: nocloud

cloud-init logs

cloud-init.tar.gz

@martipoe martipoe added bug Something isn't working correctly new An issue that still needs triage labels Dec 14, 2024
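Added example, not part of the original report and not cloud-init's own code: cloud-init applies disable_root by prefixing the root keys it manages in authorized_keys with restrictive options (including a forced command="..."), not by writing PermitRootLogin, so a key already baked into the image stays usable. The audit below flags root keys that still open a normal session; the function names are hypothetical and the sample sshd -T output and key entries are constructed.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
QUOTED = r'"(?:\\.|[^"\\])*"'
OPTS_FIELD = re.compile(rf'((?:[^\s"]|{QUOTED})+)\s')  # leading options; quotes may hold spaces
ONE_OPT = re.compile(rf'(?:[^,"]|{QUOTED})+')          # one comma-separated option

def has_forced_command(entry):
    """True if an authorized_keys entry carries a command="..." option."""
    if entry.startswith(KEY_TYPES):
        return False  # entry begins with the key type, so it has no options field
    m = OPTS_FIELD.match(entry)
    opts = m.group(1) if m else entry
    return any(o.lower().startswith("command=") for o in ONE_OPT.findall(opts))

def unrestricted_keys(authorized_keys_text):
    """Entries that give a normal session (no forced command)."""
    lines = (l.strip() for l in authorized_keys_text.splitlines())
    return [l for l in lines if l and not l.startswith("#") and not has_forced_command(l)]

def effective(sshd_t_text):
    """Parse `sshd -T` output into {keyword: value}; keywords are printed lowercase."""
    return dict(l.split(None, 1) for l in sshd_t_text.splitlines() if " " in l.strip())

def root_key_login_open(sshd_t_text, authorized_keys_text):
    """Return the root key entries that still allow an interactive root login."""
    cfg = effective(sshd_t_text)
    permit = cfg.get("permitrootlogin", "prohibit-password")  # OpenSSH default
    if permit not in ("yes", "prohibit-password", "without-password"):
        return []  # "no" rejects root; "forced-commands-only" rejects keys without command=
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        return []
    return unrestricted_keys(authorized_keys_text)

# Constructed sample: effective config matching the report (password auth off,
# PermitRootLogin never set to "no").
SAMPLE_SSHD_T = "passwordauthentication no\npermitrootlogin without-password\npubkeyauthentication yes\n"
# Constructed sample: one key baked into the image, one written in the style
# cloud-init uses when disable_root is true. Key material is a placeholder.
SAMPLE_ROOT_KEYS = r'''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERIMAGEKEY packer-build
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ansible\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERMETAKEY admin
'''

if __name__ == "__main__":
    for entry in root_key_login_open(SAMPLE_SSHD_T, SAMPLE_ROOT_KEYS):
        print("root can still log in with:", entry)
```

On an instance, pass the output of `sshd -T` (run as root) and the contents of /root/.ssh/authorized_keys instead of the samples.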