fix: ensure Password and Challenge Response auth for SSH is disabled

Author: lowjoel

ebssurrogate/scripts/qemu-bootstrap-nix.sh

@@ -160,6 +160,15 @@ function clean_system {
 	# remove passwords in user-data-cloudimg.img (required for Packer login)
 	usermod -p '*' ubuntu
 	usermod -p '*' root
+
+  # Ensure that PasswordAuthentication is off
+  # From chroot-boostrap-nix.sh
+  sed -i -E \
+    -e 's/^#?\s*PasswordAuthentication\s+(yes|no)\s*$/PasswordAuthentication no/g' \
+    -e 's/^#?\s*ChallengeResponseAuthentication\s+(yes|no)\s*$/ChallengeResponseAuthentication no/g' \
+    /etc/ssh/sshd_config
+  grep -qE "^PasswordAuthentication\s+no" /etc/ssh/sshd_config \
+    || { echo "ERROR: PasswordAuthentication is not disabled in sshd_config"; exit 1; }
 }
 
 install_nix