feat(ssh): enable password auth out of the box

skulidropek · claude · skulidropek · commit a7d99b67631c · 2026-03-16T08:08:19.000Z
- PasswordAuthentication yes in sshd_config (was: no)
- Default password = SSH username (dev:dev) set via chpasswd at build time
- PubkeyAuthentication yes kept — authorized_keys still works if provided
- WHY: users need exactly one command to connect, no key setup required
- INVARIANT: sshCommand from REST API works immediately after clone/create

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -15,14 +15,17 @@ RUN useradd -m -s /bin/bash dev
 # sshd runtime dir
 RUN mkdir -p /run/sshd
 
-# Harden sshd: disable password auth and root login
+# sshd: password auth enabled so users can connect without key setup
 RUN printf "%s\n" \
-  "PasswordAuthentication no" \
+  "PasswordAuthentication yes" \
   "PermitRootLogin no" \
   "PubkeyAuthentication yes" \
   "AllowUsers dev" \
   > /etc/ssh/sshd_config.d/dev.conf
 
+# Default password = username (works out of the box; key auth still accepted if authorized_keys provided)
+RUN echo "dev:dev" | chpasswd
+
 # Workspace in dev home
 RUN mkdir -p /home/dev/app && chown -R dev:dev /home/dev
 
diff --git a/packages/lib/src/core/templates/dockerfile.ts b/packages/lib/src/core/templates/dockerfile.ts
@@ -205,16 +205,19 @@ RUN printf "%s\\n" "${config.sshUser} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/$
 # sshd runtime dir
 RUN mkdir -p /run/sshd
 
-# Harden sshd: disable password auth and root login
+# sshd: password auth enabled so users can connect without key setup
 RUN printf "%s\\n" \
-  "PasswordAuthentication no" \
+  "PasswordAuthentication yes" \
   "PermitRootLogin no" \
   "PubkeyAuthentication yes" \
   "X11Forwarding yes" \
   "X11UseLocalhost yes" \
   "PermitUserEnvironment yes" \
   "AllowUsers ${config.sshUser}" \
-  > /etc/ssh/sshd_config.d/${config.sshUser}.conf`
+  > /etc/ssh/sshd_config.d/${config.sshUser}.conf
+
+# Default password = username (works out of the box; key auth still accepted if authorized_keys provided)
+RUN echo "${config.sshUser}:${config.sshUser}" | chpasswd`
 
 const renderDockerfileWorkspace = (config: TemplateConfig): string =>
   `# Workspace path (supports root-level dirs like /repo)
