Comment 1 for bug 1677205

Scott Moser (smoser) wrote :

I think the change for the permissions would best happen in write_file.
We'd like to say: use existing mode if the file exists, otherwise use X.

Maybe an argument: use_existing_mode=True
that would use the existing mode if the file existed, otherwise would use 'mode',
and default that to False (for backwards compat).

A simpler change for *just this* looks like:
--- a/cloudinit/config/cc_set_passwords.py
+++ b/cloudinit/config/cc_set_passwords.py
@@ -215,7 +215,13 @@ def handle(_name, cfg, cloud, log, args):
                                                      pw_auth))

         lines = [str(l) for l in new_lines]
- util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
+ import os, stat
+ mode = 0o600
+ if os.path.exists(ssh_util.DEF_SSHD_CFG):
+ mode = stat.S_IMODE(os.lstat(ssh_util.DEF_SSHD_CFG).st_mode)
+
+ util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines) + "\n",
+ mode=mode)

         try:
             cmd = cloud.distro.init_cmd # Default service
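
Review bot: The existence check and the mode lookup disagree about symlinks: `os.path.exists(ssh_util.DEF_SSHD_CFG)` follows a symlink, but `os.lstat(...)` does not, so when the sshd config path is a symlink the mode passed to `util.write_file` is the link's own mode (typically 0o777 on Linux) instead of the target file's. Using `os.stat` for the lookup would keep the two calls consistent and preserve the real file's permissions. The separate exists-then-stat sequence can also be collapsed into a single `os.stat` call wrapped in a try/except for a missing file, which removes the window between the check and the read. Lastly, `import os, stat` sits inside `handle()`; moving it to the module's top-level imports, one module per line, would match normal style. The 0o600 fallback for a file that does not yet exist is a sensible restrictive default for this file.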