disable_root: 1 but root can still log in

Bug #1737130 reported by S.Polat
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
cloud-init | Expired | Undecided | Unassigned |

Bug Description

In my cloud.cfg I have tried:
disable_root: true
disable_root: 1
disable_root: True

But root is still able to log in via ssh.

RHEL 7.3
Openstack 10
cloud-init 0.7.9

S.Polat (sinan-d) wrote :
Scott Moser (smoser) wrote :

from doc/examples/cloud-config.txt
(which should be moved over to readthedocs and improved):

# disable ssh access as root.
# if you want to be able to ssh in to the system as the root user
# rather than as the 'ubuntu' user, then you must set this to false
# default: true
disable_root: false

to *disable* root access you need to turn that to true (the default value).
to *enable* you would turn it to false.

I've just verified that by default on Ubuntu ssh root@ will give you the "log in as ubuntu" message.
If you provide:
#cloud-config
disable_root: false

then you'll be able to go straight in as root with the keys you provided.

cloud-init does not currently manipulate sshd_config PermitRootLogin

Scott Moser (smoser) wrote :

My comment above might have been confusing, I'm sorry.

Just to check if this was working I launched an instance in openstack of CentOS-7-x86_64-GenericCloud-1708-disk1.img from http://cloud.centos.org/centos/7/images/ .

Without any user-data (default behavior):

  $ ssh root@10.5.0.3
  Please login as the user "centos" rather than the user "root".

  $ ssh centos@10.5.0.3
  [centos@inst-20171211-182508 ~]$

When providing user-data like
  $ cat my.yaml
  #cloud-config
  disable_root: false

  $ openstack server create --user-data=my.yaml \
      --key-name=brickies --flavor=m1.small \
      --image=smoser-images/CentOS-7-x86_64-GenericCloud-1708-disk1.img \
      inst-20171211-183052

  ...

  $ ssh root@10.5.0.13
  Last login: Mon Dec 11 18:31:52 2017 from 10.5.0.9
  [root@inst-20171211-182959 ~]#

So this looks like it is functioning as designed.

I'm going to set this to 'incomplete'. If it isn't working this way for you, please collect any /etc/cloud/cloud.cfg* files you have in your images and /var/lib/cloud and /var/log/cloud* and attach, and then set to 'New'.

Thanks.
Scott

Changed in cloud-init:
status: New → Incomplete
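
An added example, not from the bug thread or the cloud-init code base: a Python check that separates the two layers discussed above, the forced command cloud-init places on root's key in authorized_keys (the source of the "Please login as the user ..." message) and sshd's own PermitRootLogin, which cloud-init leaves alone. Function names and the sample key lines are constructed for illustration; on a live host, `sshd -T` reports the effective sshd setting.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with one has no options

def options_field(line):
    """Return the leading options field, honouring quoted values with spaces."""
    in_quote, i = False, 0
    while i < len(line):
        if in_quote and line[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if line[i] == '"':
            in_quote = not in_quote
        elif line[i].isspace() and not in_quote:
            return line[:i]
        i += 1
    return line

def unrestricted_keys(authorized_keys):
    """Count keys that give a real session, i.e. carry no forced command=."""
    count = 0
    for line in map(str.strip, authorized_keys.splitlines()):
        if not line or line.startswith("#"):
            continue
        opts = "" if line.startswith(KEY_TYPES) else options_field(line)
        if not re.search(r'(?:^|,)command="', opts, re.I):
            count += 1
    return count

def permit_root_login(sshd_config):
    """Global PermitRootLogin, or None if unset (sshd's built-in default applies)."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ", 1).split()
        if parts and parts[0].lower() == "match":
            break           # conditional blocks are not evaluated here
        if len(parts) > 1 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()   # sshd keeps the first value it reads
    return None

def root_ssh_state(authorized_keys, sshd_config):
    """Say which layer, if any, stops root from getting a shell with a key."""
    policy = permit_root_login(sshd_config)
    if policy == "no":
        return "denied-by-sshd"
    if unrestricted_keys(authorized_keys) and policy != "forced-commands-only":
        return "root-key-login-open"
    return "key-login-blocked:policy=%s" % (policy or "default")

# Constructed samples: root's authorized_keys with and without the forced command.
LOCKED = ('no-port-forwarding,command="echo \'Please login as the user \\"centos\\" '
          'rather than the user \\"root\\".\';echo;sleep 10" ssh-rsa AAAAB3Nza constructed')
OPEN = "ssh-rsa AAAAB3Nza constructed"
```

A result of `key-login-blocked:policy=yes` or `policy=default` means only the key path is closed; any other way root can authenticate is still decided by sshd_config.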
Launchpad Janitor (janitor) wrote :

[Expired for cloud-init because there has been no activity for 60 days.]

Changed in cloud-init:
status: Incomplete → Expired
James Falcon (falcojr) wrote :