2 files changed, 17 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index 2721d9cc..0ec4f49e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -90,6 +90,8 @@
    for a user if they do not exist. (LP: #1539317)
  - dmi data: fix failure of reading dmi data for unset dmi values
  - doc: mention label for nocloud datasource must be 'cidata' [Peter Hurley]
+ - ssh_pwauth: fix module to support 'unchanged' and match behavior
+   described in documentation [Chris Cosby]
 
 0.7.6:
  - open 0.7.6
diff --git a/cloudinit/config/cc_set_passwords.py b/cloudinit/config/cc_set_passwords.py
index 0c315361..58e1b713 100644
--- a/cloudinit/config/cc_set_passwords.py
+++ b/cloudinit/config/cc_set_passwords.py
@@ -45,8 +45,6 @@ def handle(_name, cfg, cloud, log, args):
         password = util.get_cfg_option_str(cfg, "password", None)
 
     expire = True
-    pw_auth = "no"
-    change_pwauth = False
     plist = None
 
     if 'chpasswd' in cfg:
@@ -104,11 +102,24 @@ def handle(_name, cfg, cloud, log, args):
     change_pwauth = False
     pw_auth = None
     if 'ssh_pwauth' in cfg:
-        change_pwauth = True
         if util.is_true(cfg['ssh_pwauth']):
+            change_pwauth = True
             pw_auth = 'yes'
-        if util.is_false(cfg['ssh_pwauth']):
+        elif util.is_false(cfg['ssh_pwauth']):
+            change_pwauth = True
             pw_auth = 'no'
+        elif str(cfg['ssh_pwauth']).lower() == 'unchanged':
+            log.debug('Leaving auth line unchanged')
+            change_pwauth = False
+        elif not str(cfg['ssh_pwauth']).strip():
+            log.debug('Leaving auth line unchanged')
+            change_pwauth = False
+        elif not cfg['ssh_pwauth']:
+            log.debug('Leaving auth line unchanged')
+            change_pwauth = False
+        else:
+            msg = 'Unrecognized value %s for ssh_pwauth' % cfg['ssh_pwauth']
+            util.logexc(log, msg)
 
     if change_pwauth:
         replaced_auth = False