Can't SSH into SoftLayer image with public key as vagrant user

I haven’t been able to vagrant up any softlayer box since May 2016:

vagrant up base02 --provider=softlayer
Bringing machine 'base02' up with 'softlayer' provider…
==> base02: Creating a new SoftLayer instance…
==> base02: Waiting for instance provisioning. This may take a few minutes…
==> base02: SoftLayer instance successfully provisioned!
==> base02: Waiting for machine to boot. This may take a few minutes…
base02: SSH address: 169.55.153.58:6395
base02: SSH username: vagrant
base02: SSH auth method: private key
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
base02: Warning: Authentication failure. Retrying…
Timed out while waiting for the machine to boot. This means that
Vagrant was unable to communicate with the guest machine within
the configured ("config.vm.boot_timeout" value) time period.
If you look above, you should be able to see the error(s) that
Vagrant had when attempting to connect to the machine. These errors
are usually good hints as to what may be wrong.
If you're using a custom box, make sure that networking is properly
working and you're able to connect to the machine. It is a common
problem that networking isn't setup properly in these boxes.
Verify that authentication configurations are also setup properly,
as well.
If the box appears to be booting properly, you may want to increase
the timeout ("config.vm.boot_timeout") value.

I found that ssh simply doesn’t work with the vagrant user on a softlayer box.
I’m able to SSH into the softlayer box with a different user created the exact same way as vagrant, with identical SSH settings (configurations and SSH keys).
I’m able to SSH in with vagrant user into a virtualbox image built the exact same way as the softlayer box.
I was still able to SSH in with vagrant user into this softlayer image in May this year.

$ ssh vagrant@169.55.153.58 -p 6395 -i ./vagrant-secure-private.key -v
OpenSSH_7.2p2, OpenSSL 1.0.2j 26 Sep 2016
debug1: Connecting to 169.55.153.58 [169.55.153.58] port 6395.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file ./ncw-vagrant-secure-private.key type -1
debug1: key_load_public: No such file or directory
debug1: identity file ./ncw-vagrant-secure-private.key-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to 169.55.153.58:6395 as 'vagrant'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:IfJVeqsRAeL15hsMh0atBbTB6+1zFFCnhecmiIHK/MQ
debug1: Host '[169.55.153.58]:6395' is known and matches the RSA host key.
debug1: Found key in /home/chastina.li/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: ./vagrant-secure-private.key
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

vagrant user and SSH setup:

#!/bin/bash -e
# Create the vagrant user with passwordless sudo
/usr/sbin/groupadd vagrant
/usr/sbin/useradd vagrant -g vagrant -G wheel
echo "vagrant ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/vagrant
chmod 440 /etc/sudoers.d/vagrant
# Install the public key for key-based SSH login
mkdir /home/vagrant/.ssh
chmod 700 /home/vagrant/.ssh
cp /tmp/vagrant.pub /home/vagrant/.ssh/authorized_keys
chmod 600 /home/vagrant/.ssh/authorized_keys
chown -R vagrant /home/vagrant/.ssh
# Comment out requiretty in sudoers
cp /etc/sudoers /tmp/sudoers.old
sed "s/Defaults +requiretty/#Defaults requiretty/" /tmp/sudoers.old > /etc/sudoers
rm /tmp/sudoers.old
# Skip reverse DNS lookups on SSH connections
echo "UseDNS no" >> /etc/ssh/sshd_config

/etc/ssh/sshd_config:

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 6395
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords yes
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM no
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
UseDNS no
AllowUsers vagrant root

I wonder what changed since mid year?
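
The posted sshd_config leaves StrictModes at its default (yes), so sshd refuses a key when the home directory, .ssh or authorized_keys is group/other-writable or owned by anyone other than the user or root, and the client's -v output cannot show that reason. The script below is an added example, not part of the original post, that runs the same ownership and mode checks on the server; the function name check_strictmodes is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit the three paths that
# sshd's StrictModes inspects for one account.
# Usage on the server, as root:
#   check_strictmodes /home/vagrant "$(id -u vagrant)"
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_strictmodes() {
    sm_home=$1
    sm_uid=$2
    sm_rc=0
    for sm_path in "$sm_home" "$sm_home/.ssh" "$sm_home/.ssh/authorized_keys"; do
        if [ ! -e "$sm_path" ]; then
            echo "MISSING   $sm_path"
            sm_rc=1
            continue
        fi
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner
        sm_line=$(ls -ldn "$sm_path")
        sm_mode=$(echo "$sm_line" | awk '{print $1}')
        sm_owner=$(echo "$sm_line" | awk '{print $3}')
        # The owner must be the account itself or root (uid 0)
        if [ "$sm_owner" != "$sm_uid" ] && [ "$sm_owner" != "0" ]; then
            echo "OWNER     $sm_path owned by uid $sm_owner, expected $sm_uid or 0"
            sm_rc=1
        fi
        # Characters 6 and 9 of the mode string are group-write and other-write
        case $sm_mode in
            ?????w*|????????w*)
                echo "WRITABLE  $sm_path has mode $sm_mode (group/other write)"
                sm_rc=1
                ;;
        esac
    done
    return $sm_rc
}
```

The reason sshd records for a rejected key goes to the AUTHPRIV syslog facility set in the posted configuration, so the server's auth log is the place to confirm whatever this check reports.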

Sorry but not sure we can be much help here. We only test and support the single base box that Trellis has by default.