diff --git a/misc/cloud-init.sh b/misc/cloud-init.sh
index c42a0e444..c50ae6ff8 100644
--- a/misc/cloud-init.sh
+++ b/misc/cloud-init.sh
@@ -120,16 +120,7 @@ EOF
 
   msg_ok "Cloud-Init configured (User: ${ciuser})" 2>/dev/null || echo "[OK] Cloud-Init configured (User: ${ciuser})"
 
-  # Display password info
-  if [ -n "${INFO:-}" ]; then
-    echo -e "${INFO}${BOLD:-} Cloud-Init Password: ${BGN:-}${cipassword}${CL:-}"
-    echo -e "${INFO}${BOLD:-} Credentials saved to: ${BGN:-}${cred_file}${CL:-}"
-  else
-    echo "[INFO] Cloud-Init Password: ${cipassword}"
-    echo "[INFO] Credentials saved to: ${cred_file}"
-  fi
-
-  # Export for use in calling script
+  # Export for use in calling script (DO NOT display password here - will be shown in summary)
   export CLOUDINIT_USER="$ciuser"
   export CLOUDINIT_PASSWORD="$cipassword"
   export CLOUDINIT_CRED_FILE="$cred_file"
@@ -226,26 +217,20 @@ function display_cloud_init_info() {
     if [ -n "${INFO:-}" ]; then
       echo -e "\n${INFO}${BOLD:-}${GN:-} Cloud-Init Configuration:${CL:-}"
       echo -e "${TAB:-  }${DGN:-}User: ${BGN:-}${CLOUDINIT_USER:-root}${CL:-}"
-      echo -e "${TAB:-  }${DGN:-}Password: ${BGN:-}${CLOUDINIT_PASSWORD:-(saved in file)}${CL:-}"
-      echo -e "${TAB:-  }${DGN:-}Credentials: ${BGN:-}${CLOUDINIT_CRED_FILE}${CL:-}"
+      echo -e "${TAB:-  }${DGN:-}Password: ${BGN:-}${CLOUDINIT_PASSWORD}${CL:-}"
+      echo -e "${TAB:-  }${DGN:-}Credentials: ${BL:-}${CLOUDINIT_CRED_FILE}${CL:-}"
+      echo -e "${TAB:-  }${YW:-}💡 You can configure Cloud-Init settings in Proxmox UI:${CL:-}"
+      echo -e "${TAB:-  }${YW:-}   VM ${vmid} > Cloud-Init > Edit (User, Password, SSH Keys, Network)${CL:-}"
     else
       echo ""
       echo "[INFO] Cloud-Init Configuration:"
       echo "  User: ${CLOUDINIT_USER:-root}"
-      echo "  Password: ${CLOUDINIT_PASSWORD:-(saved in file)}"
+      echo "  Password: ${CLOUDINIT_PASSWORD}"
       echo "  Credentials: ${CLOUDINIT_CRED_FILE}"
+      echo "  You can configure Cloud-Init settings in Proxmox UI:"
+      echo "  VM ${vmid} > Cloud-Init > Edit"
     fi
   fi
-
-  # Show Proxmox UI info
-  if [ -n "${INFO:-}" ]; then
-    echo -e "\n${INFO}${BOLD:-}${YW:-} You can configure Cloud-Init settings in Proxmox UI:${CL:-}"
-    echo -e "${TAB:-  }${DGN:-}VM ${vmid} > Cloud-Init > Edit (User, Password, SSH Keys, Network)${CL:-}"
-  else
-    echo ""
-    echo "[INFO] You can configure Cloud-Init settings in Proxmox UI:"
-    echo "  VM ${vmid} > Cloud-Init > Edit"
-  fi
 }
 
 # ==============================================================================
diff --git a/vm/docker-vm.sh b/vm/docker-vm.sh
index 8cc6488c6..74a425db3 100644
--- a/vm/docker-vm.sh
+++ b/vm/docker-vm.sh
@@ -19,7 +19,6 @@ function header_info() {
 
 EOF
 }
-
 header_info
 echo -e "\n Loading..."
 GEN_MAC=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
@@ -275,9 +274,17 @@ function get_image_url() {
   local arch=$(dpkg --print-architecture)
   case $OS_TYPE in
   debian)
-    echo "https://cloud.debian.org/images/cloud/${OS_CODENAME}/latest/debian-${OS_VERSION}-nocloud-${arch}.qcow2"
+    # Debian has two variants:
+    # - generic: For Cloud-Init enabled VMs
+    # - nocloud: For VMs without Cloud-Init (has console auto-login)
+    if [ "$USE_CLOUD_INIT" = "yes" ]; then
+      echo "https://cloud.debian.org/images/cloud/${OS_CODENAME}/latest/debian-${OS_VERSION}-generic-${arch}.qcow2"
+    else
+      echo "https://cloud.debian.org/images/cloud/${OS_CODENAME}/latest/debian-${OS_VERSION}-nocloud-${arch}.qcow2"
+    fi
     ;;
   ubuntu)
+    # Ubuntu only has cloudimg variant (always with Cloud-Init support)
     echo "https://cloud-images.ubuntu.com/${OS_CODENAME}/current/${OS_CODENAME}-server-cloudimg-${arch}.img"
     ;;
   esac
@@ -611,7 +618,6 @@ msg_info "Adding Docker and Docker Compose to ${OS_DISPLAY} Qcow2 Disk Image"
 export LIBGUESTFS_BACKEND_SETTINGS=dns=8.8.8.8,1.1.1.1
 
 # Always create first-boot installation script as fallback
-msg_info "Preparing first-boot installation script as fallback"
 virt-customize -q -a "${FILE}" --run-command "cat > /root/install-docker.sh << 'INSTALLEOF'
 #!/bin/bash
 # Log output to file
@@ -705,16 +711,10 @@ WantedBy=multi-user.target
 SERVICEEOF" >/dev/null
 
 virt-customize -q -a "${FILE}" --run-command "systemctl enable install-docker.service" >/dev/null
-msg_ok "First-boot installation script prepared"
 
 # Try to install packages and Docker during image customization
-msg_info "Attempting to install packages during image customization"
 DOCKER_INSTALLED_ON_FIRST_BOOT="yes" # Assume first-boot by default
 if virt-customize -a "${FILE}" --install qemu-guest-agent,curl,ca-certificates 2>/dev/null; then
-  msg_ok "Base packages installed successfully"
-
-  # Try Docker installation
-  msg_info "Installing Docker via get.docker.com"
   if virt-customize -q -a "${FILE}" --run-command "curl -fsSL https://get.docker.com | sh" 2>/dev/null &&
     virt-customize -q -a "${FILE}" --run-command "systemctl enable docker" 2>/dev/null; then
 
@@ -748,6 +748,19 @@ virt-customize -q -a "${FILE}" --hostname "${HN}" >/dev/null
 virt-customize -q -a "${FILE}" --run-command "truncate -s 0 /etc/machine-id" >/dev/null
 virt-customize -q -a "${FILE}" --run-command "rm -f /var/lib/dbus/machine-id" >/dev/null
 
+# Configure SSH to allow root login with password (Cloud-Init will set the password)
+virt-customize -q -a "${FILE}" --run-command "sed -i 's/^#*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config" >/dev/null 2>&1 || true
+virt-customize -q -a "${FILE}" --run-command "sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config" >/dev/null 2>&1 || true
+
+# Disable console auto-login ONLY for Debian nocloud images with Cloud-Init enabled
+# (generic images don't have auto-login, Ubuntu images don't have auto-login)
+if [ "$USE_CLOUD_INIT" = "yes" ] && [ "$OS_TYPE" = "debian" ]; then
+  # Only needed for Debian nocloud variant (but we use generic when Cloud-Init is enabled)
+  # This is a safety measure in case we somehow use nocloud with Cloud-Init
+  virt-customize -q -a "${FILE}" --run-command "rm -f /etc/systemd/system/getty@tty1.service.d/autologin.conf" >/dev/null 2>&1 || true
+  virt-customize -q -a "${FILE}" --run-command "rm -f /etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf" >/dev/null 2>&1 || true
+fi
+
 msg_info "Expanding root partition to use full disk space"
 qemu-img create -f qcow2 expanded.qcow2 ${DISK_SIZE} >/dev/null 2>&1
 virt-resize --expand /dev/sda1 ${FILE} expanded.qcow2 >/dev/null 2>&1