I don't disagree, it's not exactly a uncommon practice. I think Raspberry pi for instance does this. Not defending it, totally stupid, just pointing out they aren't alone in this.
The fact passwords are on by default for sshd on most distributions is crazy.
Honestly, I agree. My ssh passwords aren't going to be brute-forced anytime this century. It's also pretty easy to put a fake sshd on port 22 and set the real one to some other port (preferably one low enough to still require root privileges though).
I don't have encrypted drives on all my devices. I don't want to have to worry about what could happen if one of those gets lost/stolen. I'd rather not leave keys or certificates lying around.
Also, things sometimes go wrong and I need to get access to a server from a device I've never been on. It's nice to be able to do that. Passwords do that.
To be fair, I usually have a single VPS which I keep as locked down as possible that has VPN access to the server I really need. The VPS doesn't even need to be running most of the time. So I can spin it up to get access to the VPN, then ssh into the server with a password. If the VPS gets compromised, the VPN alone won't give an attacker immediate access to the server like it would if I left keys / certificates on there. I have to trust the VPS, and if it gets compromised without me noticing, and I then log in to my server, yeah, I'm SOL, but certificates don't solve that problem.
That is not the only time you use passwords over ssh, e.g. I don't use a password to remote into my desktop from my laptop, but I do use one when using sudo on the desktop.
So many other options: not enabling sshd per default, ask for a password, display a random password on the phone, allow uploading a public key... possibilities are endless.
This is definitely true... and a lot of people are doing it wrong.
This is one of those things that drives me nuts as an experienced/old developer, seeing people type passwords for ssh/git/whatever several times per day. Sometimes there are tasks that require copying / checking some file on N servers, and these people seem to think that cannot be done in a shell script because the password needs to be entered interactively.
Then there's ssh port forwarding, X11 forwarding, etc... but its amazing how many people use ssh for years without so much as glancing at the man page.
I am often quite baffled by people using only the device.
The whole point of all this is "something you have, something you know".
Yet lots just have passwordless keys for ssh with their yubikey. Completely unsecure, unsafe in examples you cite, and more.
When using ssh keys for login, you should enforce remote/server password requirements and an ssh key. This is trivial to do in sshd_config, and important.
Never trust end users to have passwords on their ssh keys. Always enforce it server side.
If you want password auth, you already have to change a default setting in SSHD and restart it. How exactly is removing that as a option ‘less complex’ for the downstream distros?
You realize that's literally just to fetch SSH keys, right? It's the authentication method so they don't have to provide a default password. It's not some sort of phone-home method.
And I hope nobody is using key based authentication for SSH without storing the private part of their SSH key on an external smart card only, which is unlocked by an external hardware pin pad.
I was being pedantic of course. Password based SSH authentication is fine for 99% of the cases, as long as they use a "secure" password and don't leak it by writing it down or reusing it elsewhere.
Passwordless root SSH is perfectly fine, which is why it is enabled by default. By people who have thought a little longer and harder about all this than you. (Sorry for the tone. Maladvice like yours on public forums is demonstrably harmful.)
Being the enlightened hacker that I am, I use SSH keys for all of my ssh'ing, and I know a fair number of sysadmins that require ssh keys, so I kind of thought it was more or less default nowadays. I guess I was wrong, so what is the reasoning behind allowing password access to your servers? I guess if you have a fair number of non-technical users, keys might be too hard to deal with? But scripts can make the process fairly painless. I'd be interested to hear from someone who does manage more than a couple machines.
The fact passwords are on by default for sshd on most distributions is crazy.
reply