One of the worst OpenSSH-related things I've seen is Ubuntu installs that generate a `/etc/ssh/sshd_config.d/50-cloud-init.conf` which contains `PasswordAuthentication yes`, so that a `PasswordAuthentication no` in `/etc/ssh/sshd_config` gets overridden and password auth remains enabled!
That's atrocious. PasswordAuthentication will happily go in a `Match Host` block, so it wouldn't even have been hard to limit that to private ranges!
I've seen it enabled so that hosting companies can allow you to ssh to your instance with some default password. So they wouldn't know the IP range. But there's no good reason to do it like this anymore. They should ask the customer for a public SSH key and place it in the authorized_keys file.
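The override in the first post works because sshd takes the first value it obtains for each keyword, and Ubuntu's stock `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, so anything in a drop-in wins over a later line in the main file. The script below is an added example (not from the thread or from OpenSSH) that walks a config the same way, follows `Include` lines in sorted order, ignores keywords inside `Match` blocks, and reports which file actually decided `PasswordAuthentication`. It builds a constructed copy of the layout described above in a scratch directory; the paths and the `Match Address` block (used here for the "private ranges" idea from the second reply, since `Address` matches client IP ranges) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: emulate sshd's "first obtained value wins" rule across
# sshd_config and its Include'd drop-ins, and report the deciding file.
set -eu

# Build a constructed, Ubuntu-like layout under a temporary directory.
# The drop-in mirrors the 50-cloud-init.conf described in the thread.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' \
        "$dir" > "$dir/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
    echo "$dir"
}

# Same layout, but the drop-in is replaced by a Match block at the end of
# the main file (hypothetical hardened variant): password auth only for
# one private range, global default stays "no".
make_hardened_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\nMatch Address 10.0.0.0/8\n    PasswordAuthentication yes\n' \
        "$dir" > "$dir/sshd_config"
    echo "$dir"
}

# effective_value CONFIG KEYWORD
# Walks CONFIG top to bottom like sshd: Include globs are expanded in sorted
# order and recursed into, the FIRST occurrence of KEYWORD outside any Match
# block is the effective global value. Prints "value file"; returns 1 if the
# keyword is never set.
effective_value() {
    cfg=$1
    lkey=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    in_match=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # split into keyword and arguments
        [ $# -ge 1 ] || continue
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case $kw in
            match)
                in_match=1        # everything after this is conditional
                continue ;;
            include)
                [ $# -ge 2 ] || continue
                shift
                for pat in "$@"; do
                    for f in $pat; do            # glob expansion, sorted
                        [ -f "$f" ] || continue
                        # recursion runs in a subshell, so our variables survive
                        r=$(effective_value "$f" "$lkey") && [ -n "$r" ] && {
                            printf '%s\n' "$r"
                            return 0
                        }
                    done
                done
                continue ;;
        esac
        [ "$in_match" -eq 0 ] || continue
        if [ "$kw" = "$lkey" ] && [ $# -ge 2 ]; then
            printf '%s %s\n' "$2" "$cfg"
            return 0
        fi
    done < "$cfg"
    return 1
}

# Demonstration on the constructed fixtures (touches only the temp dirs).
demo() {
    d=$(make_fixture)
    printf 'cloud-init layout : %s\n' "$(effective_value "$d/sshd_config" PasswordAuthentication)"
    rm -rf "$d"
    d=$(make_hardened_fixture)
    printf 'Match-block layout: %s\n' "$(effective_value "$d/sshd_config" PasswordAuthentication)"
    rm -rf "$d"
}
demo
```

On a real host, `effective_value /etc/ssh/sshd_config PasswordAuthentication` points at the file to fix; the authoritative answer is `sudo sshd -T | grep -i '^passwordauthentication'`, which prints the configuration sshd will actually apply after all includes and defaults.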