> With ssh you have to go pretty far out of your way to allow someone to log in without having a key or password.
Yeah. It's certainly not the default config. From what I can tell, you can either
* Activate PAM support and have a PAM module that just authorizes users, regardless of credentials.
* Enable PermitEmptyPasswords and have an account on the system that has no password.
So, I guess if you SSH to a machine that lets you log in with no password, or any username/password combo, you might want to consider that maybe your use of the machine is not necessarily authorized. :p
My hypothetical in the previous comment presumed that you presented a username/key or a username/password combo that you knew to the system and it granted you access... but I guess the situation can get a little more murky, if you're accessing a system managed by a pathologically lazy sysadmin. ;)
Eh, if you're in a position to know a legitimate account like that, you should already know whether you're authorized. In that case "it let me in so surely it was okay" is not a very strong argument.
Yeah. It's certainly not the default config. From what I can tell, you can either
* Activate PAM support and have a PAM module that just authorizes users, regardless of credentials.
* Enable PermitEmptyPasswords and have an account on the system that has no password.
So, I guess if you SSH to a machine that lets you log in with no password, or any username/password combo, you might want to consider that maybe your use of the machine is not necessarily authorized. :p
My hypothetical in the previous comment presumed that you presented a username/key or a username/password combo that you knew to the system and it granted you access... but I guess the situation can get a little more murky, if you're accessing a system managed by a pathologically lazy sysadmin. ;)