Hi folks, I've recently started to work on a patch for openssh that introduces a new option to disable authentication. I'd like to explain why I think this might be generally useful, and solicit opinions on whether such a patch would be acceptable to the maintainers as a pull request. *Why is this useful?* Openssh has useful capabilities such as remote and local port-forwarding, as well as better terminal management compared to older tools like telnet that support anonymous login. With this option, we can use openssh in scenarios where authentication is not required. *Specific use cases:* 1. Combine sshd on an unprivileged port with kubectl port-forward to replace kubectl exec for shelling into containers running in a secure Kubernetes environment. Kubectl exec does not kill processes on disconnect, and does not support remote port forwarding, while ssh does both of these things. 2. Run an unauthenticated ssh server on a port that is accessible only inside a cluster without the risk of someone accidentally exposing a no-password account on an ssh running on port 22. *Why is this useful when openssh already has **PermitEmptyPassword*? PermitEmptyPasswords is a reasonable option for many uses, but it requires that the user actually has an empty password, which is not desirable if we also want a user to be accessible externally without the risk of a misconfigured ssh server on port 22. This additional option allows a user to be accessible without a password in environments where authorization is granted by other means, even if they otherwise have a password. *Is this a patch that you would be willing to entertain?* Thanks, ~Henry _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
