A recent discussion in ubuntu-devel-discuss turned to the question of whether password authentication should be enabled in the default configuration. The case against doing so is that brute-forcing SSH passwords is becoming a common way of attacking a system. This is backed up with actual evidence, available at: http://monitor.sclab.clarkson.edu/thesis.doc
Would you consider disabling password authentication in the default configuration, and if not, to what degree can we rely on OpenSSH not to disable passwords in the foreseeable future, when developing solutions based on SSH?
The thread in question is visible online at https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2008-May/004078.html - discussions about passwords crop up in several of the later posts.