Code review comment for lp:~vorlon/debian-cd/lp.1576353

Case in point - it is expected that password auth is on; and sshd pre-installed; always on s390x - because its normal consoles are basic. Even with the proposed change here, this will stay the case.

The clouds - are all different, most do ssh-only, some do password only, and one ends up with whatever that specific cloud tells people to do usually.

lxd containers / self-downloaded cloud images - usually one has to inject/break into them, usually by means of ssh-import-id or metadata provided keys (and said metadata has toggles to enable password auth).

It almost feels like we want to bring ssh-import-id functionality to d-i, both interactive and pre-seedable. Because making key based auth by default, is awkward without allowing out-of-the-box adding ssh key.

It also feels like we want to pre-install sshd everywhere, and make it key only - and show d-i users a task called "Enable password based ssh login". And actually force a HIGH priority question asking them about enabling password based auth, with auto default No, if they did not preseed an ssh key.

I will double check, but imho subiquity should default to key only by default.

Desktop too, should default to keybased auth only. It is irresponsible to open up the system to `ubuntu:ubuntu` hacks, when one installs `ssh` instead of `openssh-client`.

On upgrades, we should obviously not change anything.

So i think it is time, to change the default in openssh package, and make it keybased auth by default. And then in d-i add ability to setup an ssh key; add an ability to enable password auth.

Because basically most of our products go out of their way to disable password auth way too many times. And indeed password auth should be something /harder/ to use than key based auth. If that is not the case, we have failed our users.