Bug 144046 - Change sshd default setting to publickey only
Summary: Change sshd default setting to publickey only
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-08-15 14:43 UTC by Justus Ranvier
Modified: 2006-08-20 00:45 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Justus Ranvier 2006-08-15 14:43:01 UTC
The default configuration of sshd as it is shipped allows challenge-response authentication. This is unsafe for any computer with a direct connection to the internet. A safer default is to set "ChallengeResponseAuthentication" to "no", since the odds of an attacker brute-forcing a public key are much lower than the odds of brute-forcing a password.

I get several of these attacks per day from various locations:

Aug 15 08:42:58 [sshd] Invalid user mariusz from 67.19.131.244
                - Last output repeated 12 times -
Aug 15 08:43:04 [sshd] Invalid user barbara from 67.19.131.244
                - Last output repeated 12 times -
Aug 15 08:43:10 [sshd] Invalid user szpunar from 67.19.131.244
                - Last output repeated 12 times -
Aug 15 08:43:15 [sshd] Invalid user andrzej from 67.19.131.244
                - Last output repeated 12 times -
Aug 15 08:43:21 [sshd] Invalid user szef from 67.19.131.244
                - Last output repeated 12 times -
and so on
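The following is an added example and not part of the bug report or of Gentoo's sshd package. It does two things a defender would want from this discussion: it parses metalog-style sshd lines like those quoted above (the "- Last output repeated N times -" lines are assumed to mean N further copies of the preceding line) and aggregates "Invalid user" attempts per source address with a fail2ban-like threshold, and it checks an sshd_config text for whether password-based logins are still possible. Note that sshd keeps the first value it reads for a keyword, that setting only ChallengeResponseAuthentication to no still leaves PasswordAuthentication (default yes) in effect, and that Match blocks are not handled here. The sample log and the two config texts are constructed; 192.0.2.10 is a made-up documentation address.

```python
import re
from collections import Counter

# Constructed sample in the same metalog style as the lines quoted in the
# report: one address taken from the report, one made-up (192.0.2.10).
SAMPLE_LOG = """\
Aug 15 08:42:58 [sshd] Invalid user mariusz from 67.19.131.244
                - Last output repeated 12 times -
Aug 15 08:43:04 [sshd] Invalid user barbara from 67.19.131.244
                - Last output repeated 12 times -
Aug 15 08:43:10 [sshd] Invalid user szpunar from 67.19.131.244
Aug 15 08:43:15 [sshd] Invalid user andrzej from 192.0.2.10
"""

INVALID_USER = re.compile(r"\[sshd\] Invalid user (\S+) from (\S+)$")
REPEATED = re.compile(r"- Last output repeated (\d+) times -$")


def count_invalid_logins(log_text):
    """Return {source_ip: attempts} from metalog-style sshd output.

    Assumption: a '- Last output repeated N times -' line stands for N
    additional copies of the line immediately before it.
    """
    counts = Counter()
    last_ip = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = INVALID_USER.search(line)
        if m:
            last_ip = m.group(2)
            counts[last_ip] += 1
            continue
        m = REPEATED.search(line)
        if m and last_ip is not None:
            counts[last_ip] += int(m.group(1))
    return dict(counts)


def sources_over_threshold(counts, maxretry=5):
    """Addresses whose attempts reach maxretry: what a fail2ban jail would act on."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def effective_sshd_option(config_text, name, default):
    """sshd uses the first value it reads for a keyword; later ones are ignored.

    Match blocks are not handled; comments and blank lines are skipped.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().lower()
    return default


def password_logins_possible(config_text):
    """True unless both password and challenge-response auth are switched off."""
    pw = effective_sshd_option(config_text, "PasswordAuthentication", "yes")
    cr = effective_sshd_option(config_text, "ChallengeResponseAuthentication", "yes")
    return pw == "yes" or cr == "yes"


# Constructed config texts: one that leaves sshd's defaults in place, and one
# that permits only public-key logins.
DEFAULT_LIKE_CONFIG = """\
# nothing overridden: PasswordAuthentication and
# ChallengeResponseAuthentication both default to yes
Port 22
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    counts = count_invalid_logins(SAMPLE_LOG)
    print("attempts per source:", counts)
    print("over threshold:", sources_over_threshold(counts))
    print("default config allows passwords:", password_logins_possible(DEFAULT_LIKE_CONFIG))
    print("hardened config allows passwords:", password_logins_possible(HARDENED_CONFIG))
```

Run against the constructed sample, the reporting address accumulates 27 attempts (two lines each repeated 12 more times plus one single line) and is the only one over a fail2ban-style maxretry of 5; the hardened config is the one that actually removes the password path, since switching off challenge-response alone leaves PasswordAuthentication at its default.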
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-08-15 14:53:39 UTC
That's what stuff like fail2ban is for. Changing the default would screw tons of people (and you can always do it yourself if it fits your situation).

Re-assigning to maintainer.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-16 02:20:12 UTC
And I think this could be closed as invalid since it has been the default behaviour of all main distros for ages.

If your box is so vulnerable, subscribe to security-basics@securityfocus.com (or so). This is often discussed, and, each time, redundant.
Personally I'm now using fail2ban.
Comment 3 SpanKY gentoo-dev 2006-08-20 00:45:38 UTC
sorry, but not a chance will this change be made