@minty
>permission
Not my choice, corporate's. The IT company we "outsource" our security to has some sort of insurance agreement. If their solutions are bad and cause harm, they'll insure the losses. Their mentality is that it's a "full time job" to run security yet the firm is literally running like every tech company in the area's security and constantly breaking stuff in my servers.
>he knew how to edit ssh config
Maybe, I don't know much about Windows servers (which the firm claims to be experts at) so maybe he knew from that? Or Windows Server has some other way to secure stuff like ssh connections without keys? I know there's some 2FA you can set up with your phone. But I honestly think he just googled it since he knew I was able to disable it when I had him get his key sorted out.
And I was the one who put his public key into authorized_keys for him. And proceeded to give him the exact command and instructions (rename it to id_rsa and all that) to ssh in using the key. Maybe he wanted to access it from a machine and didn't want to move his key over? Maybe he messed something up and thought the ssh key login was busted, so he added password auth back during his last walkthrough? I really don't know. I have to call him tomorrow anyway for the loss report.