@sun @forgejo @Gusted you're misunderstanding; with this change to Forgejo, if an attacker targets a developer and is successful in intercepting their password and scooping up their SSH key from their $HOME, they can defeat the TOTP on the account by using the SSH key they just stole.
So the TOTP is now functionally useless when you're the target of an attack, because the average developer is too stupid to password-protect it, and in 2024 you're not forced to password-protect your keys.
OpenSSH should not come with the capability to remove the passphrase from an SSH key. Sure, it's technically possible for anyone to write a tool that can do it, but it should refuse to support it. We can't just hope people will make better decisions, we need to force them in the right direction even if it's painful.
And then they can learn how to use their tools properly, like using ssh-agent, so the key stays unlocked in memory during their session...
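The post's complaint is that nothing stops a developer from keeping an unencrypted private key in $HOME. A quick way to find such keys is to inspect the key files themselves: OpenSSH's native "openssh-key-v1" container records the cipher and KDF in its header (cipher "none" means no passphrase), and legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header when encrypted. The audit script below is an added example, not code from the thread, from Forgejo or from OpenSSH; it parses only the header, needs no ssh-keygen, and the two sample keys it builds are constructed dummies with zeroed key material, not real keys.

```python
"""Audit SSH private keys for missing passphrases (added example).

Parses the on-disk key format directly: openssh-key-v1 blobs expose
cipher/KDF names in their header, legacy PEM keys signal encryption via
a Proc-Type header. Sample keys are constructed for the demo only.
"""
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an SSH wire string at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def openssh_key_header(blob: bytes) -> dict:
    """Parse cipher, KDF and key count from an openssh-key-v1 blob."""
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    cipher, off = read_string(blob, off)
    kdf, off = read_string(blob, off)
    _kdfopts, off = read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "nkeys": nkeys}


def classify_private_key(text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for a key file's text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        return "unknown"
    if lines[0] == OPENSSH_BEGIN and lines[-1] == OPENSSH_END:
        blob = base64.b64decode("".join(lines[1:-1]))
        return "plaintext" if openssh_key_header(blob)["cipher"] == "none" else "encrypted"
    if lines[0].startswith("-----BEGIN ") and "PRIVATE KEY-----" in lines[0]:
        # Legacy PEM (e.g. "BEGIN RSA PRIVATE KEY"): encryption is signalled by a
        # "Proc-Type: 4,ENCRYPTED" header; PKCS#8 uses a distinct BEGIN line.
        if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
            return "encrypted"
        if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines):
            return "encrypted"
        return "plaintext"
    return "unknown"


def audit_ssh_dir(ssh_dir) -> dict:
    """Classify every private key file under ssh_dir; returns {name: verdict}."""
    verdicts = {}
    for path in sorted(Path(ssh_dir).iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        first = text.splitlines()[0] if text else ""
        if "PRIVATE KEY-----" in first:
            verdicts[path.name] = classify_private_key(text)
    return verdicts


def constructed_key(cipher: str, kdf: str, kdfopts: bytes) -> str:
    """Build a syntactically valid openssh-key-v1 file with dummy key material.
    Constructed for the demo only; it is not a usable key."""
    blob = (OPENSSH_MAGIC
            + ssh_string(cipher.encode()) + ssh_string(kdf.encode())
            + ssh_string(kdfopts) + struct.pack(">I", 1)
            + ssh_string(b"\x00" * 51)      # public key placeholder
            + ssh_string(b"\x00" * 136))    # private section placeholder
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{body}\n{OPENSSH_END}\n"


# Constructed samples: an unencrypted key and a bcrypt/aes256-ctr encrypted one.
SAMPLE_PLAINTEXT = constructed_key("none", "none", b"")
SAMPLE_ENCRYPTED = constructed_key(
    "aes256-ctr", "bcrypt", ssh_string(b"\x01" * 16) + struct.pack(">I", 16))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for name, verdict in audit_ssh_dir(sys.argv[1]).items():
            print(f"{verdict:10} {name}")
    else:
        print("plaintext sample:", classify_private_key(SAMPLE_PLAINTEXT))
        print("encrypted sample:", classify_private_key(SAMPLE_ENCRYPTED))
```

Run it as `python3 audit_keys.py ~/.ssh` to list each key with its verdict. Any key reported as plaintext can be given a passphrase in place with `ssh-keygen -p -f ~/.ssh/<key>` and then loaded once per session with `ssh-add`, which is the ssh-agent workflow the post recommends; the same OpenSSH tooling will also strip a passphrase if asked, which is exactly what the post objects to.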