I accidentally attempted to SSH into one of my servers from a device that did not contain my ssh key. I configure all of my servers to only allow authentication via cryptographic keys. Root ssh as well as password auth are disabled.
To my surprise, I was able to log in to my server with a password despite this. Baffled, I first tried some other servers. 2 of the 5 other servers I tried were accessabke via password.
After some swift investigation the culprit was found, a cloud-init ssh config in sshd_config.d/ with one line: password_authentication Yes.
So TLDR PSA....if you run a server in any type of virtualized environment, including a VPS, check your /etc/ssh/sshd_config.d/ folder. And more broadly, actually thoroughly test your ssh access to confirm everything is working as you intend it to.
Yeah pimeyes absolutely needs to be shut down and laws need to be in place to protect private citizens from having their information sharable and searchable without their explicit consent. "Publicly available information" is always the line people use to defend these services. I'm arguing that our modern capabilities needs to be adjusted for. Things shouldn't be so publicly accessable in the first place and personal data aggregation should be a much more vetted and potentially licensed business. Can we talk about what other purpose these facial recognition databases serve other than to stalk, expose, or extort people? If they required proof of identity and only allowed searches of your own face then I could understand the value.