[tptacek]

No, it's not analogous to TLS. TLS has trust anchors: the key exchange in a TLS handshake is secure, even on first contact with a server. The key exchange in a first-contact SSH handshake is trivially MITM'd. An attacker with control of your network (or, obviously, your machine) can simply steal your password.

[getcrunk]

I'm sorry I should have said it uses diffie hellman key exchange. And you are correct it can be mitm. I see that as its primary intrinsic weakness. (Password entropy, storage, are separate problems)

I would contrast this with the weakness of keys being that if the devs keys are compromised so are all the other servers he has access too. (I can memorize my passwords, or write them on a note card. Say what you will about that, it's out of band.)

In light of that the question as to what's best is your threat model. Poor opsec per dev or an upstream network sniffer.

Thanks for all your input all over this thread. I'm revisiting my convictions.

Would you disagree with I've said?

[tialaramex]

But you've now swapped out part of the authentication. If you want to claim that, for some threat models, "One password per server" is better than "One key" then, sure, so use "One key per server" and now keys are better again.

Also - I suspect this Caddy server doesn't support it, but OpenSSH does - you can use FIDO and then the keys physically are objects in the real world, from say Yubico or a dozen other vendors so now "losing the keys" is like losing your office keys, except that when they give you a new one they can trivially make the old one stop working.

[getcrunk]

A users keys are unlikely to be compromised singly. You would get them all. Whatever malware exfils the keys would take all that it finds.