ProllyInfamous a year ago

Be careful doing this without enabling your own key/certificate validation. We deployed SSH to a few dozen OS_X machines in a lab (for backend maintenance) without certificates for handshake (i.e. password-based) and the next morning several machines had been compromised.

We were using complex passwords; this was when 10.6 was the latest OS, so perhaps security is better now with simple password-based SSH — but I would never take such a risk again.

  • fsckboy a year ago

    I find it hard to believe that your complex passwords got cracked overnight. Were your machines on the internet and do you have huge bandwidth, not behind a firewall? Inside job perhaps, with access to /etc/shadow with passwords shared across machines or something? Perhaps user accounts got compromised by other users? That's a phenomenal number of login attempts across the internet.

boffinAudio a year ago

... except the ssh bin is also tracked with OCSP ..

  • kjkjadksj a year ago

    Can’t you disable it though or block the connection?

    • talldayo a year ago

      No developer should be rationally expected to do that. SSH doesn't ship with telemetry or tracking, you shouldn't have to modify the default to make the software behave the way it was intended to; this is runtime-level coercion. You either consider it a feature, or you see it as a bug.

      Plus, if you know what OCSP is and care about it, chances are you don't use MacOS anymore. Nobody who conscientiously objects to OCSP tracking should be assenting to the rest of MacOS and its perverse sense of "security".

    • katzinsky a year ago

      But you don't have to on Linux.

      Like there's just so much crap you have to do to make these non-free OSes pleasant or private and it's always blowing up. Linux mostly "just works" OOTB.