It’s incredibly important to enable security by default, and I’m pleased to see this change. It strikes me that most of the opposition to this issue is around the inconvenience of enabling SSH explicitly. There’s certainly work that could be done to improve the user experience of that, but that doesn’t mean it’s acceptable to ship something that’s knowingly insecure.
The risk of exposing SSH with a default password is quite significant. The obvious example is where an instance is exposed to the internet, but even on a private network, if an attacker gains access to the network, it becomes an easily hackable target. It’s not reasonable to place the responsibility for security on other parties and say “if the network’s compromised then that’s your fault”, or “if a user doesn’t disable SSH or change the password even though they’ve been told, it’s on them”.
There are plenty of horror stories about IoT devices being recruited into botnets and used as staging platforms for further attacks. Most of the time, the owner of the device isn’t even aware that the device has been compromised.
We have to assume that a portion of users are not experts, and don’t necessarily understand how to use SSH. An even larger portion of users don’t understand the importance of securing that connection. Therefore it’s not safe to assume all users will disable SSH (or set a secure password/keypair). The concept of security by default is really important here, and it’s good to see the move towards that.
AFAIK there’s no suggestion that SSH will be disabled for existing instances, so there’s no breaking change for users upgrading existing installations (which I agree could be problematic).
Other potential attack vectors have been raised, and they should be addressed separately, but the lack of security in another area doesn’t invalidate the concept of security overall.
I’m not convinced this is an issue that should be up for negotiation. It’s fundamentally wrong to advocate shipping something that’s easily compromised, and a commercial company would be hauled over the coals if they shipped SSH enabled with a default password. It really is part of the fundamentals of security.