The RFC 4252 says the following:
Authentication methods are identified by their name, as defined in
[SSH-ARCH]. The “none” method is reserved, and MUST NOT be listed as
supported. However, it MAY be sent by the client. The server MUST
always reject this request, unless the client is to be granted access
without any authentication, in which case, the server MUST accept
this request. The main purpose of sending this request is to get the
list of supported methods from the server.
The RFC is clear. If somebody wants to allow login without authentication, they should be able to. Looking at the code and the docs of thrussh, this looks like it can be done by implementing the thrussh::server::Handler::auth_none trait method and returning true. But this doesn’t work. Currently the thrussh server doesn’t ever call Handler::auth_none.
I understand that this is rare and mostly shouldn’t be used, but it is quite useful when you are writing your first ssh server using thrussh, and you just want to try out this library.
Because this is dangerous, in encrypted.rs, where the auth methods of the handler are called, if the codepath reaches the auth_none call and that function returns true, thrussh probably should issue some kind of warning like “user authenticated using none authentication, this is dangerous on the public internet, be careful”, or something like this.
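
The request flow from the RFC passage quoted in this issue, modelled as an added example that is not thrussh's code or part of the original post: the server filters "none" out of the advertised list, rejects a "none" request unless the handler opts in, and records a warning when it accepts. Handler, Server, Method, Reply, Strict and Open are hypothetical names, and the warnings vector stands in for a real logger.

```rust
// Model of RFC 4252 "none" handling. All names are hypothetical, not thrussh's API.
#[derive(Debug, PartialEq)]
enum Reply {
    Success,
    Failure { can_continue: Vec<&'static str> }, // SSH_MSG_USERAUTH_FAILURE
}
enum Method<'a> { None, Password(&'a str) }
trait Handler {
    // Secure defaults: every method rejects unless the implementor overrides it.
    fn auth_none(&mut self, _user: &str) -> bool { false }
    fn auth_password(&mut self, _user: &str, _password: &str) -> bool { false }
}
struct Server<H: Handler> {
    handler: H,
    configured: Vec<&'static str>, // operator config; may wrongly contain "none"
    warnings: Vec<String>,         // stands in for a real log sink
}
impl<H: Handler> Server<H> {
    fn new(handler: H, configured: Vec<&'static str>) -> Self {
        Server { handler, configured, warnings: Vec::new() }
    }
    // "none" MUST NOT be listed as supported, so it is filtered out here.
    fn advertised(&self) -> Vec<&'static str> {
        self.configured.iter().copied().filter(|m| *m != "none").collect()
    }
    fn userauth_request(&mut self, user: &str, method: Method<'_>) -> Reply {
        let ok = match method {
            Method::None => {
                let ok = self.handler.auth_none(user);
                if ok { // warn on acceptance, as the post suggests
                    self.warnings.push(format!("{:?} authenticated using none authentication", user));
                }
                ok
            }
            Method::Password(pw) => self.handler.auth_password(user, pw),
        };
        if ok { Reply::Success } else { Reply::Failure { can_continue: self.advertised() } }
    }
}

struct Strict; // keeps the rejecting defaults
impl Handler for Strict {}
struct Open; // opts in to unauthenticated login
impl Handler for Open { fn auth_none(&mut self, _user: &str) -> bool { true } }

fn main() {
    let mut s = Server::new(Strict, vec!["none", "publickey", "password"]);
    println!("{:?}", s.userauth_request("alice", Method::None));
}
```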