Well, the question is how to tell if you've been hacked. Waiting until you've obviously been hacked, and your website goes up in smoke, and then removing the .ssh directory in case that's where the hacker was hiding ... that would be leaving it too late, surely.
I began this thread mainly out of startlement at not being asked for my existing password when I created a passwordless login. In well-designed systems, like Gmail, it asks you for your password when you try to change the security settings, even though you're already logged in. Presumably this is so that an intruder with non-standard access to the system can't easily change the security settings.
Shouldn't there be something like a .htaccess file in the .ssh directory, so that the directory is password-protected?
That's an interesting suggestion ... but how seriously do you mean it?
There's been much discussion of how the balance of responsibility for security divides between Dreamhost and its customers. Dreamhost is, perfectly reasonably, asking customers to bear their appropriate share of responsibility. The question is, what is appropriate.
What we have here is a gaping security hole in Linux, the operating system chosen by Dreamhost.
If anyone who clicks on a "one-click plug-in" is vulnerable to having hackers silently install password-less logins in their account, and if the only real way to detect this is for customers to create and continuously maintain git archives of their accounts ... well, what do you think?