@i0null so I have to ask, why are they using password auth instead of key auth? And if they were able to get the hashes isn't the system already compromised? I guess I didn't quite follow.

Is it because they have an external facing management portal?