If you are going to put backdoors (I can't believe I am even saying this) on your product then it might be good to at least disable normal password logins and only do SSH key exchange.
That said why the hell are there UNDOCUMENTED backdoors? I mean it makes sense from a customer support perspective but really?
If you've got SSHd running on an unexpected port, you could put in a banner: "Barracuda field service access".
If you've got accounts on the system, they can have GECOS fields saying the same.
And put it in the manual. "Disabling the fieldservice account will prevent service personnel from logging in. Customers with active support contracts should not do so."
Reminds me of a situation I encountered at a prior gig. We were getting random log-ins to an administrative account from a user we didn't recognize. I sent email around the group asking if anyone knew what was up. Nope.
Started tracing IPs. Turned out it was coming from a gateway used by our corporate parent (very large organization). Further tracing localized it to our office.
Turned out my seatmate (who I'd included on the initial email and who had heard me muttering over this for 2 days) was the guy who had some random bozo named account that he was using for test purposes ... but had neglected to tell anyone about.
Sort of pissed me off.
One reason for documenting these backdoors is so that, if you're OK with their legitimate use, you can properly audit and account for their legitimate use. That said: given shared keys and common access, I'd be inclined to consider the device unsecurable.
I briefly worked for Barracuda support a few years ago. I don't know how they market or publicly document the boxes, but it seemed common knowledge that we had ssh access. None of the customers I talked to blinked an eye. Most of them outright expected it. So I'm not sure it's so much "backdoor" as "feature".
That said why the hell are there UNDOCUMENTED backdoors? I mean it makes sense from a customer support perspective but really?