[vox-tech] sshd_config and PasswordAuthentication

Henry House hajhouse at houseag.com
Thu Jul 7 07:43:52 PDT 2005


On 2005-07-07, Jay Strauss wrote:
> Hi,
> 
> I have a sveasoft box, and in order to ssh from the sveasoft to a target 
> box, the target box must have PasswordAuthentication yes in the 
> /etc/ssh/sshd_config file.
> 
> I don't understand what that config option actually does.  The config 
> file has:
> 
> # To disable tunneled clear text passwords, change to no here!
> 
> Does this mean you can send clear text passwords to login?
> Does this mean that when you build a tunnel, passwords are sent clear 
> text to the forwarded app?

No, SSH never passes passwords across the net in cleartext. They are sent to
the remote host when using this option, which means that unless you have a
different password for each host, a malicious remote administrator could
capture your password and then use it to compromise your other accounts.

With PasswordAuthentication set to no, SSH-key authentication must be used
instead of a password. This method uses public/private key pairs created by
ssh-keygen(1) to authenticate. This is generally considered more secure than
tunneled-password authentication for reasons that someone else can explain
better than I can.

I use SSH-key authentication and have disabled tunneled-password
authentication for all my Internet-accessible hosts.

-- 
Henry House
+1 530 753 3361 ext. 13
Please don't send me HTML mail! My mail system usually rejects it.
The unintelligible text that may follow is a digital signature.
See <http://hajhouse.org/pgp> to find out how to use it.
My OpenPGP key: <http://hajhouse.org/hajhouse.asc>.
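
An added example, not part of the original message: a small Python audit that reports whether an sshd_config still lets a password be used to log in. It also checks keyboard-interactive authentication (ChallengeResponseAuthentication, later named KbdInteractiveAuthentication), because with PAM that path can still prompt for a password when PasswordAuthentication is no. Assumptions: upstream OpenSSH defaults, the first value of a keyword wins, Include files are not followed, and the function names and sample file are constructed for illustration.

```python
import re

# Upstream OpenSSH defaults (assumed; a distribution build may differ).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes"}
# Older spelling of the keyboard-interactive keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse(config_text):
    """Return (global settings, [(match criteria, keyword, value)])."""
    settings, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            match = value  # later lines apply only when this Match applies
        elif key in DEFAULTS and match is None:
            settings.setdefault(key, value)  # first value wins
        elif key in DEFAULTS:
            overrides.append((match, key, value))
    return {**DEFAULTS, **settings}, overrides

def audit(config_text):
    """List the ways a password can still be used to log in."""
    settings, overrides = parse(config_text)
    findings = []
    if settings["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is yes")
    if settings["kbdinteractiveauthentication"] == "yes":
        findings.append("keyboard-interactive is yes (PAM may prompt for a password)")
    for match, key, value in overrides:
        if value == "yes":
            findings.append(f"Match {match} re-enables {key}")
    return findings

# Constructed sample file, not taken from any real host.
SAMPLE = """\
#PasswordAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, which is the authoritative check.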
