From: Davi Diaz <davi-AT-leals.com>
To: openssh-unix-dev-AT-mindrot.org
Subject: OpenSSH daemon security bug?
Date: Tue, 5 Jan 2010 15:01:11 +0000
A co-worker argues we can login using only password to a "ssh-key restricted
host (PasswordAuthentication no)", without being asked by any passphrase; just
by putting a key (no need to be the private key) on another password-based

Is that true? I do not think so. I would name that as an "important OpenSSH
daemon security bug". That is because I think it is not true.

> You cannot distinguish passphrased keys from passphraseless ones.

I think the OpenSSH daemon will take care to ask for a key passphrase before
using a key to open an encrypted channel.

An ssh key which requires a ssh passphrase to be usable cannot be used to open
a ssh connection if such ssh passphrase is not provided, as it is part of the

I know we can create ssh keys without passphrases (useful for unattended
backups, scripts and so on). However our users will be told not to do that,
of course, as they are told not to create weak passwords.

> I am all for encouraging key-based logins, but I think disabling
> password logins completely actually reduces security.

Of course I disagree because I think such "OpenSSH daemon security bug" is not
a true story. It is a false one.

What do you think?
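As the quoted reply says, a passphrase is a property of the private key file on the client: it encrypts that file, and sshd only ever sees a signature made with the corresponding public key, so the server cannot tell a passphrased key from a passphraseless one. What a user or an admin auditing a workstation can check is whether a given private key file is encrypted. The following is an added example and not code from this thread or from OpenSSH; `private_key_is_encrypted` is a hypothetical helper, and the sample key containers are constructed with dummy key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_is_encrypted(pem_text: str) -> bool:
    """True if the private key file is passphrase-protected. Handles the
    modern OPENSSH PRIVATE KEY container and the legacy PEM container."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # First field after the magic is the cipher name; "none" = no passphrase.
        ciphername, _ = _read_string(body, len(OPENSSH_MAGIC))
        return ciphername != b"none"
    # Legacy PEM signals encryption with a Proc-Type header line.
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:])

def _make_openssh_container(ciphername: bytes) -> str:
    """Constructed sample: a minimal openssh-key-v1 header followed by
    dummy bytes where the real public key and private section would be."""
    def s(b): return struct.pack(">I", len(b)) + b
    encrypted = ciphername != b"none"
    kdfname = b"bcrypt" if encrypted else b"none"
    kdfopts = b"\x00" * 24 if encrypted else b""        # dummy salt+rounds
    body = (OPENSSH_MAGIC + s(ciphername) + s(kdfname) + s(kdfopts)
            + struct.pack(">I", 1) + s(b"dummy-public-key") + s(b"dummy-private"))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_ENCRYPTED = _make_openssh_container(b"aes256-ctr")
SAMPLE_PLAIN = _make_openssh_container(b"none")
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, txt in [("modern/aes256-ctr", SAMPLE_ENCRYPTED), ("modern/none", SAMPLE_PLAIN),
                      ("legacy/encrypted", SAMPLE_LEGACY_ENCRYPTED)]:
        print(f"{name}: encrypted={private_key_is_encrypted(txt)}")
```

Run it against the files under `~/.ssh` to spot keys created without a passphrase; nothing here runs against a server, since the server side has no way to perform this check.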