
Re: OpenSSH daemon security bug?

From:  Mark Janssen <>
To:  Davi Diaz <>
Subject:  Re: OpenSSH daemon security bug?
Date:  Tue, 5 Jan 2010 16:21:34 +0100

On Tue, Jan 5, 2010 at 4:01 PM, Davi Diaz <> wrote:
> A co-worker argues we can login using only password to a "ssh-key restricted
> host (PasswordAuthentication no)", without being asked by any passphrase; just
> by putting a key (no need to be the private key) on another password-based
> host.
> Is that true? I do not think so.  I would name that as an "important OpenSSH
> daemon security bug". That is because I think it is not true.

You can only login using keys if the public key is included in the
'authorized_keys' file on the server. The ssh client will read the
private key (passphrased or not, asking for a passphrase if needed, or
reading it from an agent).

The server has no way of knowing if the key had a passphrase (was
encrypted), as it never sees the private key. The private key is only
used for authentication/encryption on the client-side.

> co-worker wrote:
>> You cannot distinguish passphrased keys from passphraseless ones.
True (server never sees the key, only the result of computations on
the decrypted key)

> I think the OpenSSH daemon will take care to ask for a key passphrase before
> using a key to open an encrypted channel.
False, the client handles keys

> A ssh key which requires a ssh passphrase to be usable can not be used to open
> a ssh connection if such ssh passphrase is not provided, as it is part of the
> encryption algorithm.

> I know we can create ssh keys without passphrases (useful for unattended
> backups, scripts and so on).  However our users will be told not to do that,
> of course, as they are told not to create weak passwords.
> co-worker wrote:
>> I am all for encouraging key-based logins, but I think disabling
>> password logins completely actually reduces security.

I must agree here, while keys are better than passwords, it's
impossible to enforce passphrase quality on keys, while it is possible
to enforce some quality on passwords.

Mark Janssen  --  maniac(at)  --  pgp: 0x357D2178
Unix / Linux Open-Source and Internet Consultant @
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet
openssh-unix-dev mailing list
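The point Mark makes above (the server keeps only the public key, and whether the private key is passphrase-protected is visible only in the private key file on the client) can be checked against the file formats themselves. The following is an added example, not code from the thread or from OpenSSH: it parses the clear-text envelope of an "openssh-key-v1" private key file (cipher name, KDF name, embedded public key blob) and an authorized_keys line, and shows that the encrypted and unencrypted variants of the same key put an identical record on the server. The key material used is a constructed placeholder, not a real Ed25519 key; only the container layout matters here.

```python
import base64
import struct

# Constants of the OpenSSH private key container ("openssh-key-v1" format).
MAGIC = b"openssh-key-v1\x00"
HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
TAIL = "-----END OPENSSH PRIVATE KEY-----"


def _string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + body)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Decode one SSH wire 'string' at offset off; return (body, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def inspect_private_key(pem_text: str) -> dict:
    """Read the clear-text envelope of an OpenSSH private key file.

    Cipher/KDF names and the public key blob sit unencrypted in front of the
    (possibly encrypted) private section, so the client knows whether it must
    ask for a passphrase before decrypting anything.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != HEAD or lines[-1] != TAIL:
        raise ValueError("not an OpenSSH private key file")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    pub_blob, off = _read_string(blob, off)
    return {
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "encrypted": cipher != b"none",
        "nkeys": nkeys,
        "public_blob": pub_blob,
    }


def parse_authorized_keys_line(line: str) -> dict:
    """Parse 'keytype base64blob [comment]': all the server ever stores."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line")
    return {
        "keytype": parts[0],
        "public_blob": base64.b64decode(parts[1]),
        "comment": parts[2].strip() if len(parts) == 3 else "",
    }


def make_envelope(cipher: bytes, kdf: bytes, kdfopts: bytes,
                  pub_blob: bytes, priv_section: bytes) -> str:
    """Build a private key file with the given envelope (constructed sample)."""
    body = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(pub_blob) + _string(priv_section))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{HEAD}\n{wrapped}\n{TAIL}\n"


def matches_authorized_entry(private_key_text: str, authorized_line: str) -> bool:
    """True if the private key file carries the public key the server holds.

    This needs no decryption and no passphrase: the comparison uses only the
    clear-text public blob, which is identical whether or not the private
    section is encrypted.
    """
    priv = inspect_private_key(private_key_text)
    srv = parse_authorized_keys_line(authorized_line)
    return priv["public_blob"] == srv["public_blob"]


# Constructed sample: 32 placeholder bytes stand in for an Ed25519 public key.
# It is NOT a real key; only the container layout is being demonstrated.
SAMPLE_PUB_BLOB = _string(b"ssh-ed25519") + _string(bytes(range(32)))
SAMPLE_AUTHORIZED_LINE = ("ssh-ed25519 "
                          + base64.b64encode(SAMPLE_PUB_BLOB).decode()
                          + " alice@laptop")

# The same public key, once without and once with a passphrase. The private
# sections are dummy filler (constructed), as are the bcrypt salt and rounds.
SAMPLE_PLAIN_KEY = make_envelope(b"none", b"none", b"",
                                 SAMPLE_PUB_BLOB, b"\x00" * 64)
SAMPLE_ENCRYPTED_KEY = make_envelope(
    b"aes256-ctr", b"bcrypt",
    _string(b"\x11" * 16) + struct.pack(">I", 16),  # kdfoptions: salt + rounds
    SAMPLE_PUB_BLOB, b"\x5a" * 64)

if __name__ == "__main__":
    for label, key in (("plain", SAMPLE_PLAIN_KEY), ("encrypted", SAMPLE_ENCRYPTED_KEY)):
        info = inspect_private_key(key)
        print(label, info["cipher"], info["kdf"], "encrypted=%s" % info["encrypted"],
              "matches server entry:", matches_authorized_entry(key, SAMPLE_AUTHORIZED_LINE))
```

Run against a real key pair, `inspect_private_key` reports `cipher=none, kdf=none` for a passphraseless key and a real cipher and KDF (for example `aes256-ctr`/`bcrypt`) for a protected one, while `parse_authorized_keys_line` on the matching `.pub` line yields the same public blob in both cases. That is why passphrase policy cannot be enforced in sshd_config, and why `PasswordAuthentication no` with `PubkeyAuthentication yes` depends on the client side keeping private keys protected.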


Copyright © 2010, Eklektix, Inc.