On Sun, 23 Jul 2000, Markus Friedl wrote:
> On Fri, Jul 21, 2000 at 01:16:39PM -0700, Keith A. Iverson wrote:
> > With OpenSSH 2.1.1 in V2 mode, is there a way to force both
> > passphrase and normal password authentication requirements? I.e.,
> > person logs in and MUST give passphrase and then MUST give normal
> > password before they are allowed the login; one or the other alone
> > would not be sufficient.
>
> 1. an ssh server cannot force the client to use passphrases for
> private keys. never.
>
> 2. no, there is no way in openssh to require both Pubkey and passwd
> authentication, but you can send patches to me.
>
> -markus
I have wondered the same thing. What is the point of having/using a
passphrase if it can be ignored and the password simply used instead?
I'm new to SSH2 using the latest OpenSSH and found that if I type the
wrong passphrase, I get the password prompt. So what is stopping
someone else who may have compromised (stolen) my password from
one of my non-secure accounts (where I use telnet) from simply bypassing
the passphrase and using the password to get in?
Conceptually I would have expected the SSH2 protocol to require passphrase
only or *both* with the password. This means that even if someone gets
your password, they can't get into your secure accounts (where I use ssh).
Without this basic concept in place, the whole SSH protocol is nothing
more than an encrypted telnet session. The other problem with this is
someone getting access to one machine and, because of .rhosts or
.shosts being set up, they can gain access to the others.
At work I use secureID *and* a password, one is useless without the other.
IMHO, this is what SSH2 should be as well... passphrase AND password.
Thanks... Dan.
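An added example, not part of this thread: later OpenSSH releases (6.2 and newer) provide an `AuthenticationMethods` directive in `sshd_config`, where space-separated entries are alternatives and each comma-separated chain must succeed in full, so `publickey,password` is exactly the "key AND password" policy Dan asks for. The checker below (written for this page, with constructed sample configs) parses the global directive and reports whether a stolen password alone still opens the account; it assumes only the directive outside any `Match` block matters.

```python
from typing import List

# Methods that are satisfied by something the user knows (a password).
PASSWORD_LIKE = {"password", "keyboard-interactive"}


def parse_authentication_methods(config_text: str) -> List[List[str]]:
    """Return the global AuthenticationMethods value as a list of chains.
    [] means the directive is absent or 'any': a single method suffices."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                                    # assumption: ignore Match blocks
        if key == "authenticationmethods":
            if value.lower() == "any":
                return []
            # 'keyboard-interactive:pam' -> 'keyboard-interactive'
            return [[m.split(":", 1)[0] for m in chain.split(",")]
                    for chain in value.split()]
    return []


def password_alone_suffices(chains: List[List[str]]) -> bool:
    """True if some accepted chain can be completed without a key,
    i.e. the password-only bypass described in the thread is possible."""
    if not chains:
        return True
    return any("publickey" not in chain for chain in chains)


def requires_key_and_password(chains: List[List[str]]) -> bool:
    """True if every accepted chain needs publickey plus a password-type step."""
    return bool(chains) and all(
        "publickey" in chain and bool(PASSWORD_LIKE & set(chain)) for chain in chains)


# Constructed samples: alternatives (weak) versus a required chain (hardened).
WEAK_CONFIG = """PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey password   # either one alone is accepted
"""
HARDENED_CONFIG = """PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive:pam
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        chains = parse_authentication_methods(cfg)
        print(name, chains, "password alone suffices:", password_alone_suffices(chains))
```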