On Thu, 27 Jul 2000, Gary Strahan wrote:
> Daniel Woods wrote:
> > Subject: Re: OpenSSH(2) passphrase AND password?
> >
> > I have wondered the same thing. What is the point of having/using a
> > passphrase if it can be ignored and the password simply used instead?
> > I'm new to SSH2 using latest OpenSSH and found that if I type the
> > wrong passphrase, I get the password prompt. So what is stopping
> > someone else who may have compromised (stolen) my password from
> > one of my non-secure accounts (where I use telnet) from simply bypassing
> > the passphrase and using the password to get in?
>
> Well, if you are truly concerned about security, then you should use
> different passwords for different machines/networks.
I can think of one time I'd want something like this, though what I'd want
is for the server to require publickey and password authentication. The
reason for this is that by requiring publickey authentication, I'm making
sure that only a user that has set up ssh authentication is going to get
in, so you can't use ssh to log into an account that has a weak/no
password without getting the public key first. Requiring the password
would be to make it a little more difficult to get into the server machine
if you've already cracked the client machine and/or private key (on the
off chance that I can detect the cracked client before the password is
snooped).
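As an added example (not from anyone in this thread), a small POSIX shell audit of an sshd_config that shows the setting which produces the password fallback Daniel describes beside the one that requires the public key AND the password; it assumes OpenSSH 6.2 or later, which introduced the AuthenticationMethods keyword long after this 2000 thread, and the sample configs are constructed.

```shell
#!/bin/sh
# Audit an sshd_config for whether a login must pass BOTH public-key and
# password authentication (OpenSSH 6.2+ "AuthenticationMethods"), or whether
# either one alone is accepted, which is the fallback the thread describes.
# Assumes plain "Keyword value" lines; Match blocks are not handled.
requires_pubkey_and_password() {
    cfg="$1"
    # sshd uses the first value it finds for a keyword, so take the first match.
    methods=$(awk 'tolower($1)=="authenticationmethods" {for (i=2;i<=NF;i++) printf "%s ", $i; exit}' "$cfg")
    pass=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$cfg")
    pubkey=$(awk 'tolower($1)=="pubkeyauthentication" {print tolower($2); exit}' "$cfg")
    # Both mechanisms must stay enabled (default yes) or the chain can never succeed.
    [ "${pass:-yes}" = "yes" ] || return 1
    [ "${pubkey:-yes}" = "yes" ] || return 1
    # Without AuthenticationMethods any single enabled method is sufficient.
    [ -n "$methods" ] || return 1
    # The value is a space-separated list of alternatives; each alternative is a
    # comma-separated chain. Every alternative must contain both methods.
    for alt in $methods; do
        case ",$alt," in *,publickey,*) ;; *) return 1 ;; esac
        case ",$alt," in *,password,*) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample configs (not from the thread).
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# Either method alone logs you in: a failed passphrase falls back to password.
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
# Public key must succeed first, then the account password.
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
EOF

for f in "$WEAK" "$HARD"; do
    if requires_pubkey_and_password "$f"; then
        echo "$f: public key AND password required"
    else
        echo "$f: either method alone is accepted"
    fi
done
```

Setting PasswordAuthentication to no instead removes the fallback entirely, which is the other way to close the gap Daniel noticed.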