OpenSSH daemon security bug?

Davi Diaz davi at leals.com
Wed Jan 6 02:01:11 EST 2010


A co-worker argues we can login using only password to a "ssh-key restricted
host (PasswordAuthentication no)", without being asked by any passphase; just 
by putting a key (no need to be the private key) on another password-based 
host.

It that true? I do not think so.  I would name that as an "important OpenSSH 
daemon security bug". That is because I think it is not true.


co-worker wrote:
> You cannot distinguish passphrased keys from passphraseless ones.

I think the OpenSSH daemon will take care to ask for a key passphrase before 
using a key to open an encrypted channel.

A ssh key which requires a ssh passphrase to be usable can not be used to open 
a ssh connection if such ssh passphrase is not provided, as it is part of the 
encryption algorithm.

I know we can create ssh keys without passphrases (useful for unattended 
backups, scripts and so on).  However our users will be told not to do that, 
of course, as they are told not to create weak passwords.


co-worker wrote:
> I am all for encouraging key-based logins, but I think disabling
> password logins completely actually reduces security.

Of course I disagree because I think such "OpenSSH daemon security bug" is not 
a true story.  It is a false one.

What do you think?


More information about the openssh-unix-dev mailing list