SSH and clear text passwords
 

Part of sshd_config reads:
So are passwords really sent in clear text by default?
Or does this apply only in certain tunneling situations?

Those two lines are commented out, so they do not apply.

Right, but the default is PasswordAuthentication yes

So the question remains...

IIRC, the password is sent as clear text through the SSH tunnel, which is an encrypted connection using the host keys, which is what SSL does as well, I believe.

http://www.linuxquestions.org/questi...r-text-475260/
http://www.mail-archive.com/debian-s.../msg23024.html

But wouldn't that be against the whole purpose of SSH? It says tunneled cleartext, so it's still protected by SSH's encryption.

Yes, that was my concern specifically.
So user/passwords are sent encrypted then?

Passwords are sent in the clear across the encrypted "tunnel" just like chess says. You type your password and those characters are transferred to the remote machine. An outsider will not be able to intercept your password unless he is able to break the encryption, which is highly unlikely.

The purpose of the configuration parameter "PasswordAuthentication" is that you can set it to "No" to enforce the use of private/public key pairs as the only means of authentication instead of passwords.

Eric

Thanks,

The wording just seems really odd to me. Not trying to be fastidious, but just want to understand better.

Do we have 2 hypothetical situations then?

1. we encrypt something, then send the packet(s) out. We say it's encrypted.
2. we send the packets out as is (in clear text) but across an encrypted tunnel.

So if understand correctly, the wording in the ssgd_config file refers to situation 2.

Yes. The first situation is what happens when you send a GPG-encrypted email. The email is sent out across the interweb in clear text, but it just so happens that clear text is encrypted and wouldn't make sense to anyone with the appropriate GPG keys. The second situation is what SSH does, which is also how you can tunnel and connect to services over SSH that use clear text passwords, like POP3 and SMTP.

If I had to take a WAG, in this context the hypothetical situations are more like:

1. We send some other authentication method -- perhaps a hashed/digest password, perhaps a key challenge, etc. -- across an encrypted tunnel; or
2. We send a password verbatim across an encrypted tunnel.

(#2 still applies to your question.)

Thanks, that clears it up!

I know it's a revive, but I am curios about this case also:
If I use "PasswordAuthentication no" and "ChallengeResponseAuthentication yes", and instead of creating a key I enter my password, how will the password be transferred? Still clear text via encryption tunnel?

PasswordAuthentication is "clear text" in the sense that ChallengeResponseAuthentication is NOT "clear text". Anyone that is looking at what is sent inside the tunnel would see a clear text password in the first choice and not in the second choice. BUT ... getting into the tunnel is HARD to do for other than those who operate at the tunnel ends (strace the ssh process for example). It is all encrypted by SSH's tunnel over the net. The only way they'd know clear text passwords is going on is timing the keystrokes (challenge response will be much faster while password authentication is a few keystrokes depending on password size). I recommend using keys which are passphrase protected.