Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 08-18-2006, 08:59 PM   #1
Registered: Jan 2004
Location: the abyss
Posts: 205

Rep: Reputation: 30
Passwords sent in clear text?

I was under the understanding that in ssh passwords were never sent in clear text (as in ssl). This is from sshd_config:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

Does this mean you cant have password authentication if you don't want them sent in clear text?!
Old 08-18-2006, 10:10 PM   #2
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
No. It means you can disable password authentication and use only key-based authentication instead. This way someone trying to connect will not even get a password prompt to try to brute-force unless they have a known key.

Edit: sorry I missed this line:
# To disable tunneled clear text passwords, change to no here!
I have no idea why that is in your sshd_config. ssh does _not_ send passwords in plain text. That is the whole point of ssh, to replace old-school programs like rsh that do...

Last edited by bulliver; 08-18-2006 at 10:12 PM.
Old 08-18-2006, 10:13 PM   #3
Registered: May 2004
Posts: 552

Rep: Reputation: 31
There's two ways to authenticate, public/private keys or passwords.
By default they are both enabled, you have the option to turn off passwords and that is what PasswordAuthentication does.
If you are authenticating with a password, its still encrypted in the tunnel, I agree the description that says "clear text" is a little misleading. In other words a packet sniffer will not see the password in clear text.
Old 08-19-2006, 02:58 AM   #4
Registered: Jan 2004
Location: the abyss
Posts: 205

Original Poster
Rep: Reputation: 30
Wow, thats much more than misleading.... If you are right, then the "clear text" statement is absolutely incorrect.
Old 08-19-2006, 10:35 AM   #5
LQ Newbie
Registered: Jul 2006
Posts: 1

Rep: Reputation: 0
They did include the word "tunneled" in describing the clear text exchange.

The idea is that your credentials are visible to the sshd as clear text (it's reading them after they come out of the tunnel). There have been multiple instances where miscreants compromise a multi-user system and replace the sshd binary with one that logs those tunneled credentials. Using PKI with SSH makes that no longer possible.

I don't think the warning is misleading, perhaps just too much information for folks not familiar with the workings of ssh.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
How to clear a std::string buff.clear()? lucky6969b Programming 3 03-17-2006 07:50 AM
phpldapadmin & clear text cookies [GOD]Anck Linux - Security 4 01-31-2005 07:41 AM
Completely uninstalling MySQL and its passwords I locked myself out! Baix Linux - Newbie 2 01-30-2005 04:10 PM
If you use secure IMAP, does your password go clear text? cryptosporidium Linux - Security 1 03-25-2004 02:11 AM
clear recent list, edit reopened text file obby Linux - General 0 09-17-2003 08:30 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:09 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration