comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...

Matthew Seaman matthew at
Wed Sep 17 06:26:00 UTC 2014

On 15/09/2014 20:09, John Case wrote:
>> Key based auth is definitely the better choice out of those two.

> However, just out of curiousity - let's pretend that sshd *did* allow
> you to use both an SSH key and a UNIX password at the same time ...
> would that be more or less secure than using an SSH key with a built-in
> passphrase ?

That's just like sprinkling sugar on top of honey: it doesn't really
achieve anything.  You've got maybe 2048 bits of SSH key and you want to
add of the order of a hundred bits of password on top of that?  It would
be better to just use a bigger SSH key.

If you are so concerned about security and you need something more than
what ssh-key based auth can provide, then look into one-time password
style things -- which includes all sorts of hardware tokens -- or
kerberos / gssapi setups -- which use cryptographic methods vaguely
similar to SSH keys, but store the sensitive keying material in a way
that makes it much less likely to be compromised.



Dr Matthew J Seaman MA, D.Phil.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 971 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-questions mailing list