# OpenSSH and clear text passwords



Usually people use SSH as a replacement for rsh, which is of course a good
thing. With plain password authentication, though, SSH still transports
your password to the remote server; the encryption only hides it on the
wire.

But SSH can do more: you can use a public/private key pair and set it up in
such a way (google around for howto's on `ssh-keygen` and
`authorized_keys`) that the server only ever holds your public key and the
client proves it has the private key by signing a challenge bound to the
session. This way *no* passwords are transported, so even if someone
breaks the encryption of a session there is nothing to replay. Well... at
least your private key is still safe, as long as it never leaves your
machine.

# naive solution
In `/etc/ssh/sshd_config` there are 2 keywords involved in turning password
authentication off: `PasswordAuthentication` and `UsePAM`.

The *incorrect* way to configure this is to use the following config
snippet:

    PasswordAuthentication no
    UsePAM no

This will give you the desired result, but also has a side effect: it
disables PAM entirely. PAM is used for more than password checking: its
`account` and `session` stacks also set up your login (access restrictions,
resource limits, environment, and so on). So disabling it is *not*
a wise thing to do.

# right solution
The following snippet is the correct config for `sshd_config`:

    PasswordAuthentication no
    UsePAM yes

Now, we only need to configure PAM (this is under Debian/Linux; on current
Debian releases the service file is `/etc/pam.d/sshd` rather than
`/etc/pam.d/ssh`, the contents are the same).
In `/etc/pam.d/ssh` it says

    # Standard Un*x authentication.
    @include common-auth

This piece of code is what asks for your password. Authentication is now
done by the public key inside ssh itself, so the line can simply be
removed. Note that `PasswordAuthentication no` alone does not close the
door: with `UsePAM yes`, sshd can still hand a password to this `auth`
stack through the keyboard-interactive method unless
`ChallengeResponseAuthentication` (called `KbdInteractiveAuthentication` in
current releases) is also `no`, and `sshd -T` will show you the effective
values. Removing the include works, but a better way is the following.

# a new pam.d/ssh
Create a `common-deny`, with the following content:

    #
    # /etc/pam.d/common-deny - always deny
    #
    auth    required        pam_deny.so

And in `/etc/pam.d/ssh` change

    # Standard Un*x authentication.
    @include common-auth

to

    # Standard Un*x authentication.
    # always deny
    @include common-deny
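To check that a machine really ends up in this state, here is a small audit
script. It is an added example, not part of the original post or of
OpenSSH: the function names are made up, and the `sshd_config` and PAM files
it inspects are constructed samples written to a temporary directory (on a
real host you would point it at `/etc/ssh/sshd_config` and `/etc/pam.d`).
It applies two rules from the text: sshd takes the *first* value it sees for
a keyword, and the PAM `auth` stack must contain `pam_deny.so` and no
password-checking module once the includes are followed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config and a
# Debian-style PAM service file for "passwords off, PAM kept, PAM auth denied".
# Function names and the sample files built below are constructed for this
# example.

# Print the effective value of an sshd_config keyword, lower-cased.
# sshd uses the FIRST value it sees for a keyword, so later duplicates are
# ignored. Stops at the first Match block: Match blocks can override
# PasswordAuthentication per user/host and must be reviewed by hand.
sshd_value() {
    awk -v key="$2" '
        { sub(/=/, " "); $0 = $0 }                  # accept "Keyword=value" too
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# 0 if passwords are disabled in sshd while PAM stays enabled, 1 otherwise.
check_sshd_config() {
    pw=$(sshd_value "$1" PasswordAuthentication)
    pam=$(sshd_value "$1" UsePAM)
    # Compiled-in defaults when a keyword is absent: PasswordAuthentication
    # yes, UsePAM no (Debian's shipped file sets UsePAM yes explicitly).
    if [ "${pw:-yes}" = "no" ] && [ "${pam:-no}" = "yes" ]; then
        return 0
    fi
    return 1
}

# 0 if the PAM "auth" stack of service file $1, with @include lines resolved
# against directory $2 (/etc/pam.d on a real host), contains pam_deny.so and
# never consults a password-checking module; 1 otherwise. Follows nested
# @include lines, which is how Debian's common-* files are wired.
pam_auth_denied() {
    awk -v file="$1" -v dir="$2" '
        function scan(path,    line, f) {
            while ((getline line < path) > 0) {
                sub(/^[[:space:]]+/, "", line)
                if (line ~ /^#/ || line == "") continue
                split(line, f, /[[:space:]]+/)
                if (f[1] == "@include")                         scan(dir "/" f[2])
                else if (f[1] != "auth")                        continue
                else if (line ~ /pam_deny\.so/)                 deny = 1
                else if (line ~ /pam_(unix|sss|ldap|krb5)\.so/) pw_module = 1
            }
            close(path)
        }
        BEGIN { scan(file); exit !(deny && !pw_module) }
    '
}

# --- constructed sample files -------------------------------------------
WORK=$(mktemp -d)
mkdir -p "$WORK/naive" "$WORK/right" "$WORK/pam.d"

# The naive snippet from the post: passwords off, but PAM off as well.
printf '%s\n' 'PasswordAuthentication no' 'UsePAM no' > "$WORK/naive/sshd_config"
# The right snippet; the trailing duplicate shows that the first value wins.
printf '%s\n' 'UsePAM yes' 'PasswordAuthentication no' \
    'PasswordAuthentication yes' > "$WORK/right/sshd_config"

# Abridged stock Debian common-auth: still checks passwords with pam_unix.
cat > "$WORK/pam.d/common-auth" <<'EOF'
auth	[success=1 default=ignore]	pam_unix.so nullok
auth	requisite			pam_deny.so
auth	required			pam_permit.so
EOF
cat > "$WORK/pam.d/common-deny" <<'EOF'
# /etc/pam.d/common-deny - always deny
auth    required        pam_deny.so
EOF
printf '%s\n' '@include common-auth' > "$WORK/pam.d/ssh.before"
printf '%s\n' '@include common-deny' > "$WORK/pam.d/ssh.after"

for cfg in naive right; do
    if check_sshd_config "$WORK/$cfg/sshd_config"; then
        echo "$cfg sshd_config: passwords off, PAM kept"
    else
        echo "$cfg sshd_config: passwords still on, or PAM disabled"
    fi
done
for svc in ssh.before ssh.after; do
    if pam_auth_denied "$WORK/pam.d/$svc" "$WORK/pam.d"; then
        echo "$svc: PAM auth always fails, keyboard-interactive closed too"
    else
        echo "$svc: PAM can still accept a password"
    fi
done
```

The two checks are deliberately separate: the first tells you whether sshd
is configured as the post recommends, the second whether PAM would still
accept a password if sshd offered one (via keyboard-interactive). Only when
both pass is password login really gone.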

# conclusion
Now `sshd` authenticates with public keys only, it still uses PAM for the
`account` and `session` stacks, and PAM's `auth` stack is configured in
such a way that password authentication for `sshd` *always* fails, whether
sshd asks for the password itself or via keyboard-interactive. Before you
restart `sshd`, make sure your own key already works from a second
session and run `sshd -t` on the new config, otherwise you lock yourself
out.

