OpenSSH: if the server is set to "PasswordAuthentication no" then is there any risk if the client is set to "PasswordAuthentication yes"?

Question

For all my servers PasswordAuthentication is set to no in the sshd_config file. This means that only key authentication is allowed.

In this situation, is there any risk if PasswordAuthentication is set to yes in the client's ssh_config?

Could you possibly explain what you mean by "risk" and whether your concern is regarding some risk on the server or on the client side of things? — Kusalananda, Mar 30 '19 at 21:51
Hi kusalananda. What I had in mind was a (theoretical or not) risk to the client. — NoExpert, Mar 30 '19 at 21:53

score 4 · Accepted Answer · answered Mar 30 '19 at 21:41

4

There's a risk, if the client connects to the wrong machine, and that machine allows password auth. Then the user may enter their password, thinking it might be a server side change... and now the password can be stolen.

Related: Is your SSH password revealed when you attempt to connect to the wrong server?

answered Mar 30 '19 at 21:41

Stephen Harris

44,540

Thanks. A theoretical but real risk. This is the correct answer. – NoExpert Apr 01 '19 at 19:55

OpenSSH: if the server is set to "PasswordAuthentication no" then is there any risk if the *client* is set to "PasswordAuthentication yes"?

1 Answers1

OpenSSH: if the server is set to "PasswordAuthentication no" then is there any risk if the client is set to "PasswordAuthentication yes"?