Does ssh send the password over the network?

Published on Author Code Father

Yes. The password is sent over the encrypted connection, but it’s in plaintext to the remote server.

The usual way to authenticate is for the server to calculate a hash of the password and to compare it to a value saved on the server. There are several ways of saving hashes, and with current implementations the client doesn’t know which one the server uses (see e.g. the crypt man page). (Even if it did, simply sending a hash of the password would make the hash equivalent to the password anyway.)

Also, if the server uses PAM, the PAM modules might implement authentication with just about any method, some of which may require the password in plaintext.

Authentication using public keys doesn’t send the key to the remote host, however. (There is some explanation and links about this in a question on security.SE.)

There are also password-based authentication algorithms like SRP that don’t require sending the password in plain text to the other end, though SRP appears to be implemented for OpenSSH only as an external patch.
