Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

An SSH password is sent to the server; the server will get the exact password. An SSH private key is not sent to the server.


Exactly, so even if the server is compromised you're not giving it the means to authenticate as you. I think this is a huge plus.


Maybe, but conceptually it doesn't have to be like that. Often, the password is not sent directly, but its hash is sent (sometimes hashed multiple times), so that the same property is true.


If you send a hash, the hash itself effectively becomes the password. If the server is compromised or the hash is intercepted, the attacker has everything they need to authenticate as you.

With private/public key pairs, the same scenario would result in the attacker only obtaining your public key, which is useless without the private key.


You are correct and I was sloppy in explaining it properly.

In general however, I believe that there is no inherent advantage of certificates over passwords, except for the key-size obviously. Everything else is just convention/standards.

Please see the following page that explains better what I meant when I said that the password should be hashed: https://en.wikipedia.org/wiki/Hash_chain

Using such a mechanism (including salts / challenges) will prevent an attacker using the hash as the password.
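The two points above, that a plain sent hash is just another password and that a hash chain (Lamport / S/KEY-style one-time passwords) avoids replay, as an added, runnable example. This is not code from any commenter in the thread; the seed, password and chain length are constructed inputs, the class and function names are my own, and only SHA-256 from the standard library is used.

```python
"""Constructed demo (not from the thread): a sent hash is replayable,
a Lamport hash chain is not, and a dump of the chain server yields
only a value that cannot be used to log in."""
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """One step of the chain: SHA-256 of the previous value."""
    return hashlib.sha256(data).digest()


# --- Scheme 1: client sends H(password), server compares it -------------

class HashAsPasswordServer:
    """Stores H(password) and accepts any client that presents it."""

    def __init__(self, password: bytes) -> None:
        self.stored = H(password)

    def authenticate(self, presented: bytes) -> bool:
        return hmac.compare_digest(self.stored, presented)


def replay_attack_on_hash_scheme(password: bytes) -> bool:
    """An attacker who captured one login (or dumped the server's store)
    replays the hash and is accepted: the hash *is* the password."""
    server = HashAsPasswordServer(password)
    captured = H(password)  # sniffed on the wire or read from the server
    return server.authenticate(captured)


# --- Scheme 2: Lamport hash chain ---------------------------------------

def chain_value(seed: bytes, k: int) -> bytes:
    """H applied k times to the seed (H^k(seed))."""
    v = seed
    for _ in range(k):
        v = H(v)
    return v


class HashChainServer:
    """Holds only H^n(seed). A login must present the preimage of the
    value currently held; on success the server steps one link down."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.current = chain_value(seed, n)  # seed itself is never stored
        self.remaining = n

    def authenticate(self, presented: bytes) -> bool:
        if self.remaining == 0:
            return False  # chain exhausted; client must re-enrol
        if hmac.compare_digest(H(presented), self.current):
            self.current = presented  # accepted value is the new target
            self.remaining -= 1
            return True
        return False


class HashChainClient:
    """Keeps the seed secret and counts down from n-1; the seed is never sent."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.seed = seed
        self.next_index = n - 1

    def next_otp(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-enrol with a fresh seed")
        otp = chain_value(self.seed, self.next_index)
        self.next_index -= 1
        return otp


def hash_chain_scenario(seed: bytes, n: int = 5) -> dict:
    """Run a legitimate login, a replay of it, a second login, and an
    attempt to log in with a dumped server value."""
    server = HashChainServer(seed, n)
    client = HashChainClient(seed, n)

    first = client.next_otp()
    first_ok = server.authenticate(first)
    replay_ok = server.authenticate(first)  # attacker replays the captured OTP
    second_ok = server.authenticate(client.next_otp())
    # A server dump exposes only H^k(seed); presenting it back is rejected
    # because the server wants its preimage, which only the client can compute.
    dump_ok = server.authenticate(server.current)
    return {"first_ok": first_ok, "replay_ok": replay_ok,
            "second_ok": second_ok, "dump_ok": dump_ok}


if __name__ == "__main__":
    print("hash-as-password replay accepted:", replay_attack_on_hash_scheme(b"hunter2"))
    print("hash chain:", hash_chain_scenario(b"constructed-seed", 5))
```

The chain stops replay and limits what a server compromise leaks, but it does not by itself stop an active attacker who intercepts an OTP in transit and uses it before the client's own login completes; that still needs a protected channel, which is where the key-based challenge-response in the earlier comments has the edge.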



