Hi Chris,

> > > What do you mean by "keypair authentication"?
> >
> > That's the authentication you use when you have ssh-keygen provide you
> > with a private key and a public key, and distribute the public key to all
> > the different authorized_keys files.
>
> But he says not to use passphrases, I'm confused.

I'm not sure which "he" you mean here. A possible confusion is that there
are two ways the term passphrase can be used when it comes to OpenSSH:

* Passphrase authentication, where you log into a machine and the sshd on
  the other end challenges you to enter a passphrase, usually matching your
  remote account's password.

* Encrypting your private key with a passphrase, which is what happens when
  you enter a passphrase while using ssh-keygen or ssh-add.

When you enter a passphrase at the ssh-keygen or ssh-add prompt, this isn't
authentication. It's encryption: the private key has been encrypted with a
passphrase, and you enter the passphrase to unlock it, which needs to be
done before the key can be used as part of keypair authentication.

This is different to *passphrase authentication*, in which you have not
distributed your public key to authorized_keys files on the remote nodes,
and instead expect the remote to challenge you.

To revisit some of what I touched on earlier, to make these distinctions
clearer:

* Never use passphrase *authentication*; instead use keypairs, always.

* Do consider passphrase *encryption* of your private key, as one possible
  way of keeping it secure, in case of unauthorized physical access to the
  local storage.

Does that help?

~ Tim

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
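An added example, not part of the thread, that checks both sides of the distinction above: it reads the header of an openssh-key-v1 private key file to see whether it was encrypted with a passphrase (the ssh-keygen/ssh-add case), and it inspects an sshd_config for whether password authentication is still enabled (the challenge-from-the-remote case). The key files used here are constructed headers with the fields the check reads, not usable keys.

```python
import base64
import struct

PEM_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"  # openssh-key-v1 format: magic, then ciphername, kdfname, kdfoptions, nkeys...


def _read_string(buf, off):
    """Read one SSH wire 'string' (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def private_key_encryption(pem_text):
    """Return (ciphername, kdfname) from an OpenSSH private key file.
    ('none', 'none') means the key is stored unencrypted on disk."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not an openssh-key-v1 private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, _ = _read_string(blob, off)
    return cipher.decode(), kdf.decode()


def is_passphrase_protected(pem_text):
    """True when ssh-keygen/ssh-add encrypted the private key with a passphrase."""
    cipher, kdf = private_key_encryption(pem_text)
    return cipher != "none" and kdf != "none"


def password_auth_enabled(sshd_config_text):
    """True unless sshd_config sets PasswordAuthentication no. OpenSSH's
    compiled-in default is yes, and the first value for a keyword wins
    (Match blocks are not modelled here)."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "yes"
    return True


def constructed_key(cipher, kdf):
    """Constructed sample: only the header fields the check inspects, no key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    body = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    return "\n".join([PEM_BEGIN] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [PEM_END])


ENCRYPTED_SAMPLE = constructed_key(b"aes256-ctr", b"bcrypt")  # what ssh-keygen -N writes
PLAINTEXT_SAMPLE = constructed_key(b"none", b"none")          # key saved with an empty passphrase
```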