On Fri, 2005-07-08 at 23:29 +0200, Alexander Dalloz wrote: [snip] > The > passphrase protects the pubkey, so that if someone gets the public key > into his hands he can not simply use it without knowing the nifty > sentence. > [snip] AFAIK the passphrase protects the private key. The client doesn't authenticate using the public key. The server sends a nonce or some other value encrypted with the client's public key which the client then decrypts with the corresponding private key and sends the server back a hash of this nonce/challenge. It's possession of the private key that enables authentication to succeed. Possession of a user's public key will not enable anyone to authenticate as that user. Todd
