Subject: Re: sshd gives failure to bind port 22 error - NetBSD-1.5.2
To: netbsd-users@netbsd.org <netbsd-users@netbsd.org>
From: Jim Breton <jamesb-netbsd@alongtheway.com>
List: netbsd-users
Date: 07/15/2002 15:48:54

On Mon, Jul 15, 2002 at 08:04:37AM -0700, Gerald C. Simmons wrote:
> That worked!!  You know, I set Password Authentication to no, because the
> comment line in the file smbd.conf said that this would disable "tunneled clear
> text" passwords. I inferred that it would use encrypted passwords instead, not
> no passwords.
> 
> Do you know what they meant?

If you allow Password authentication then the password actually is sent
in plain text BUT it is through an encrypted/secure SSH tunnel so it's
not visible from outside the tunnel.  The password secrecy is maintained
in this manner.

However it makes traffic analysis easier (in some implementations), and
also you are sending a re-usable authenticator over the wire which means
that if someone were able to breach the security of the tunnel somehow,
he would be able to use that.  With Pubkey auth, nothing (afaik)
re-usable is sent, and an attacker would have to get both your key AND
the passphrase required to unlock that key -- neither of which has ever
appeared on the wire, tunneled or otherwise.
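
An added example (not part of the original message and not OpenSSH code): a small checker that reads an OpenSSH sshd_config and reports which of the two login methods discussed above is in effect, so that turning passwords off does not silently leave users without a working method. It assumes the OpenSSH keywords PasswordAuthentication and PubkeyAuthentication (both defaulting to yes), looks only at the global section of the file, and uses constructed sample configurations.

```python
import re

# Assumed OpenSSH defaults when a keyword is absent from sshd_config.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

# Constructed samples: a stock file with the keyword commented out, and
# an edited file where the keyword appears twice.
SAMPLE_DEFAULT = "# To disable tunneled clear text passwords, change to no\n#PasswordAuthentication yes\n"
SAMPLE_DISABLED = "PasswordAuthentication no\nPasswordAuthentication yes\n"

def effective_auth(config_text):
    """Return the effective global values of the two keywords.

    sshd keeps the first value it reads for each keyword, keywords are
    case-insensitive, and text after '#' is a comment. Parsing stops at
    the first Match block, so per-user overrides are not evaluated.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword in DEFAULTS and len(parts) == 2 and keyword not in seen:
            seen[keyword] = parts[1].strip().lower()
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def assess(config_text):
    """Describe what the effective settings mean for logins."""
    eff = effective_auth(config_text)
    password = eff["passwordauthentication"] == "yes"
    pubkey = eff["pubkeyauthentication"] == "yes"
    findings = []
    if password:
        findings.append("password-in-tunnel: a reusable secret reaches the server")
    if not password and pubkey:
        findings.append("pubkey-only: users need a key in authorized_keys to log in")
    if not password and not pubkey:
        findings.append("no-password-no-pubkey: neither method is enabled")
    return findings

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("disabled", SAMPLE_DISABLED)):
        print(name, effective_auth(text), assess(text))
```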