tunnelled clear text passwords in sshd

I have a question regarding this option:

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

If set to yes, users can log in using the local password.

What exactly does the "clear text" mean in this case?

Is the connection during authentication not encrypted? Is the password issued not hashed?

My main interest is whether someone can see the password when using ngrep or tcpdump in my WLAN, for example.


Solution 1:

Password Authentication in SSH is a cleartext password communication protected by the SSH tunnel, no more, no less.

Why isn't the password hashed? For technical reasons, the password is already hashed in the /etc/shadow file. So it cannot be hashed again by the protocol. (Well, you could make a hash of the hash, but that doesn't offer additional security imho).

In normal circumstances this is secure. This assumes that you connect to a trusted server and you verify the server signature.

The only case this could be insecure is when you connect to a malicious server (e.g. a MITM attack) and you don't verify the server signature. In this case the attacker could easily sniff the password.

What is the alternative to password authentication? Public Key authentication, because in this mode the key itself is never sent.
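
What "tunnelled clear text" looks like at the protocol level, as an added example that is not part of the original answer: the sketch builds and parses the password authentication request defined in RFC 4252 section 8, which is the payload that exists before the SSH transport layer encrypts it. The user name and password are constructed sample values.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252 message number


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_password_request(user: str, password: str) -> bytes:
    """Payload of a password auth request (RFC 4252 section 8), as it exists
    before the SSH transport layer encrypts and MACs the packet."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode("utf-8"))
            + ssh_string(b"ssh-connection")   # service name
            + ssh_string(b"password")         # method name
            + b"\x00"                         # FALSE: not a password change
            + ssh_string(password.encode("utf-8")))  # password, unhashed


def read_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Decode one SSH string at pos; reject truncated input."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, pos)
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[pos + 4:end], end


def parse_password_request(payload: bytes) -> dict:
    """Decode the payload the way the server does after decryption."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    user, pos = read_string(payload, 1)
    service, pos = read_string(payload, pos)
    method, pos = read_string(payload, pos)
    if method != b"password":
        raise ValueError("not a password request")
    password, pos = read_string(payload, pos + 1)  # +1 skips the boolean
    return {"user": user.decode(), "service": service.decode(),
            "password": password.decode()}


if __name__ == "__main__":
    # Constructed sample credentials, not from the original page.
    payload = build_password_request("alice", "correct horse")
    print(payload.hex())
    print(parse_password_request(payload))
```

On the wire this payload is carried inside an encrypted SSH packet, so a capture taken with tcpdump or ngrep shows only ciphertext; the endpoint that terminates the tunnel is the one that reads the password field.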