The passphrase is stored on the client. It's the client who asks for it.
For your second question:
"9.4.4 Public Key Authentication
The use of public key authentication assumes that the client host has not been compromised. It also assumes that the private key of the server host has not been compromised.
This risk can be mitigated by the use of passphrases on private keys; however, this is not an enforceable policy. The use of smartcards, or other technology to make passphrases an enforceable policy is suggested.
The server could require both password and public key authentication; however, this requires the client to expose its password to the server (see the section on Password Authentication below.)"
If you want more information on the protocol itself, you should refer to:
http://tools.ietf.org/html/rfc4251
Link to this comment: http://www.securityfocus.com/comments/infocus/1810/841#841
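The RFC text quoted above points out that passphrase protection of a private key is a client-side choice that the server cannot enforce. What a defender can do is audit client key files for it. The following is an added example, not code from the original comment or from RFC 4251: it parses the OpenSSH `openssh-key-v1` header (whose cipher and KDF fields read `none` when the key is stored in the clear) and the legacy PEM headers, using small constructed sample keys with placeholder key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def build_openssh_v1_key(ciphername: str, kdfname: str, kdfoptions: bytes = b"") -> str:
    """Constructed sample key file (not a real credential): only the header fields
    matter for the check, so the key sections are placeholders."""
    blob = (MAGIC + _ssh_string(ciphername.encode()) + _ssh_string(kdfname.encode())
            + _ssh_string(kdfoptions) + struct.pack(">I", 1)
            + _ssh_string(b"placeholder-public-key") + _ssh_string(b"placeholder-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{body}\n{OPENSSH_END}\n"


def private_key_is_encrypted(text: str) -> bool:
    """True if the private key file is passphrase-protected, False if stored in the clear."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == OPENSSH_BEGIN and lines[-1] == OPENSSH_END:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        fields = []
        for _ in range(2):  # ciphername, then kdfname
            (n,) = struct.unpack_from(">I", blob, off)
            off += 4
            fields.append(blob[off:off + n])
            off += n
        ciphername, kdfname = fields
        # Unencrypted keys carry cipher "none" and KDF "none"
        return ciphername != b"none" and kdfname != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): OpenSSL marks encryption with a Proc-Type header
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
    raise ValueError("not a recognised private key file")
```

Pointing this at `~/.ssh/id_*` files on managed clients flags keys that were generated without a passphrase, which is the gap the quoted RFC text describes.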