Hi Bruno,

Sorry, I forgot that point. Yes, PAM overrides the other settings. That is described somewhere in the sshd_config comments.

You are absolutely right. Only a user logging in from a machine where the private key is loaded can log in. The machine you log into does not need to have a copy of the private key saved, only of the public key (for instance, the file id_dsa.pub). You only need a copy of the private key if you want to use a given machine as client, not as server.

The challenge response authentication works in the following way: the server uses the public key to encrypt a random bit which it sends to you. If you possess the private key you are able to decrypt it and return the correct answer to the server. After the server has done this a sufficiently large number of times, it assumes that you are who you say you are, not based on what you know (a password) but on what you have (a token, i.e. a copy of the private key). The passphrase is never sent, encrypted or otherwise; it merely protects your private key on the client side. If you wish to use automatic logins with ssh, you can create a private key with an empty passphrase, but then you have to be very careful with it. This is essentially the Diffie-Hellman mechanism of challenge-response, if I am not mistaken, and it is a very, very clever concept.

Note that you may forward the ssh-agent, which allows you to log in from your client to a server which has a copy of your public key, but not of your private key, and from there to another server which also holds a copy of your public key.

Also note that you may specify, when invoking the ssh command, in which file it should look for a copy of the private key (the default is ~/.ssh/id_dsa or ~/.ssh/id_rsa). That way, you may carry your private key on a diskette or USB-stick (which you may encrypt with, say, pgp, if you are really paranoid :-) ).

Best,

Jaime.

P.S. I do apologise for the verbose and slightly off topic answer :-) ...
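
An added example, not part of Jaime's message and not OpenSSH code: a Python model of the encrypted-challenge exchange described above (the style of SSH protocol 1 RSA authentication; protocol 2 has the client sign session data instead). It assumes textbook RSA with a constructed toy key built from Mersenne primes, and all class, function and user names are hypothetical.

```python
import hashlib
import hmac
import secrets

E = 65537  # public exponent

def toy_keypair(p, q):
    """Textbook RSA from two given primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def response_for(secret, session_id):
    """Hash that binds the recovered challenge to one session."""
    return hashlib.sha256(secret.to_bytes(32, "big") + session_id).digest()

class Server:
    """Holds public keys only, like ~/.ssh/authorized_keys on the server."""
    def __init__(self, authorized):
        self.authorized = authorized   # user -> (n, e)
        self.pending = {}              # user -> expected response

    def challenge(self, user, session_id):
        n, e = self.authorized[user]
        secret = secrets.randbelow(n - 2) + 2        # fresh random challenge
        self.pending[user] = response_for(secret, session_id)
        return pow(secret, e, n)                     # encrypted with the public key

    def verify(self, user, response):
        expected = self.pending.pop(user, None)      # each challenge is single-use
        return expected is not None and hmac.compare_digest(expected, response)

def client_answer(private, encrypted, session_id):
    """Client side: decrypt with the private key, return only the hash."""
    n, d = private
    return response_for(pow(encrypted, d, n), session_id)

def login(server, user, private, session_id=b"constructed-session-1"):
    encrypted = server.challenge(user, session_id)
    return server.verify(user, client_answer(private, encrypted, session_id))

# Constructed toy keys: far too small for real use, chosen to keep the example offline.
PUB, PRIV = toy_keypair(2**107 - 1, 2**127 - 1)
_, WRONG_PRIV = toy_keypair(2**89 - 1, 2**127 - 1)
SERVER = Server({"alice": PUB})

if __name__ == "__main__":
    print("right key:", login(SERVER, "alice", PRIV))
    print("wrong key:", login(SERVER, "alice", WRONG_PRIV))
```

The private exponent never reaches `Server`, and a captured response is useless later because each challenge is consumed on first verification and tied to its session identifier.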