The security of SSH key authentication depends on the passphrase only if you assume that the actual SSH private key file is made accessible to absolutely everyone. Obviously, it isn't a good idea to actually do that.
When using password authentication, the primary authentication factor is the password, which supposedly only the authorized user knows. But when using SSH key authentication, the primary authentication factor is the possession of the private key.
The passphrase on a SSH private key is to safeguard against the chance that the key might fall to wrong hands; if the private key is protected in some other way (e.g. stored on a secure system, an encrypted disk or under a physical lock and key), the passphrase protection might not be necessary.
It is technically possible to make a SSH client that checks the quality of the passphrase; but because the SSH protocol is standardized, the user could always choose to use another client that does not perform the check.
It is not feasible for the SSH server to verify if the client has actually checked the passphrase quality, because nothing prevents the client from giving false information to the server.
The sshd server does not participate in the SSH key passphrase verification: the client only uses the passphrase to decrypt the private key locally.
To actually authenticate, the SSH client generates a "signature" message using the private key: if the server can verify the signature using the authorized public key, the client has proven it holds the private part of the authorized key - without disclosing the private key itself.
MK
MK
