Authentication Order with SSH
Solution 1
The ssh server decides which authentication options it allows; the ssh client can be configured to decide in which order to try them.
The ssh client uses the PreferredAuthentications option in the ssh config file to determine this.
From man ssh_config (see it online here):
PreferredAuthentications
Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). The default is:
gssapi-with-mic,hostbased,publickey,
keyboard-interactive,password
I don't believe it's possible, without playing with the source, to tell the OpenSSH server to prefer a certain order - if you think about it, it doesn't quite make sense anyway.
Solution 2
Adding this:
PreferredAuthentications keyboard-interactive,password,publickey,hostbased,gssapi-with-mic
...to my /etc/ssh/ssh_config helped me to solve this, and saved a lot of time too!
You can check if it works by using the ssh -v user@host command to connect, where -v stands for "verbose".
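One way to automate the ssh -v check mentioned above, as an added example that is not part of the original answers: it reads the verbose log and confirms the client attempted methods in the configured order. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Check the order in which the ssh client attempted authentication methods,
# using the debug1 lines that `ssh -v` prints. Real use (ssh -v logs to stderr):
#   ssh -v user@host 2>&1 | follows_preference "keyboard-interactive,password,publickey"

# Print the methods the client attempted, in order, one per line.
tried_methods() {
    tr -d '\r' | sed -n 's/^debug1: Next authentication method: //p'
}

# Return 0 when the attempted methods (log on stdin) appear in the same
# relative order as the comma-separated PreferredAuthentications list in $1.
# Methods the client skipped (not offered by the server, or disabled) are fine.
follows_preference() {
    rest=",$1,"
    for m in $(tried_methods); do
        case $rest in
            # Consume the list up to and including $m.
            *",$m,"*) rest=,${rest#*,"$m",} ;;
            # $m is out of order, or not in the list at all.
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample: a client using the order from Solution 2 against a
# server that offers publickey, password and keyboard-interactive.
SAMPLE_LOG='debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey'

WANT="keyboard-interactive,password,publickey,hostbased,gssapi-with-mic"
if printf '%s\n' "$SAMPLE_LOG" | follows_preference "$WANT"; then
    echo "attempt order matches PreferredAuthentications"
else
    echo "attempt order differs from PreferredAuthentications"
fi
```

The check assumes the server's offered list stays the same for the whole session, as it does in the sample.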
Solution 3
Adding to the other two answers already mentioning the PreferredAuthentications option, I'd like to add you don't need to edit any file to set this setting if you don't want. Rather, you can just set it at the command-line for an individual call to ssh, with the -o option, as follows:
ssh -o PreferredAuthentications=publickey,gssapi-with-mic,hostbased,keyboard-interactive,password user@hostname
References:
- To read more about the PreferredAuthentications option, see man ssh_config (see it online here). Also read about the ssh -o option in the man ssh manual pages (online here).
oz123
Updated on September 18, 2022
Comments
-
oz123 over 1 year
When I log in via ssh with -v I see that ssh is authenticating the following way:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased
I would like to change the order ...any idea how?
My bigger problem is that users with locked accounts can still log in via public keys. I have found that I could add the user to a group "ssh-locked" and deny that group from sshing, but I am still wondering if there is a way to tell sshd: Please check password before keys...
-
EightBitTony almost 13 years
I think you're approaching this the wrong way - keys are (usually) more secure than passwords. If the account is locked, you need to tell the sshd daemon to not let the user login regardless of the authentication method.
-
oz123 almost 13 years
Like I said, I found a solution, via DenyGroups. I am asking it for the sake of interest.
-
Spencer Williams over 9 years
If you are using Git Bash for Windows, save your ssh config to ~/.ssh/config
-
steveayre over 5 years
The order can make sense if one method depends on a previous one. For example 2FA under keyboard-interactive might depend on the user having first provided a valid password.
-
Gabriel Staples over 4 years
Can you post a source for where you copy-pasted the PreferredAuthentications info above? I don't see it in man ssh, nor in /etc/ssh/ssh_config, nor in /etc/ssh/sshd_config. Where did you get this info?
-
Gabriel Staples over 4 years
Found it! It was in man ssh_config. I submitted an edit for review to update your answer to contain this source. Please cite sources next time! Many thanks.