Authentication Order with SSH


Solution 1

The ssh server decides which authentication options it allows; the ssh client can be configured to decide in which order to try them.

The ssh client uses the PreferredAuthentications option in the ssh config file to determine this.

From man ssh_config (see it online here):

PreferredAuthentications
             Specifies the order in which the client should try protocol 2 authentication methods.  This allows a client to prefer
             one method (e.g. keyboard-interactive) over another method (e.g. password).  The default is:

                   gssapi-with-mic,hostbased,publickey,
                   keyboard-interactive,password

I don't believe it's possible, without playing with the source, to tell the OpenSSH server to prefer a certain order - if you think about it, it doesn't quite make sense anyway.

Solution 2

Adding this:

PreferredAuthentications keyboard-interactive,password,publickey,hostbased,gssapi-with-mic

...to my /etc/ssh/ssh_config helped me to solve this, and saved a lot of time too!

You can check if it works by using the ssh -v user@host command to connect, where -v stands for "verbose".
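A way to read that verbose output, as an added example that is not part of the original answers: the shell functions below (hypothetical names) pull the server-offered methods, the order the client tried them in, and the method that succeeded out of ssh -v debug lines, and compute the order a given PreferredAuthentications value yields once filtered to what the server offers. The sample log is constructed; its first line is the one quoted in the question.

```shell
#!/bin/sh
# Added example: summarise authentication from `ssh -v` output read on stdin.
# Real use:  ssh -v user@host true 2>&1 | auth_tried

# Methods the server advertises (first advertisement in the log).
auth_offered() {
    tr -d '\r' | sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# Methods the client actually attempted, in order, comma-joined.
auth_tried() {
    tr -d '\r' | sed -n 's/^debug1: Next authentication method: //p' | paste -sd, -
}

# Method that finally succeeded (empty output if none did).
auth_succeeded() {
    tr -d '\r' | sed -n 's/^debug1: Authentication succeeded (\(.*\))\.$/\1/p' | head -n 1
}

# $1 = client PreferredAuthentications, $2 = server-offered list.
# Prints the client's preference order restricted to what the server allows.
# The client may still skip a listed method it cannot perform (e.g. no key loaded).
expected_order() {
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$m,"*) printf '%s\n' "$m" ;;
        esac
    done | paste -sd, -
}

# Constructed sample of `ssh -v` output for a client configured with
# PreferredAuthentications password,publickey (not captured from a real host).
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased
debug1: Next authentication method: password
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased
debug1: Next authentication method: publickey
debug1: Authentication succeeded (publickey).
EOF
}
```

The server's advertised list stays the same whatever the client prefers; only the "Next authentication method" sequence changes with PreferredAuthentications.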

Solution 3

Adding to the other two answers already mentioning the PreferredAuthentications option, I'd like to add you don't need to edit any file to set this setting if you don't want. Rather, you can just set it at the command-line for an individual call to ssh, with the -o option, as follows:

ssh -o PreferredAuthentications=publickey,gssapi-with-mic,hostbased,keyboard-interactive,password user@hostname

References:

  1. To read more about the PreferredAuthentications option, see man ssh_config (see it online here). Also read about the ssh -o option in the man ssh manual pages (online here).

Author by

oz123


Updated on September 18, 2022

Comments

  • oz123
    oz123 over 1 year

    When I login via ssh with -v I see that ssh is authenticating the following way

    debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased
    

    I would like to change the order ...any idea how?

    My bigger problem is that users with locked accounts can still log in via public keys. I have found that I could add the user to a group "ssh-locked" and deny that group from sshing, but I am still wondering if there is a way to tell sshd: Please check password before keys...

    • EightBitTony
      EightBitTony almost 13 years
      I think you're approaching this the wrong way - keys are (usually) more secure than passwords. If the account is locked, you need to tell the sshd daemon to not let the user login regardless of the authentication method.
    • oz123
      oz123 almost 13 years
      Like I said, I found a solution, via DenyGroups. I am asking it for the sake of interest.
  • Spencer Williams
    Spencer Williams over 9 years
    If you are using Git Bash for Windows, save your ssh config to ~/.ssh/config
  • steveayre
    steveayre over 5 years
    The order can make sense if one method depends on a previous one. For example 2FA under keyboard-interactive might depend on the user having first provided a valid password.
  • Gabriel Staples
    Gabriel Staples over 4 years
    Can you post a source for where you copy-pasted the PreferredAuthentications info above? I don't see it in man ssh, nor in /etc/ssh/ssh_config, nor in /etc/ssh/sshd_config. Where did you get this info?
  • Gabriel Staples
    Gabriel Staples over 4 years
    Found it! It was in man ssh_config. I submitted an edit for review to update your answer to contain this source. Please cite sources next time! Many thanks.