How to disable the try again password in ssh command

9,501

In the sshd config man page man 5 sshd_config:

 MaxAuthTries
     Specifies the maximum number of authentication attempts permitted
     per connection.  Once the number of failures reaches half this
     value, additional failures are logged.  The default is 6.

So a setting of MaxAuthTries 2 will be the setting you will need. sshd will need to be restarted afterwards (has to be run as root):

/etc/init.d/ssh restart 

or

service ssh restart

On the client side this can be set with ssh settings (look at man 5 ssh_config for the settings you can apply):

 NumberOfPasswordPrompts
         Specifies the number of password prompts before giving up.  The
         argument to this keyword must be an integer.  The default is 3.

So edit your ~/.ssh/config file and add:

 Host <name_or_ip_of_host|*>
     NumberOfPasswordPrompts 1

Where <name_or_ip_of_host|*> is the canonical IP or hostname you are using on the command line, or * for all host connection attempts. You can also specify this on the command line without having to edit your ~/.ssh/config file:

  ssh -o NumberOfPasswordPrompts=1 user@hostname 
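
An added example, not part of the original answer: ssh_config(5) uses the first value obtained for each option, so a `Host *` block placed above a host-specific block silently overrides the `NumberOfPasswordPrompts 1` suggested above. This sketch resolves the effective value from a config text; the host name and both sample configs are constructed, and `Match` blocks are skipped as a simplification.

```python
import re
import shlex
from fnmatch import fnmatchcase

LINE = re.compile(r"^\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$")
# Constructed sample configs; db1.lan.example is a made-up host name.
GENERAL_FIRST = """
Host *
    NumberOfPasswordPrompts 3
Host db1.lan.example
    NumberOfPasswordPrompts 1
"""
SPECIFIC_FIRST = """
Host db1.lan.example
    NumberOfPasswordPrompts=1
Host *
    NumberOfPasswordPrompts 3
"""

def host_matches(patterns, host):
    """A Host line applies if any pattern matches and no !pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):  # fnmatch approximates ssh's * and ?
            matched = True
    return matched

def effective_option(config_text, host, keyword, default=None):
    """Return the first value obtained for keyword, as ssh would use it."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        m = LINE.match(raw)
        if not m:  # blank line or comment
            continue
        key, args = m.group(1).lower(), shlex.split(m.group(2))
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = False  # simplification: Match blocks are skipped
        elif active and key == keyword.lower() and args:
            return args[0]
    return default

if __name__ == "__main__":
    for cfg in (GENERAL_FIRST, SPECIFIC_FIRST):  # prints 3, then 1
        print(effective_option(cfg, "db1.lan.example", "NumberOfPasswordPrompts"))
```

On a real system, `ssh -G hostname` prints the configuration the client resolves for that host, including `numberofpasswordprompts`.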

Nir
Author by

Nir

Updated on September 18, 2022

Comments

  • Nir
    Nir almost 2 years

    I want the ssh command to allow only one chance to type the password; if the password is wrong the first time, ssh will return

    Permission denied (publickey......).
    

    Is there a flag that tells the ssh to request only once the password?

    Instead of:

    [nir@dhcppc4 ~]$ ssh [email protected]
    [email protected]'s password: 
    Permission denied, please try again.
    [email protected]'s password: 
    Permission denied, please try again.
    [email protected]'s password: 
    Permission denied (publickey.....).
    

    I want:

    [nir@dhcppc4 ~]$ ssh [email protected]
    [email protected]'s password: 
    Permission denied (publickey.....).
    

    The solution must be on the client side (e.g. some flag to the ssh command or using a pipeline); I can't touch sshd_config or any other system config file, because, in general, I build 3rd-party software (so I can't generate keys or configure system files) that accesses the servers in the LAN. The passwords are saved in the DB (so a second attempt isn't needed). And if my code can assume that I only have one attempt to ssh/scp, it will simplify the relevant code.

    • Admin
      Admin almost 11 years
      As the answers show, you can modify this, but why do you want to? People make typing mistakes frequently, and the defaults are set to allow for such frailties. A better question might be "how do I lock out a user that has failed n login attempts?" particularly if you are looking to protect against malicious logins.
    • Admin
      Admin almost 11 years
      My reason is complex and long. What I can say is that if the password was incorrect at the first time - it will continue to be incorrect the following times.
    • Admin
      Admin almost 11 years
      You want to do the most fundamental system administration function (authentication) but can't touch system configuration files? You're out of luck. If you care to explain your long and complex reason, perhaps we might be able to see the X instead of the Y that you've presented in your XY Problem
    • Admin
      Admin almost 11 years
      I re-edited the question. I don't think the reason matters.
    • Admin
      Admin almost 11 years
      The only way I can see this even being an issue is if you're doing password auth non-interactively, in which case whatever utility you're using to do that should either have the facility to abort after one failed password or, if not, then that utility should be the subject of this question.
  • Nir
    Nir almost 11 years
    Please see question edit. I wanted some flag/pipeline use and not changes in sshd_config
  • Drav Sloan
    Drav Sloan almost 11 years
    I've edited my answer, giving the client-side options.