How to disable the try again password in ssh command
In the sshd config man page (man 5 sshd_config):
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
per connection. Once the number of failures reaches half this
value, additional failures are logged. The default is 6.
So a setting of MaxAuthTries 2 will be the setting you will need. sshd will need to be restarted afterwards (has to be run as root):
/etc/init.d/ssh restart
or
service ssh restart
On the client side this can be set with ssh settings (look at man 5 ssh_config for the settings you can apply):
NumberOfPasswordPrompts
Specifies the number of password prompts before giving up. The
argument to this keyword must be an integer. The default is 3.
So edit your ~/.ssh/config file and add:
Host <name_or_ip_of_host|*>
NumberOfPasswordPrompts 1
Where <name_or_ip_of_host|*> is the canonical IP or hostname you are using on the command line, or * for all host connection attempts. You can also specify this on the command line without having to edit your ~/.ssh/config file:
ssh -o NumberOfPasswordPrompts=1 user@hostname
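A Host block like the one above only takes effect if no earlier matching block already sets the keyword, because ssh uses the first value it obtains for each parameter. The sketch below is an added example, not part of the original answer: it resolves the effective NumberOfPasswordPrompts for a host from config text on stdin. The function names, the sample configs and the host db01.lan are made up for illustration, and Match blocks are skipped rather than evaluated.

```shell
#!/bin/sh
# Added example: resolve the NumberOfPasswordPrompts value for a host from
# ssh_config text on stdin. ssh uses the FIRST value it obtains for a keyword.

# host_matches HOST PATTERN... : true if a positive pattern matches HOST and
# no negated (!pattern) one does, as for a "Host" line.
host_matches() {
    host=$1; shift
    matched=1
    for pat in "$@"; do
        case $pat in
            !*) case $host in ${pat#!}) return 1 ;; esac ;;
            *)  case $host in $pat) matched=0 ;; esac ;;
        esac
    done
    return $matched
}

# effective_prompts HOST < config : prints the value that applies to HOST.
effective_prompts() {
    target=$1
    result=$(
        set -f      # keep '*' in Host patterns from expanding to file names
        active=0    # keywords before the first Host line apply to every host
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%%#*}                             # drop comments
            set -- $(printf '%s\n' "$line" | tr '=' ' ') # "Key value" or "Key=value"
            [ $# -ge 1 ] || continue
            key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
            case $key in
                host)  if host_matches "$target" "$@"; then active=0; else active=1; fi ;;
                match) active=1 ;;  # assumption: Match blocks are skipped, not evaluated
                numberofpasswordprompts)
                    if [ "$active" -eq 0 ]; then printf '%s\n' "$1"; break; fi ;;
            esac
        done
    )
    printf '%s\n' "${result:-3}"    # 3 is the documented default
}

# Constructed sample configs; db01.lan is a made-up host name.
shadowed() { printf '%s\n' 'Host *' '  NumberOfPasswordPrompts 3' \
                           'Host db01.lan' '  NumberOfPasswordPrompts 1'; }
specific_first() { printf '%s\n' 'Host db01.lan' '  NumberOfPasswordPrompts 1' \
                                 'Host *' '  NumberOfPasswordPrompts 3'; }

shadowed       | effective_prompts db01.lan   # wildcard block wins
specific_first | effective_prompts db01.lan   # host block wins
```

On a real client, ssh -G hostname prints the configuration ssh resolves for that host, including numberofpasswordprompts.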
Nir
Updated on September 18, 2022
Comments
-
Nir almost 2 years
I want the ssh command to only allow one chance in typing the password, if the password was wrong at the first time the ssh will return
Permission denied (publickey......).
Is there a flag that tells the ssh to request only once the password?
Instead of:
[nir@dhcppc4 ~]$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey.....).
I want:
[nir@dhcppc4 ~]$ ssh [email protected]
[email protected]'s password:
Permission denied (publickey.....).
The solution must be on the client side (e.g. some flag to the ssh command or using pipeline), I can't touch sshd_config, or any other system config file. Because -in general- I build 3rd party software (so I can't generate keys nor config system files) that access the servers in the LAN, the passwords are saved in the DB (therefore doesn't need second attempt). And in my code if I'll be able to assume that I only have one attempt to ssh/scp it will simplify the relevant code.
-
Admin almost 11 years
As the answers show, you can modify this, but why do you want to? People make typing mistakes frequently, and the defaults are set to allow for such frailties. A better question might be "how do I lock out a user that has failed n login attempts?" particularly if you are looking to protect against malicious logins.
-
Admin almost 11 years
My reason is complex and long. What I can say is that if the password was incorrect at the first time - it will continue to be incorrect the following times.
-
Admin almost 11 years
You want to do the most fundamental system administration function (authentication) but can't touch system configuration files? You're out of luck. If you care to explain your long and complex reason, perhaps we might be able to see the X instead of the Y that you've presented in your XY Problem
-
Admin almost 11 years
I re-edited the question. I don't think the reason matters.
-
Admin almost 11 years
The only way I can see this even being an issue is if you're doing password auth non-interactively, in which case whatever utility you're using to do that should either have the facility to abort after one failed password or, if not, then that utility should be the subject of this question.
-
Nir almost 11 years
Please see question edit. I wanted some flag/pipeline use and not changes in sshd_config
-
Drav Sloan almost 11 years
I've edited my answer giving the client side options.