Unexpected behavior with "-o PreferredAuthentications=password"

Morgan, Iain (ARC-TN)[InuTeq, LLC] iain.morgan at nasa.gov
Wed Jul 21 07:39:03 AEST 2021


By setting PreferredAuthentications to just "password," you are disabling *all* other methods, such as KbdInteractive. Whereas, by setting Pubkeyauthentication=no, you are just disabling public-key authentication.


On 7/20/21, 14:14, "openssh-unix-dev on behalf of Jürgen Botz" <openssh-unix-dev-bounces+iain.morgan=nasa.gov at mindrot.org on behalf of jurgen at botz.org> wrote:

    I currently have a lot of keys in my .ssh and this is sometimes a
    problem when logging into a system where I have to use a password
    because the total allowed authentication attempts are exceeded
    before it gets to the password. So I had been using
    "-o PreferredAuthentications=password" in those cases.  But I just
    found that there's a gotcha with this... on a specific host that had
    a pam configuration to use a 2nd factor (google-authenticator) I
    kept getting "Permission denied; please try again." after the
    password prompt and never getting to the prompt for the authenticator
    code.  From a different client where I didn't need to use the
    PreferredAuthentications option it worked fine.  Eventually I noticed
    two things...

    1) The password prompt was different; when I used
    PreferredAuthentications it looked like "user at host password:", but
    when I didn't use that option it just says "Password:" (note the capital

    2) Using "-o PubkeyAuthentication=no" instead of
    PreferredAuthentications resolved my problem.

    It would seem that depending on those options the interaction between
    sshd and PAM is different.  Is this is a bug, or am I missing something
    about the semantics of 'PreferredAuthentications=password'?

    - Jürgen

More information about the openssh-unix-dev mailing list