Using explicit SSH authentication methods#

For many Secure Shell (SSH) is a magic sauce to get access to a server and transfer files between servers. But when things go wrong this magic sauce becomes a problem. Let’s start with one example of when things go wrong and how to debug them. First, we start add to option -v to our command to connect to another server to get some basic debug information about the SSH handshake and get to the point the user has to authenticate.

$ ssh -v [email protected]t.example.org
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
[email protected]'s password:

Just before the SSH client prompts for the user’s password two interesting debug lines are shown. The first line is about the authentication methods we can use and the next line shows our client selected method password as we don’t have any methods configured in our SSH client like public key. So we manually disable publickey authentication and set the preferred authentication methods to keyboard-interactive.

$ ssh -v -o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no [email protected]
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

We now get permission denied as our client doesn’t have a matching set of authentication methods. Over a decade ago some commercial SSH servers would require keyboard-interactive as an authentication method as the client must then ask the user to type in the password instead of getting it from a password file as was allowed with the password authentication method. A lot of SSH clients start to ignore this convention, but some enterprise environments still depend on this convention. If we add a password to the list of preferred authentication methods we see the password prompt is offered again.

$ ssh -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no [email protected]
[email protected]'s password:

This method can also be used to temporarily disable public-key authentication without changing any SSH configuration to test if the account is still working correctly or the password of the target account is still working.