34

When I log in via ssh with -v, I see that ssh is authenticating the following way:

debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased

I would like to change the order... any idea how?

My bigger problem is that users with locked accounts can still log in via public keys. I have found that I could add the user to a group "ssh-locked" and deny that group from sshing, but I am still wondering if there is a way to tell sshd: Please check password before keys...

gWaldo
oz123

4 Answers

47

The ssh server decides which authentication options it allows; the ssh client can be configured to decide in which order to try them.

The ssh client uses the PreferredAuthentications option in the ssh config file to determine this.

From man ssh_config (see it online here):

PreferredAuthentications
             Specifies the order in which the client should try protocol 2 authentication methods.  This allows a client to prefer
             one method (e.g. keyboard-interactive) over another method (e.g. password).  The default is:

                   gssapi-with-mic,hostbased,publickey,
                   keyboard-interactive,password

I don't believe it's possible, without playing with the source, to tell the OpenSSH server to prefer a certain order - if you think about it, it doesn't quite make sense anyway.

EightBitTony
20

Adding this:

PreferredAuthentications keyboard-interactive,password,publickey,hostbased,gssapi-with-mic

...to my /etc/ssh/ssh_config helped me to solve this, and saved a lot of time too!

You can check if it works by using the ssh -v user@host command to connect, where -v stands for "verbose".

Greg Dubicki
4

Adding to the other two answers already mentioning the PreferredAuthentications option, I'd like to add that you don't need to edit any file to set this setting if you don't want to. Rather, you can just set it at the command line for an individual call to ssh, with the -o option, as follows:

ssh -o PreferredAuthentications=publickey,gssapi-with-mic,hostbased,keyboard-interactive,password user@hostname

References:

  1. To read more about the PreferredAuthentications option, see man ssh_config (see it online here). Also read about the ssh -o option in the man ssh manual pages (online here).
1

For a truly locked account, you can usually play with its expiration date as well. The ways to do so depend on your host's OS, e.g. on Linux it would be chage -d 0 someuser.

See also https://unix.stackexchange.com/questions/343535/what-is-the-solaris-equivalent-of-chage-d :-)

Jim Klimov
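
The question's underlying concern (a locked password does not by itself stop public-key logins) and the two blocks this page mentions, a denied group and account expiration, can be audited together. The following is an added example, not code from any of the posts; it assumes Linux shadow(5) field layout and a "!" prefix as the locked-password marker, and all sample data and function names are constructed for illustration.

```python
"""Audit shadow(5)-format entries for accounts whose password is locked
but whose public-key logins are not blocked by expiry or a denied group."""
import time

# Constructed sample data (not from a real host). Field 2 is the password
# hash ("!" prefix = locked), field 8 is the account expiry in days since 1970.
SAMPLE_SHADOW = """\
alice:$6$salt$hash:19000:0:99999:7:::
bob:!$6$salt$hash:19000:0:99999:7:::
carol:!$6$salt$hash:19000:0:99999:7::1:
dave:!$6$salt$hash:19000:0:99999:7:::
erin:!$6$salt$hash:19000:0:99999:7:::
"""
SAMPLE_KEY_USERS = {"alice", "bob", "carol", "dave"}  # users with an authorized_keys file
SAMPLE_DENIED = {"dave"}  # members of the denied group ("ssh-locked" in the question)


def parse_shadow(text):
    """Yield (name, password_field, expire_days_or_None) for each entry."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 8:
            continue  # malformed entry, skip it
        expire = int(fields[7]) if fields[7].isdigit() else None
        yield fields[0], fields[1], expire


def key_login_still_possible(shadow_text, key_users, denied_users, today_days=None):
    """Return sorted names: password locked, keys present, not expired, not denied."""
    if today_days is None:
        today_days = int(time.time() // 86400)
    flagged = []
    for name, password, expire in parse_shadow(shadow_text):
        locked = password.startswith("!")
        expired = expire is not None and expire <= today_days
        if locked and name in key_users and not expired and name not in denied_users:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for user in key_login_still_possible(SAMPLE_SHADOW, SAMPLE_KEY_USERS, SAMPLE_DENIED):
        print(f"{user}: password locked, but key login is not blocked")
```

On a real host the two sets would be built from the users' authorized_keys files and the membership of whatever group sshd is configured to deny.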