When connecting to a remote server using SSH, the client attempts several authentication methods until one succeeds. The sequence in which these methods are tried is controlled by the PreferredAuthentications option. By default, the client tries methods like gssapi-with-mic, hostbased, and publickey before falling back to password as the last resort.
PreferredAuthentications
Specifies the order in which the client should try authentication methods.
This allows a client to prefer one method (e.g. keyboard-interactive) over
another method (e.g. password). The default is:
gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug3: no such identity: /home/user/.ssh/id_rsa: No such file or directory
Modifying the PreferredAuthentications option can optimize the authentication process. For example, if you prefer using publickey over other methods, configuring this setting can save time and improve security. This customization is useful for administrators who need consistent and secure authentication methods.
The default order of authentication methods may not suit every environment. Customizing the sequence allows you to prioritize methods that align with your security policies or operational preferences. By specifying your preferred methods, you can ensure the SSH client uses them first, making the login process faster and more secure.
Steps to configure SSH preferred authentication method:
- Open your terminal application.
- Check the current PreferredAuthentications configuration of your SSH client.
$ ssh -G '*' | grep -i PreferredAuthentications
$
Default values are used if the command returns an empty result.
- View available configuration options in the ssh_config manual.
$ man ssh_config
##### snipped
PreferredAuthentications
Specifies the order in which the client should try authentication methods.
This allows a client to prefer one method (e.g. keyboard-interactive) over
another method (e.g. password). The default is:
gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
##### snipped
- Manually specify your preferred authentication method when connecting to an SSH server.
$ ssh -o PreferredAuthentications=publickey 192.168.111.2
user@192.168.111.2: Permission denied (publickey,password).
Restricting the client to an authentication method that the SSH server does not support, or for which the client has no usable credentials, will cause your login to fail, as in the above example.
- Edit the SSH client configuration file using your preferred text editor.
$ vi ~/.ssh/config
Use /etc/ssh/ssh_config to apply the option to all users in the system, though it will always be overridden if also configured in ~/.ssh/config.
- Set the preferred authentication methods in the configuration file and save it.
Host *
    PreferredAuthentications publickey,password
The configuration above attempts only the publickey and password methods, in that order.
- Attempt to log in to the SSH server without specifying an authentication method.
$ ssh -v 192.168.111.2
user@192.168.111.2: Permission denied (publickey,password).
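The client only attempts methods that appear both in its PreferredAuthentications list and in the server's "Authentications that can continue" list, in the client's order. The script below is an added example, not part of the original article; it works that out from captured ssh -v output. The helper names server_methods and auth_plan are hypothetical, and the sample log is constructed from the debug lines shown earlier.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is constructed, modelled on the debug output above.
SAMPLE_LOG='debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey'

# Default order as quoted from ssh_config(5) on this page.
DEFAULT_ORDER='gssapi-with-mic,hostbased,publickey,keyboard-interactive,password'

# server_methods (hypothetical helper): read `ssh -v` output on stdin and
# print the first method list the server advertised.
server_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# auth_plan PREFERRED OFFERED (hypothetical helper): print the methods the
# client would attempt, i.e. those in PREFERRED that the server also offers,
# kept in the client's order. Returns 1 when the lists do not overlap, in
# which case the login cannot succeed. An overlap is necessary but not
# sufficient: the client still needs usable credentials for the method.
auth_plan() {
    preferred=$1
    offered=$2
    plan=
    old_ifs=$IFS
    IFS=,
    for m in $preferred; do
        case ",$offered," in
            *",$m,"*) plan="${plan:+$plan,}$m" ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$plan" ] || return 1
    printf '%s\n' "$plan"
}

offered=$(printf '%s\n' "$SAMPLE_LOG" | server_methods)
echo "server offers:        $offered"
echo "default order tries:  $(auth_plan "$DEFAULT_ORDER" "$offered")"
echo "password-first tries: $(auth_plan password,publickey "$offered")"
auth_plan keyboard-interactive "$offered" ||
    echo "keyboard-interactive only: no method in common, login would fail"
```

To check a real server, pipe the output of ssh -v (which goes to stderr) into server_methods instead of the sample log.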
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.