Controlling the order of SSH authentication methods improves login speed and enforces consistent security policies. Prioritizing publickey over password, for example, reduces exposure to brute-force attacks and keeps automated access predictable.

The PreferredAuthentications option in the OpenSSH client defines which methods are attempted and in what sequence. Values are usually configured in /etc/ssh/ssh_config for system-wide defaults or in ~/.ssh/config for per-user overrides, and can also be specified on the command line with ssh -o options. Verbose output from ssh reveals which methods are offered by the server and which one the client selects.

Choosing an inappropriate order or disabling supported methods can prevent successful logins. Restricting authentication to publickey only, for example, blocks access from users without keys even if password authentication remains enabled on the server. Configuration changes should always be tested with verbose logging while a fallback access path remains available.

PreferredAuthentications
Specifies the order in which the client should try authentication methods. This enables prioritizing one method (for example, keyboard-interactive) over another (for example, password). The default in many OpenSSH clients is:
gssapi-with-mic,hostbased,publickey,keyboard-interactive,password

Steps to set the preferred authentication method for SSH:

  1. Open a terminal on the client system.
  2. Display the effective PreferredAuthentications value for a specific host.
    $ ssh -G 192.168.111.2 | grep -i preferredauthentications
    preferredauthentications gssapi-with-mic,hostbased,publickey,keyboard-interactive,password

    The ssh -G option prints the fully expanded configuration that applies to a host after processing all ssh_config files and matching Host blocks.

  3. Read the ssh_config manual section describing PreferredAuthentications.
    $ man ssh_config
    ##### snipped #####
    PreferredAuthentications
    
         Specifies the order in which the client should try authentication methods. This allows a client to prefer
         one method (e.g. keyboard-interactive) over another method (e.g. password).  The default is:
    
           gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
    ##### snipped #####
  4. Test a one-off connection with an explicit PreferredAuthentications list.
    $ ssh -o PreferredAuthentications=publickey 192.168.111.2
    user@192.168.111.2: Permission denied (publickey,password).

    Specifying only methods that the server does not accept, or omitting password where no key exists, prevents login until the option or configuration is corrected.

  5. Open the per-user SSH client configuration file in a text editor.
    $ vi ~/.ssh/config

    Use /etc/ssh/ssh_config for system-wide defaults when elevated privileges are available; user configuration in ~/.ssh/config always overrides matching settings from the global file.

  6. Add or update a Host block with the desired PreferredAuthentications order and save the file.
    Host *
        PreferredAuthentications publickey,password

    The example restricts the client to publickey first, with password as a fallback, for all hosts; define more specific Host patterns above this block for per-host preferences.

  7. Connect to the host with verbose logging to confirm the new authentication order.
    $ ssh -vv 192.168.111.2
    ##### snipped #####
    debug1: Authentications that can continue: publickey,password
    debug3: start over, passed a different list publickey,password
    debug3: preferred publickey
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: 
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    ##### snipped #####

    Verbose output confirms that ssh now prefers publickey and only falls back to password if key-based authentication fails or no usable key is present.

  8. Confirm that the reported methods in verbose output match the configured PreferredAuthentications list and adjust the configuration if the sequence differs from the intended policy.
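
One way to automate the comparison in step 8, as an added example that is not part of the original page: the hypothetical function check_auth_order reads saved ssh -v output and compares the methods the client attempted with the intended order. The sample_log lines are constructed, and the check assumes the server's offered list does not change during the login.

```shell
# Added example, not from the original page; function names are hypothetical.
# Constructed sample of ssh -v output in the debug1 formats shown in step 7.
sample_log() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
}

# check_auth_order EXPECTED_LIST [LOGFILE]   (reads stdin without LOGFILE)
# Returns 0 = order matches, 1 = order differs, 2 = no usable method.
check_auth_order() {
    awk -v expected="$1" '
        # Methods the server offers. Assumption: only the first list matters,
        # i.e. the server does not change it after a partial success.
        /debug1: Authentications that can continue: / && offered == "" {
            offered = $NF
        }
        # Each method the client moves on to, in order of appearance.
        /debug1: Next authentication method: / {
            if ($NF != last) attempted = attempted (attempted == "" ? "" : ",") $NF
            last = $NF
        }
        END {
            # The client skips configured methods the server does not offer,
            # so compare against the configured order filtered by "offered".
            n = split(expected, want, ",")
            m = split(offered, have, ",")
            for (i = 1; i <= m; i++) ok[have[i]] = 1
            for (i = 1; i <= n; i++)
                if (want[i] in ok) usable = usable (usable == "" ? "" : ",") want[i]
            # A successful login stops early, so the attempts only need to be
            # a prefix of the usable list.
            if (usable == "") {
                verdict = "no-usable-method"; rc = 2
            } else if (attempted != "" && index(usable ",", attempted ",") == 1) {
                verdict = "match"; rc = 0
            } else { verdict = "mismatch"; rc = 1 }
            printf "offered=%s attempted=%s verdict=%s\n", offered, attempted, verdict
            exit rc
        }
    ' "${2:--}"
}

sample_log | check_auth_order publickey,password
```

To check a real session, save the client's debug output first (ssh writes it to stderr) and pass the file as the second argument.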