How to set the preferred authentication method for SSH

When connecting to a remote server using SSH, the client attempts several authentication methods until one succeeds. The sequence in which these methods are tried is controlled by the PreferredAuthentications option. By default, the client tries methods like gssapi-with-mic, hostbased, and publickey before falling back to password as the last resort.

PreferredAuthentications
Specifies the order in which the client should try authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). The default is:

gssapi-with-mic,hostbased,publickey,keyboard-interactive,password

debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: 
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug3: no such identity: /home/user/.ssh/id_rsa: No such file or directory

Modifying the PreferredAuthentications option can optimize the authentication process. For example, if you prefer using publickey over other methods, configuring this setting can save time and improve security. This customization is useful for administrators who need consistent and secure authentication methods.

The default order of authentication methods may not suit every environment. Customizing the sequence allows you to prioritize methods that align with your security policies or operational preferences. By specifying your preferred methods, you can ensure the SSH client uses them first, making the login process faster and more secure.

Steps to configure SSH preferred authentication method:

Open your terminal application.
Check the current PreferredAuthentications configuration of your SSH client.
```
$ ssh -G * | grep -i PreferredAuthentications
$
```
Default values are used if the command returns an empty result.

View available configuration options in the ssh_config manual.

$ man ssh_config
##### snipped
PreferredAuthentications

Specifies the order in which the client should try authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). The default is:
  gssapi-with-mic,hostbased,publickey, keyboard-interactive,password
##### snipped

Manually specify your preferred authentication method when connecting to an SSH server.
```
$ ssh -o PreferredAuthentications=publickey 192.168.111.2
user@192.168.111.2: Permission denied (publickey,password).
```
Choosing an authentication method not supported by the SSH server, such as in the above example, will cause your login to fail.
Edit the SSH client configuration file using your preferred text editor.
```
$ vi ~/.ssh/config
```
Use /etc/ssh/ssh_config to apply the option to all users in the system, though it will always be overridden if also configured in ~/.ssh/config.
Set the preferred authentication methods in the configuration file and save it.
```
Host *
    PreferredAuthentications publickey,password
```
The following configuration example is to only attempt publickey and password method, in that order.

Attempt to log in to the SSH server without specifying an authentication method.

$ ssh -v 192.168.111.2
user@192.168.111.2: Permission denied (publickey,password).

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.