Lately I noticed that when I want to ssh to a server using a password I need to specify -o PubkeyAuthentication=no or I won’t be asked for a password and the authentication will fail (well, for all I know, setting some other option may work too).
I use password authentication only once on freshly installed servers/vms, so it’s not a huge deal, but… it still bothers me (mainly because I don’t remember which option to set).
Do you guys have any idea what it may be?
client's ~/.ssh/config
Host 127.*.*.* 192.168.*.* 10.*.*.* 172.16.*.* 172.17.*.* 172.18.*.* 172.19.*.* 172.2?.*.* 172.30.*.* 172.31.*.*
LogLevel quiet
Stricthostkeychecking no
Userknownhostsfile /dev/null
Host *
ForwardAgent no
AddKeysToAgent no
Compression yes
ServerAliveInterval 10
ServerAliveCountMax 3
HashKnownHosts no
UserKnownHostsFile ~/.ssh/known_hosts
ControlMaster no
ControlPath ~/.ssh/master-%r@%n:%p
ControlPersist no
server's /etc/ssh/sshd_config (it's from the nixos install iso)
AuthorizedPrincipalsFile none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
GatewayPorts no
KbdInteractiveAuthentication yes
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
LogLevel INFO
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
PasswordAuthentication yes
PermitRootLogin yes
PrintMotd no
StrictModes yes
UseDns no
UsePAM yes
X11Forwarding no
Banner none
AddressFamily any
Port 22
Subsystem sftp /nix/store/78mv13w9mgh0s0rd7rnr6ff4d7a39bpd-openssh-9.7p1/libexec/sftp-server
AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys.d/%u
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
That’s the expected behavior as ssh password authentication is not secure.
You can force the ssh client to use passwords in the ssh_config file (either local or global)
How would that improve security when all a bad actor has to do is add -o PubkeyAuthentication=no on their side?
Also, I’m pretty sure it used to just ask for a password?
If you’re trying to have password auth be a second layer on top of key auth (requiring a password after connecting with your ssh key), you can add the following to your server’s sshd_conf:
AuthenticationMethods "publickey,password"
Now that’s a neat idea! (not sure I’ll ever implement it though: having passwords on my ssh keys is already enough of a hassle, plus having provisioning and scripts ask for password is a PITA)
Anyway, I was just trying to authenticate with a password, like we used to back in the day :)
(it’s only for install isos or freshly installed systems that I’ve not provisioned yet - everything else requires a key).
How many private keys do you happen to have in .ssh? MaxAuthTries defaults to 6, and keys are always tried before you are prompted for a password. Unless you set PubkeyAuthentication=no, or specify a single key, the ssh client will happily grind through each key until the server cuts you off.
I ran into this today using ssh-copy-id on a new Debian box. Seems like that tool is biased toward copying a second key instead of a first. Either that or they assume most users use one key pair everywhere (and thus only have one loaded in their agent). I use one key pair per user per box. Excessive? 🤔
I’ve slept since the last time I set up sshd on a new install. Do you need to be able to authenticate with a password when you ssh-copy-id on a user without a public key?
Edit: Silly me. Yes, password is required.
