I currently have a lot of keys in my .ssh and this is sometimes a problem when logging into a system where I have to use a password because the total allowed authentication attempts are exceeded before it gets to the password. So I had been using "-o PreferredAuthentications=password" in those cases. But I just found that there's a gotcha with this... on a specific host that had a pam configuration to use a 2nd factor (google-authenticator) I kept getting "Permission denied; please try again." after the password prompt and never getting to the prompt for the authenticator code. From a different client where I didn't need to use the PreferredAuthentications option it worked fine. Eventually I noticed two things... 1) The password prompt was different; when I used PreferredAuthentications it looked like "user@host password:", but when I didn't use that option it just says "Password:" (note the capital "P"). 2) Using "-o PubkeyAuthentication=no" instead of PreferredAuthentications resolved my problem. It would seem that depending on those options the interaction between sshd and PAM is different. Is this is a bug, or am I missing something about the semantics of 'PreferredAuthentications=password'? Cheers, - Jürgen _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
