Hi,

By setting PreferredAuthentications to just "password," you are disabling *all* other methods, such as KbdInteractive. Whereas, by setting Pubkeyauthentication=no, you are just disabling public-key authentication.

--
Iain

On 7/20/21, 14:14, "openssh-unix-dev on behalf of Jürgen Botz" <openssh-unix-dev-bounces+iain.morgan=nasa.gov@xxxxxxxxxxx on behalf of jurgen@xxxxxxxx> wrote:

I currently have a lot of keys in my .ssh and this is sometimes a problem when logging into a system where I have to use a password because the total allowed authentication attempts are exceeded before it gets to the password. So I had been using "-o PreferredAuthentications=password" in those cases.

But I just found that there's a gotcha with this... on a specific host that had a pam configuration to use a 2nd factor (google-authenticator) I kept getting "Permission denied; please try again." after the password prompt and never getting to the prompt for the authenticator code. From a different client where I didn't need to use the PreferredAuthentications option it worked fine.

Eventually I noticed two things...

1) The password prompt was different; when I used PreferredAuthentications it looked like "user@host password:", but when I didn't use that option it just says "Password:" (note the capital "P").

2) Using "-o PubkeyAuthentication=no" instead of PreferredAuthentications resolved my problem.

It would seem that depending on those options the interaction between sshd and PAM is different. Is this a bug, or am I missing something about the semantics of 'PreferredAuthentications=password'?

Cheers,
- Jürgen
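The difference described in this thread can be shown with a small model of the client's method selection. This is an added example, not part of either message and not OpenSSH code; the function names and the server's advertised method list are assumptions, and the model only covers ordering and the per-method on/off options.

```python
# Simplified model (added example) of the order in which an OpenSSH client
# attempts authentication methods. Not OpenSSH code.

# Default client preference order, per ssh_config(5).
DEFAULT_ORDER = ["gssapi-with-mic", "hostbased", "publickey",
                 "keyboard-interactive", "password"]

# Per-method ssh_config switch and its client-side default.
SWITCHES = {
    "gssapi-with-mic": ("GSSAPIAuthentication", False),
    "hostbased": ("HostbasedAuthentication", False),
    "publickey": ("PubkeyAuthentication", True),
    "keyboard-interactive": ("KbdInteractiveAuthentication", True),
    "password": ("PasswordAuthentication", True),
}

# Constructed assumption: the 2FA host advertises these methods.
SERVER_METHODS = {"publickey", "keyboard-interactive", "password"}


def parse_opts(args):
    """Turn ['-o', 'Key=value', ...] into a dict with lower-cased keys."""
    opts = {}
    for flag, value in zip(args, args[1:]):
        if flag == "-o":
            key, _, val = value.partition("=")
            opts[key.strip().lower()] = val.strip()
    return opts


def methods_tried(server_methods, args=()):
    """Return the methods the client would attempt, in order."""
    opts = parse_opts(list(args))
    pref = opts.get("preferredauthentications")
    # PreferredAuthentications replaces the whole list, not just its order.
    order = [m.strip() for m in pref.split(",")] if pref else DEFAULT_ORDER
    tried = []
    for method in order:
        if method not in SWITCHES:
            continue
        key, default = SWITCHES[method]
        val = opts.get(key.lower())
        enabled = default if val is None else val.lower() == "yes"
        if enabled and method in server_methods:
            tried.append(method)
    return tried


if __name__ == "__main__":
    for a in ([], ["-o", "PreferredAuthentications=password"],
              ["-o", "PubkeyAuthentication=no"]):
        print(a, "->", methods_tried(SERVER_METHODS, a))
```

With PreferredAuthentications=password the list collapses to password alone, so keyboard-interactive is never attempted; with PubkeyAuthentication=no it is tried first.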