On Tue, 20 Jul 2021, Jürgen Botz wrote:

> I currently have a lot of keys in my .ssh and this is sometimes a
> problem when logging into a system where I have to use a password
> because the total allowed authentication attempts are exceeded
> before it gets to the password. So I had been using
> "-o PreferredAuthentications=password" in those cases. But I just
> found that there's a gotcha with this... on a specific host that had
> a pam configuration to use a 2nd factor (google-authenticator) I
> kept getting "Permission denied; please try again." after the
> password prompt and never getting to the prompt for the authenticator
> code. From a different client where I didn't need to use the
> PreferredAuthentications option it worked fine. Eventually I noticed
> two things...
>
> 1) The password prompt was different; when I used
> PreferredAuthentications it looked like "user@host password:", but
> when I didn't use that option it just says "Password:" (note the capital
> "P").
>
> 2) Using "-o PubkeyAuthentication=no" instead of
> PreferredAuthentications resolved my problem.
>
> It would seem that depending on those options the interaction between
> sshd and PAM is different. Is this a bug, or am I missing something
> about the semantics of 'PreferredAuthentications=password'?

As others have pointed out, setting this option to just password also
disables the other authentication method that is often used for
password (and challenge-response) authentication.

You probably want:

PreferredAuthentications=keyboard-interactive,password

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
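
An added example, not part of the original thread: a POSIX shell function that reads the output of `ssh -G <host>` and reports whether the client will attempt keyboard-interactive, password and public-key authentication, so the effect of each option choice discussed above can be checked before connecting. The function name `audit_ssh_auth` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads `ssh -G <host>` output ("keyword value" lines) on stdin
# and reports which of the methods discussed in this thread the client will try.
audit_ssh_auth() {
    pref=""            # empty: option unset, the client's default list applies
    pubkey_opt="yes"
    kbdint_opt="yes"
    password_opt="yes"
    while read -r key value; do
        case "$key" in
            preferredauthentications)     pref="$value" ;;
            pubkeyauthentication)         pubkey_opt="$value" ;;
            kbdinteractiveauthentication) kbdint_opt="$value" ;;
            passwordauthentication)       password_opt="$value" ;;
        esac
    done

    if [ -z "$pref" ]; then
        # The default list includes all three methods.
        kbdint=yes; password=yes; pubkey=yes
    else
        # A method missing from PreferredAuthentications is never attempted.
        # Wrap the list in commas so each method matches as a whole element.
        list=",$pref,"
        kbdint=no; password=no; pubkey=no
        case "$list" in *,keyboard-interactive,*) kbdint=yes ;; esac
        case "$list" in *,password,*)             password=yes ;; esac
        case "$list" in *,publickey,*)            pubkey=yes ;; esac
    fi

    # The per-method switches can still turn a listed method off.
    case "$pubkey_opt"   in no|false) pubkey=no ;; esac
    case "$kbdint_opt"   in no|false) kbdint=no ;; esac
    case "$password_opt" in no|false) password=no ;; esac

    echo "kbdint=$kbdint password=$password pubkey=$pubkey"
}

# Constructed sample of `ssh -G` output for the option used in the original post.
audit_ssh_auth <<'EOF'
user alice
preferredauthentications password
pubkeyauthentication yes
EOF
```

In real use, pipe the resolved configuration in, for example `ssh -G -o PubkeyAuthentication=no host | audit_ssh_auth`; a result of `kbdint=no` means PAM prompts such as a second-factor code cannot be reached from this client configuration.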