Re: Unexpected behavior with "-o PreferredAuthentications=password"

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Tue, 20 Jul 2021, Jürgen Botz wrote:

> I currently have a lot of keys in my .ssh and this is sometimes a
> problem when logging into a system where I have to use a password
> because the total allowed authentication attempts are exceeded
> before it gets to the password. So I had been using
> "-o PreferredAuthentications=password" in those cases.  But I just
> found that there's a gotcha with this... on a specific host that had
> a pam configuration to use a 2nd factor (google-authenticator) I
> kept getting "Permission denied; please try again." after the
> password prompt and never getting to the prompt for the authenticator
> code.  From a different client where I didn't need to use the
> PreferredAuthentications option it worked fine.  Eventually I noticed
> two things...
> 
> 1) The password prompt was different; when I used
> PreferredAuthentications it looked like "user@host password:", but
> when I didn't use that option it just says "Password:" (note the capital
> "P").
> 
> 2) Using "-o PubkeyAuthentication=no" instead of
> PreferredAuthentications resolved my problem.
> 
> It would seem that depending on those options the interaction between
> sshd and PAM is different.  Is this is a bug, or am I missing something
> about the semantics of 'PreferredAuthentications=password'?

As others have pointed out, setting this option to just password
also disables the other authentication method that is often used
for password (and challenge-response) authentication.

You probably want:

PreferredAuthentications=keyboard-interactive,password

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux