Lately I noticed that when I want to ssh to a server using a password I need to specify -o PubkeyAuthentication=no or I won’t be asked for a password and the authentication will fail (well, for all I know, setting some other option may work too).

I use password authentication only once on freshly installed servers/vms, so it’s not a huge deal, but… it still bothers me (mainly because I don’t remember which option to set).

Do you guys have any idea what it may be?

client's ~/.ssh/config
Host 127.*.*.* 192.168.*.* 10.*.*.* 172.16.*.* 172.17.*.* 172.18.*.* 172.19.*.* 172.2?.*.* 172.30.*.* 172.31.*.*
  LogLevel quiet
  Stricthostkeychecking no
  Userknownhostsfile /dev/null

Host *
  ForwardAgent no
  AddKeysToAgent no
  Compression yes
  ServerAliveInterval 10
  ServerAliveCountMax 3
  HashKnownHosts no
  UserKnownHostsFile ~/.ssh/known_hosts
  ControlMaster no
  ControlPath ~/.ssh/master-%r@%n:%p
  ControlPersist no
server's /etc/ssh/sshd_config (it's from the nixos install iso)
AuthorizedPrincipalsFile none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
GatewayPorts no
KbdInteractiveAuthentication yes
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
LogLevel INFO
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
PasswordAuthentication yes
PermitRootLogin yes
PrintMotd no
StrictModes yes
UseDns no
UsePAM yes
X11Forwarding no
Banner none
AddressFamily any
Port 22
Subsystem sftp /nix/store/78mv13w9mgh0s0rd7rnr6ff4d7a39bpd-openssh-9.7p1/libexec/sftp-server 
AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys.d/%u
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
  • telemaphone@beehaw.org
    link
    fedilink
    arrow-up
    7
    ·
    2 months ago

    How many private keys do you happen to have in .ssh? MaxAuthTries defaults to 6, and keys are always tried before you are prompted for a password. Unless you set PubkeyAuthentication=no, or specify a single key, the ssh client will happily grind through each key until the server cuts you off.

    • sgibson5150@slrpnk.net
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      I ran into this today using ssh-copy-id on a new Debian box. Seems like that tool is biased toward copying a second key instead of a first. Either that or they assume most users use one key pair everywhere (and thus only have one loaded in their agent). I use one key pair per user per box. Excessive? 🤔