Lately I noticed that when I want to ssh to a server using a password I need to specify -o PubkeyAuthentication=no
or I won’t be asked for a password and the authentication will fail (well, for all I know, setting some other option may work too).
I use password authentication only once on freshly installed servers/vms, so it’s not a huge deal, but… it still bothers me (mainly because I don’t remember which option to set).
Do you guys have any idea what it may be?
client's ~/.ssh/config
Host 127.*.*.* 192.168.*.* 10.*.*.* 172.16.*.* 172.17.*.* 172.18.*.* 172.19.*.* 172.2?.*.* 172.30.*.* 172.31.*.*
LogLevel quiet
Stricthostkeychecking no
Userknownhostsfile /dev/null
Host *
ForwardAgent no
AddKeysToAgent no
Compression yes
ServerAliveInterval 10
ServerAliveCountMax 3
HashKnownHosts no
UserKnownHostsFile ~/.ssh/known_hosts
ControlMaster no
ControlPath ~/.ssh/master-%r@%n:%p
ControlPersist no
server's /etc/ssh/sshd_config
(it's from the nixos install iso)
AuthorizedPrincipalsFile none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
GatewayPorts no
KbdInteractiveAuthentication yes
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
LogLevel INFO
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
PasswordAuthentication yes
PermitRootLogin yes
PrintMotd no
StrictModes yes
UseDns no
UsePAM yes
X11Forwarding no
Banner none
AddressFamily any
Port 22
Subsystem sftp /nix/store/78mv13w9mgh0s0rd7rnr6ff4d7a39bpd-openssh-9.7p1/libexec/sftp-server
AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys.d/%u
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
How would that improve security when all a bad actor has to do is add
-o PubkeyAuthentication=no
on their side?Also, I’m pretty sure it used to just ask for a password?
You would want to disable password authentication on the host.
I’m not part of the OpenSSH team so I don’t know the rational of the defaults
-o PubkeyAuthentication=no
should only work if the server is configured to allow password auth at all. I believe the advice these days is to disable password auth completely for security.