SSH Authentication Order: Password and Public Key

Tags: password, public-key, ssh

When I log in via ssh with -v, I see that ssh is authenticating the following way:

debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased

I would like to change the order… any idea how?

My bigger problem is that users with locked accounts can still log in via public keys.
I have found that I could add the user to a group "ssh-locked" and deny that group from sshing, but I am still wondering if there is a way to tell sshd:
Please check password before keys…

Best Answer

The ssh server decides which authentication options it allows; the ssh client can be configured to decide in which order to try them.

The ssh client uses the PreferredAuthentications option in the ssh config file to determine this.

From man ssh_config (see it online here):

PreferredAuthentications
             Specifies the order in which the client should try protocol 2 authentication methods.  This allows a client to prefer
             one method (e.g. keyboard-interactive) over another method (e.g. password).  The default is:

                   gssapi-with-mic,hostbased,publickey,
                   keyboard-interactive,password

I don't believe it's possible, without playing with the source, to tell the OpenSSH server to prefer a certain order - if you think about it, it doesn't quite make sense anyway.
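The asker's underlying worry, accounts locked with `passwd -l` that still hold an authorized_keys file and so remain reachable over ssh, can be audited directly. The script below is an added example, not part of the original question or answer; it assumes shadow-format lock markers (`!` or `*` at the start of the password field) and takes passwd/shadow-format files as arguments, here constructed samples, so it runs without root.

```shell
#!/bin/sh
# Audit: locked accounts that still have a usable authorized_keys file.
# Added example, not from the original post. Lock detection assumes the
# shadow convention: password field starting with '!' (passwd -l/usermod -L)
# or '*' (no usable password).

# Usage: find_locked_with_keys PASSWD_FILE SHADOW_FILE
# Prints "user:path" for every locked account whose authorized_keys is non-empty.
find_locked_with_keys() {
    passwd_file=$1
    shadow_file=$2
    while IFS=: read -r user pw rest; do
        case $pw in
            '!'*|'*'*) ;;        # locked or no password: candidate
            *) continue ;;       # usable password hash: not our concern here
        esac
        # Resolve the home directory from the passwd file (field 6)
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd_file")
        [ -n "$home" ] || continue
        keys="$home/.ssh/authorized_keys"
        if [ -s "$keys" ]; then
            printf '%s:%s\n' "$user" "$keys"
        fi
    done < "$shadow_file"
}

# Constructed sample data in a temp directory so the example runs offline.
# Prints the directory path; caller removes it when done.
build_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice/.ssh" "$tmp/home/bob/.ssh" "$tmp/home/carol"
    printf 'ssh-ed25519 AAAA...constructed alice@example\n' > "$tmp/home/alice/.ssh/authorized_keys"
    : > "$tmp/home/bob/.ssh/authorized_keys"     # empty file: no usable key
    {
        printf 'alice:x:1001:1001::%s/home/alice:/bin/sh\n' "$tmp"
        printf 'bob:x:1002:1002::%s/home/bob:/bin/sh\n' "$tmp"
        printf 'carol:x:1003:1003::%s/home/carol:/bin/sh\n' "$tmp"
    } > "$tmp/passwd"
    {
        printf 'alice:!$6$constructedhash:19000:0:99999:7:::\n'   # locked, has key
        printf 'bob:!:19000:0:99999:7:::\n'                        # locked, empty keys
        printf 'carol:$6$constructedhash:19000:0:99999:7:::\n'    # active password
    } > "$tmp/shadow"
    printf '%s\n' "$tmp"
}

# Run against the constructed sample (as root, use /etc/passwd and /etc/shadow).
sample=$(build_sample)
find_locked_with_keys "$sample/passwd" "$sample/shadow"
rm -rf "$sample"
```

Any account the script lists is exactly the case the asker describes: sshd will still accept its key because locking the password does not touch authorized_keys, so those keys need removing or the account needs an `AuthorizedKeysFile`/`DenyGroups` policy of the kind mentioned in the question.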