When working with SSH authentication, there are scenarios where you might want to bypass your public key authentication temporarily and force password-based login. The default behavior of OpenSSH clients can be frustrating when it keeps prompting for your key's passphrase even when you specifically want to use password authentication.
The common suggestion of using -o PreferredAuthentications=password often doesn't work as expected because:
# This still prompts for key passphrase first:
ssh -o PreferredAuthentications=password user@host
The client still tries to use your SSH key before falling back to password authentication.
Method 1: Temporarily Disable Key Authentication
The most reliable way is to tell SSH not to offer your public key at all:
ssh -o PubkeyAuthentication=no user@host
Method 2: Combined Preferred Authentication
For more precise control, combine multiple options:
ssh -o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no user@host
Method 3: Using a Custom Configuration
Create an alias or host-specific config in ~/.ssh/config:
Host specific-host
HostName host.example.com
User myusername
PubkeyAuthentication no
PreferredAuthentications password
These methods work because:
PubkeyAuthentication=noprevents SSH from even offering your public key- The server never sees your public key, so it defaults to password authentication
- No modifications are needed on the server side
Here's how you might use this in practice:
# Normal connection using SSH keys
ssh production-server
# Temporary password login for troubleshooting
ssh -o PubkeyAuthentication=no backup-server
When you have SSH keys configured, the OpenSSH client will always try to use them first by default. This becomes problematic when:
- You need to use password authentication for a specific server
- Your SSH key has a passphrase and you don't want to enter it
- The server is configured to fall back to password auth but still prompts for key passphrase first
The common suggestion of using:
ssh -o PreferredAuthentications=password host.example.org
often fails because SSH still tries to load your keys first. This happens due to the client's default behavior of loading keys before processing authentication methods.
Here are three reliable ways to bypass SSH keys completely:
1. Using -o IdentitiesOnly=yes
The most effective method is to combine two options:
ssh -o PreferredAuthentications=password -o IdentitiesOnly=yes user@host
IdentitiesOnly=yes tells SSH not to use any keys from your agent, while PreferredAuthentications=password specifies the auth method.
2. Temporary SSH Config
For frequent use with specific hosts, add this to your ~/.ssh/config:
Host special-server
HostName host.example.org
User yourusername
PreferredAuthentications password
IdentitiesOnly yes
Then simply use:
ssh special-server
3. Using an Empty Identity File
Force SSH to use an empty key file:
ssh -o IdentitiesOnly=yes -i /dev/null user@host
For regular use, create an alias in your shell rc file:
alias sshpw='ssh -o PreferredAuthentications=password -o IdentitiesOnly=yes'
Now you can just run:
sshpw user@host
If you're still having issues, use verbose mode to see what's happening:
ssh -vvv -o PreferredAuthentications=password -o IdentitiesOnly=yes user@host
Look for these key lines in the output:
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password