Configuring SSH Authentication Order: How to Prioritize Password Before Public Key Authentication


When examining SSH authentication flow with ssh -v, we typically see output like:

debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased

This is the list of methods the server will accept; by default the client tries publickey before password. That ordering can create security concerns when:

  • Account locking mechanisms are bypassed via publickey auth
  • You want to enforce password validation first
  • Compliance requires multi-factor authentication sequence

The solution lies in the AuthenticationMethods directive in /etc/ssh/sshd_config:

# Require password first, then publickey (comma-separated: every listed
# method must succeed, in the order given)
AuthenticationMethods password,publickey

# Alternative: accept either method on its own (space-separated lists are
# alternatives; this enforces no ordering, the client picks)
AuthenticationMethods password publickey

For group-based restrictions, combine with Match blocks:

Match Group ssh-locked
    AuthenticationMethods password
    PasswordAuthentication yes
    PubkeyAuthentication no

Here's a complete configuration snippet for enforcing password-first authentication:

# /etc/ssh/sshd_config
PasswordAuthentication yes
PubkeyAuthentication yes
# Comma-separated: password must succeed before publickey is tried
AuthenticationMethods password,publickey

# Locked accounts group policy
Match Group restricted-users
    AuthenticationMethods password
    PermitEmptyPasswords no
    MaxAuthTries 3

After modifying the config:

  1. sudo systemctl restart sshd
  2. Test with ssh -vvv user@host
  3. Check auth logs: tail -f /var/log/auth.log

Expected successful output:

debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: password
user@host's password:

  • Always maintain at least one backup authentication method
  • Combine with fail2ban for brute force protection
  • Consider using PAM modules for additional checks
  • Document changes for team awareness

When examining SSH debug output (-v flag), you'll notice the default authentication order:

debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased

This reveals that SSH attempts public key authentication before password validation, which can lead to security concerns - particularly when dealing with locked accounts that still have valid public keys.

The fundamental problem manifests when:

  • User accounts get locked via passwd -l or PAM mechanisms
  • Existing authorized_keys entries remain valid
  • SSH's default authentication order bypasses account status checks

To modify the authentication order, edit your /etc/ssh/sshd_config:

# Force password authentication before public key (comma-separated:
# both methods are required, in this order)
AuthenticationMethods password,publickey
PasswordAuthentication yes
PubkeyAuthentication yes

This configuration change ensures:

  1. SSH first validates account status via password authentication
  2. Only then proceeds to public key verification if password succeeds

For more granular control, implement group-based restrictions:

# Locked accounts: password only, keys are ignored
Match Group ssh-locked
    AuthenticationMethods password
    PasswordAuthentication yes
    PubkeyAuthentication no

# Everyone else: password first, then public key
# (for each keyword, the first matching Match block wins, so this must
# come after the more specific block above)
Match All
    AuthenticationMethods password,publickey

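The two AuthenticationMethods forms on this page (comma-joined = all methods required, in order; space-separated = any one alternative suffices) and the first-matching-Match-block rule are easy to get wrong, so as an added example (not code from the original post) here is a small Python checker that reads a constructed sshd_config and reports which method sequences a user in given groups would face. It recognises only Match Group and Match All criteria, an assumption that covers the blocks shown above.

```python
# Constructed sample sshd_config (not taken from the page's host).
SAMPLE_CONFIG = """
PasswordAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods password,publickey

Match Group ssh-locked
    AuthenticationMethods password
    PubkeyAuthentication no

Match Group admins
    AuthenticationMethods publickey password
"""

def effective_value(config, keyword, groups):
    """Effective value of `keyword` for a user in `groups`, mirroring sshd:
    the global setting applies unless a satisfied Match block sets the
    keyword, and among satisfied blocks only the first that sets it wins.
    Only 'Match Group' and 'Match All' are recognised (assumption; see lead-in).
    """
    value, in_match, applies, match_set = None, False, False, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key.lower() == "match":
            in_match = True
            crit = rest.split()
            applies = (len(crit) == 1 and crit[0].lower() == "all") or (
                len(crit) == 2 and crit[0].lower() == "group"
                and any(g in groups for g in crit[1].split(","))
            )
            continue
        if key.lower() != keyword.lower():
            continue
        if not in_match:
            value = rest.strip()          # global section
        elif applies and not match_set:
            value, match_set = rest.strip(), True
    return value

def explain_methods(value):
    """Comma-joined methods are one alternative that must ALL succeed, in
    order; space-separated alternatives may EACH satisfy sshd alone, e.g.
    'password,publickey' -> [['password','publickey']], 'password publickey'
    -> [['password'],['publickey']]."""
    return [alt.split(",") for alt in value.split()]
```

On a live host the authoritative check is `sshd -T -C user=alice,host=client.example,addr=192.0.2.10 | grep -i authenticationmethods`, which prints the value sshd would actually apply for that connection (hypothetical user and addresses).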
After making changes, test with:

ssh -v user@host

You should now see password authentication attempted first:

debug1: Authentications that can continue: password,publickey

  • Ensure PAM is properly configured for account locking
  • Consider using AllowUsers/AllowGroups for additional restrictions
  • Remember to restart sshd (systemctl restart sshd) after config changes