How to Force Password Authentication When SSH Public Key Fails: Client-Side Workarounds


2 views

When you need to SSH into a server from an untrusted machine, public key authentication becomes a security liability. The standard approach using ssh -o PubkeyAuthentication=no sometimes fails with "Permission denied (publickey)" errors, especially on older OpenSSH versions.

Here are three proven methods to enforce password authentication:

# Method 1: Full authentication reset (modern OpenSSH)
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host

# Method 2: Alternative approach for older versions
ssh -o PasswordAuthentication=yes -o NumberOfPasswordPrompts=1 user@host

# Method 3: Using a dummy config file
echo "PasswordAuthentication yes" > /tmp/ssh_tempconfig
ssh -F /tmp/ssh_tempconfig user@host

For these methods to work, the remote server must have:

  • PasswordAuthentication yes in /etc/ssh/sshd_config
  • ChallengeResponseAuthentication yes for keyboard-interactive
  • No AuthenticationMethods forcing publickey

If you still get publickey errors:

# Check what authentication methods the server offers
ssh -vvv user@host 2>&1 | grep "Authentications that can continue"

# Test with strict password-only mode
ssh -o PreferredAuthentications=keyboard-interactive -o PubkeyAuthentication=no -o PasswordAuthentication=yes user@host

Remember to:

  • Never enter passwords on compromised machines
  • Clear bash history after password authentication
  • Revoke temporary access by changing passwords

When you need to SSH into a server from an untrusted machine (like a borrowed laptop), public key authentication becomes a security liability. The challenge is forcing password authentication despite having configured keys, without modifying server configurations.

The commonly suggested approach using PreferredAuthentications=password often fails because:

  • Server-side may have PasswordAuthentication no in sshd_config
  • Older OpenSSH versions (pre-6.5) handle authentication methods differently
  • Some SSH servers ignore client-side preference orders

Here are three reliable methods to force password authentication:

Method 1: Using a Non-existent Key


ssh -o IdentitiesOnly=yes -i /nonexistent/keyfile user@host

This tricks SSH into falling back to password auth when key authentication fails.

Method 2: Environment Variable Override


SSH_AUTH_SOCK='' ssh user@host

Clearing the authentication socket prevents SSH from accessing your keys.

Method 3: Configuration Override


ssh -F /dev/null -o PubkeyAuthentication=no user@host

If these methods fail, check the remote server's /etc/ssh/sshd_config for:


PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
  • For OpenSSH < 6.5, add -o PreferredAuthentications=keyboard-interactive
  • If PAM is disabled, try -o KbdInteractiveAuthentication=yes
  • Debug with -vvv to see authentication method attempts

Remember that forcing password authentication on an untrusted machine means:

  • Potential keylogger risk
  • Session hijacking possibilities
  • Always change passwords after such sessions