Thursday 4 July 2019

SSH: Use password authentication despite availability of key-pair



Introduction

In this brief article we'll talk about a request I recently received from an application team in our organization. Here's the requirement:

"We have password less authentication configured between two users but we would like to login using a password as well when we need to."

I did try to explain that if key-based authentication is rejected, SSH will fall back to password-based authentication anyway, unless that is set to no in the sshd_config file. The parameter I'm talking about is PasswordAuthentication, and it is set to yes by default.

To facilitate this requirement we need to use the PreferredAuthentications option with the ssh command and set its value to password.

I'll now demonstrate using this option in a practical scenario.

The setup:

I'm working on a CentOS 7.6 system and have created two users, test_user1 and test_user2. I've copied the public key for test_user1 over to the authorized_keys file for test_user2 to facilitate passwordless login.

[test_user@bolt-lab ~]$ ssh-copy-id test_user2@bolt-lab
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/test_user/.ssh/id_dsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
test_user2@bolt-lab's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'test_user2@bolt-lab'"
and check to make sure that only the key(s) you wanted were added.

The key has been copied over successfully. Now let's verify by logging in.

[test_user@bolt-lab ~]$ ssh test_user2@bolt-lab
[test_user2@bolt-lab ~]$

Now let's try to log in with the PreferredAuthentications option set to password.

[test_user@bolt-lab ~]$ ssh -o PreferredAuthentications=password test_user2@bolt-lab
test_user2@bolt-lab's password:
[test_user2@bolt-lab ~]$

There you have it. This option works.

Q) Now we know that this option works for SSH but what about SFTP and SCP?
A) It does work with these as well and here is a demo to verify.

[test_user@bolt-lab ~]$ sftp test_user2@bolt-lab
Connected to bolt-lab.
sftp> ^D
[test_user@bolt-lab ~]$
[test_user@bolt-lab ~]$ sftp -o PreferredAuthentications=password test_user2@bolt-lab
test_user2@bolt-lab's password:
Connected to bolt-lab.
sftp> ^D
[test_user@bolt-lab ~]$
[test_user@bolt-lab ~]$ touch abc.txt
[test_user@bolt-lab ~]$ scp abc.txt test_user2@bolt-lab:~
abc.txt                                                                                                                  100%    0     0.0KB/s   00:00
[test_user@bolt-lab ~]$ scp -o PreferredAuthentications=password abc.txt test_user2@bolt-lab:~
test_user2@bolt-lab's password:
abc.txt                                                                                                                  100%    0     0.0KB/s   00:00
[test_user@bolt-lab ~]$
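
The password prompts above appear only because the server still accepts passwords, as the introduction notes about PasswordAuthentication. The following is an added example, not part of the original article: a hypothetical helper, effective_password_auth, that reads sshd_config text on stdin and reports the global value sshd would use, run here against a constructed sample. It assumes no Include directives and does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example: report the global PasswordAuthentication value that an
# sshd_config text yields. Function names and the sample are hypothetical.

effective_password_auth() {
    awk '
        {
            sub(/^[ \t]+/, "")                  # drop leading whitespace
            if ($0 == "" || $0 ~ /^#/) next      # skip blanks and comments
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)      # accept the Keyword=value form
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])                  # keywords are case-insensitive
            if (key == "match") exit             # global section ends at first Match
            if (key == "passwordauthentication" && n >= 2) {
                print tolower(f[2])              # first value obtained wins
                found = 1
                exit
            }
        }
        END { if (!found) print "yes" }          # default when the keyword is absent
    '
}

# Constructed sample config, not taken from the host in the article.
sample_config() {
    cat <<'EOF'
# constructed sample
Port 22
#PasswordAuthentication yes
passwordauthentication no
PasswordAuthentication yes
Match User test_user2
    PasswordAuthentication yes
EOF
}

# Global result for the sample: the first uncommented value is used.
echo "global PasswordAuthentication: $(sample_config | effective_password_auth)"
```

On a live server, running sshd -T as root prints the effective settings, including any changes this text-only check cannot see.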


Conclusion

We hope you found this article useful and it encourages you to explore more options and flags pertaining to the SSH protocol.
