I’ve long used public/private keys as my default way of authenticating via SSH, for the following reasons:
- I don’t need to share my credentials with whoever creates the account.
- I can opt for an empty passphrase when creating keys, which removes the annoying requirement to keep entering a password, and is particularly useful with automated tasks such as backups.
I also disable password authentication for SSH on the server side, for these reasons:
- It removes the possibility of someone gaining access by correctly guessing a password.
- It removes the need to check whether a password is correct, which could be a relatively expensive operation – especially if passwords are stored on another server and accessed via LDAP or SQL.
Once I’ve done this, the question is how to check that SSH is configured correctly, i.e. that attempts to authenticate with a password fail, even with the correct password. I can’t use a basic ssh user@host, because that will try my key first and never get as far as the password. Fortunately though, the SSH client has a PreferredAuthentications=password option, which sets the order of authentication methods the client tries, so password authentication comes first (and here is the only method attempted):
ssh -o PreferredAuthentications=password user@host
That’s all you need to force password authentication.
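As an added example (not from the original post), the check can be scripted so it never blocks on a password prompt: with BatchMode=yes the client skips the prompt and its final "Permission denied (...)" line lists the methods the server still allows, which is what we want to inspect. The server-side helper parses the output of sshd -T (the effective configuration) and also looks at keyboard-interactive, because PAM can accept passwords through that method even when PasswordAuthentication is off. user@host is a placeholder.

```shell
#!/bin/sh
# Added example: verify that password authentication is really disabled.

# Interpret ssh's final "Permission denied (<methods>)" line. The list in
# parentheses is what the server advertises as still acceptable.
classify_denied_line() {
    # $1: ssh stderr text (captured below, or constructed in a test)
    methods=$(printf '%s\n' "$1" \
        | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | tail -n 1)
    if [ -z "$methods" ]; then
        echo "unknown"          # no denial seen: network error or auth succeeded
        return 0
    fi
    case ",$methods," in
        *,password,*|*,keyboard-interactive,*) echo "password-enabled" ;;
        *) echo "password-disabled" ;;
    esac
}

# Client-side probe. PreferredAuthentications=password keeps the key from
# being offered; BatchMode=yes suppresses the password prompt, so the
# command returns immediately with the server's method list.
check_remote_password_auth() {
    # $1: user@host (placeholder)
    out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
              -o PreferredAuthentications=password \
              -o PubkeyAuthentication=no "$1" true 2>&1)
    classify_denied_line "$out"
}

# Server-side check on the effective config (`sshd -T`, lowercase keywords).
# Both password and keyboard-interactive must be off; older sshd spells the
# latter "challengeresponseauthentication".
server_password_setting() {
    # $1: text of `sshd -T` output
    pw=$(printf '%s\n' "$1" | awk '$1 == "passwordauthentication" { print $2 }')
    kbd=$(printf '%s\n' "$1" | awk '$1 == "kbdinteractiveauthentication" ||
        $1 == "challengeresponseauthentication" { print $2 }' | head -n 1)
    if [ "$pw" = "no" ] && [ "$kbd" = "no" ]; then
        echo "disabled"
    else
        echo "not-disabled"     # covers "yes" and a missing keyword alike
    fi
}
```

On the server, run server_password_setting "$(sshd -T)" as root; from a client, check_remote_password_auth user@host should print password-disabled.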