Home / server / Questions / 61915
Accepted
rjmunro
Asked: 2009-09-04 02:58:01 +0800 CST

How do I make ssh fail rather than prompt for a password if the public-key authentication fails?

  • 772

I've got a script that SSHes several servers using public key authentication. One of the servers has stopped letting the script log in due to a configuration issue, which means that the script gets stuck with a "Password:" prompt, which it obviously cannot answer, so it doesn't even try the rest of the servers in the list.

Is there a way to tell the ssh client not to prompt for a password if key authentication fails, but instead to just report an error connecting and let my script carry on?

authentication ssh public-key

5 Answers

  1. Best Answer

    For OpenSSH there is BatchMode, which in addition to disabling password prompting, should disable querying for passphrase(s) for keys.

    BatchMode

    If set to “yes”, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be “yes” or “no”. The default is “no”.

    Sample usage:

    ssh -oBatchMode=yes -l <user> <host> <dostuff>
    • 171

    • To disable password authentication for the current ssh connection attempt, pass this option on the command line:

      -o PasswordAuthentication=no

    • To disable password authentication for all future connections to any host add the following to your ~/.ssh/config:

      PasswordAuthentication no

    • To disable it for just some hosts, add the following to ~/.ssh/config:

      Host host1 host2 host3...
    PasswordAuthentication no

    The options above apply to out-going ssh connections, i.e. where you're trying to connect to a remote ssh server.

    To disable password authentication on an ssh server (i.e. applies to all incoming ssh connections), add PasswordAuthentication no to /etc/ssh/sshd_config and restart sshd.

    • 43

  3. If you are using dropbear, just add the "-s" option to disable password authentication.

    • 12

  4. On the command line (or ~/.ssh/config) you can set PreferredAuthentications.

    PreferredAuthentications=publickey
    • 9

  5. Here is a sample sftp bash script snippet. I am using "-o BatchMode=Yes" to disable the password prompt in case of failure. And check the frp return code to check if the ftp connection failed.

    sftp -o "IdentityFile=<YOUR_IDENTTIY_FILE>"  -o "BatchMode=Yes" [email protected] <<EOF

cd /$remotepath
mget *.csv $localpath/download

quit
EOF
exit_code=$?
if [[ $exit_code != 0 ]]; then
   echo "sftp error, failed to connect to ftp server" >&2
   exit 1
fi
    • 2