142

I've got a script that SSHes several servers using public key authentication. One of the servers has stopped letting the script log in due to a configuration issue, which means that the script gets stuck with a "Password:" prompt, which it obviously cannot answer, so it doesn't even try the rest of the servers in the list.

Is there a way to tell the ssh client not to prompt for a password if key authentication fails, but instead to just report an error connecting and let my script carry on?

rjmunro

5 Answers

171

For OpenSSH there is BatchMode, which in addition to disabling password prompting, should disable querying for passphrase(s) for keys.

BatchMode

If set to “yes”, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be “yes” or “no”. The default is “no”.

Sample usage:

    ssh -oBatchMode=yes -l <user> <host> <dostuff>

Kjetil Joergensen
  • 3
    This disabled public key authentication for me. I was specifying as ssh user@host -C somecommand, however. What ended up working for me is just `ssh user@host -oPreferredAuthentications=publickey -C 'echo success'` – A.B. Carroll Sep 03 '19 at 07:33
43
  • To disable password authentication for the current ssh connection attempt, pass this option on the command line:

    -o PasswordAuthentication=no
    
  • To disable password authentication for all future connections to any host add the following to your ~/.ssh/config:

    PasswordAuthentication no
    
  • To disable it for just some hosts, add the following to ~/.ssh/config:

    Host host1 host2 host3...
        PasswordAuthentication no
    

The options above apply to out-going ssh connections, i.e. where you're trying to connect to a remote ssh server.

To disable password authentication on an ssh server (i.e. applies to all incoming ssh connections), add `PasswordAuthentication no` to `/etc/ssh/sshd_config` and restart sshd.

cas
  • 8
    If you don't want to disable password auth for all ssh client connections, you can also specify options on the command line. Add '-oPasswordAuthentication=no' to your ssh command. – cas Sep 03 '09 at 11:23
  • 9
    This does not prevent the password prompt. OP's script will still hang. – Joshua Swink Nov 04 '09 at 20:02
  • 2
    @JoshuaSwink: Yes it does. I just tried it (on the command line as `-oPasswordAuthentication=no`). You get an error like `Permission denied (publickey,password).` and it exits immediately. – Timmmm Dec 18 '19 at 16:53
  • Doesn't work for me. Curious to know why not, it seems like it should work. (-oBatchMode=yes and -oNumberOfPasswordPrompts=0 both work for me so YMMV) – Ben Aveling Jul 21 '21 at 06:23
12

If you are using dropbear, just add the "-s" option to disable password authentication.

sybreon
9

On the command line (or ~/.ssh/config) you can set PreferredAuthentications.

    PreferredAuthentications=publickey

slm
Amandasaurus
  • I think that, on the command line, you need to wrap the option in quotes and then pass it to the -o option. – Craig Walker Sep 11 '09 at 01:20
  • 5
    @CraigWalker You can also pass it as is, i.e. `ssh -o PreferredAuthentications=publickey` – Tobias Kienzler Oct 29 '13 at 13:33
  • @CraigWalker You need quotes if you wish to use spaces to separate the option and the value e.g. `ssh "-oPreferredAuthentications publickey"` – Timo Mar 14 '18 at 12:02
2

Here is a sample sftp bash script snippet. I am using "-o BatchMode=Yes" to disable the password prompt in case of failure. And check the ftp return code to check if the ftp connection failed.

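    # BatchMode=Yes makes sftp fail instead of prompting for a password.
    sftp -o "IdentityFile=<YOUR_IDENTITY_FILE>" -o "BatchMode=Yes" userName@ftpserver.com <<EOF

    cd /$remotepath
    mget *.csv $localpath/download

    quit
    EOF
    exit_code=$?
    # A non-zero exit status means the sftp session did not succeed.
    if [[ $exit_code != 0 ]]; then
       echo "sftp error, failed to connect to ftp server" >&2
       exit 1
    fi
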
Sandip S
  • 1
    Just wanted to add that BatchMode set to yes is what disables the interactive auth (i.e. password prompt). – Rouben Jun 19 '20 at 03:44
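
The multi-server loop from the question, using `BatchMode=yes` from the answers above together with an exit-status check, as an added example that is not part of any post on this page. The `SSH_CMD` override, the list variable names, the 10-second `ConnectTimeout` and the host names are assumptions made for illustration; the loop relies on ssh exiting with status 255 when the connection or authentication itself fails.

```shell
#!/bin/sh
# Added example: run one command on every host without blocking on a prompt.
# SSH_CMD is a hypothetical override hook (not an ssh feature) so the loop
# can be exercised offline with a stub; it defaults to the real client.
SSH_CMD=${SSH_CMD:-ssh}

# run_on_hosts REMOTE_COMMAND HOST...
# Sets OK_HOSTS, SSH_FAILED and CMD_FAILED (space-separated lists) and
# returns non-zero if any host failed, but only after trying all of them.
run_on_hosts() {
    remote_cmd=$1
    shift
    OK_HOSTS='' SSH_FAILED='' CMD_FAILED=''
    for host in "$@"; do
        rc=0
        # BatchMode=yes: never ask for a password or key passphrase.
        # ConnectTimeout=10 (assumed value): do not hang on a dead host.
        # -n: stdin from /dev/null so ssh cannot consume the script's input.
        "$SSH_CMD" -n -o BatchMode=yes -o ConnectTimeout=10 \
            "$host" "$remote_cmd" || rc=$?
        case $rc in
            0)
                OK_HOSTS="${OK_HOSTS:+$OK_HOSTS }$host" ;;
            255)
                # ssh itself reports connection/authentication errors as 255.
                SSH_FAILED="${SSH_FAILED:+$SSH_FAILED }$host"
                echo "ssh to $host failed (connect/auth), skipping" >&2 ;;
            *)
                # Any other status is the remote command's own exit status.
                CMD_FAILED="${CMD_FAILED:+$CMD_FAILED }$host:$rc"
                echo "command on $host exited with status $rc" >&2 ;;
        esac
    done
    [ -z "$SSH_FAILED$CMD_FAILED" ]
}

# Usage (constructed host names):
#   run_on_hosts 'uptime' web1.example.com web2.example.com \
#       || echo "failed: $SSH_FAILED $CMD_FAILED" >&2
```

Separating status 255 from other non-zero values lets the script tell "could not log in" apart from "logged in, but the remote command failed".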