Password-based Authentication for SSH

Password-based authentication is the simplest means of authenticating an SSH connection to another machine; the user provides the password for the account at the time of connection, or to another entity that authenticates on the user’s behalf using other mechanisms (Kerberos).

Because passwords are automatically resorted to whenever host-based and public key authentication fail, all the user has to do is connect to another system using ssh without trying the methods above to be prompted for the password:

somehost.usc.edu(1): ssh ttrojan@hostname
ttrojan@hostname's password:

somehost.usc.edu(2): ssh hostname -l ttrojan
ttrojan@hostname's password:

When run without a specified username, ssh assumes the current user’s username:

somehost.usc.edu(1): whoami
ttrojan
somehost.usc.edu(2): ssh hostname
ttrojan@hostname's password:

Kerberos Authentication

Users that have already authenticated with Kerberos and still have a non-expired ticket can use the ticket for authentication with SSH to other systems.

somehost.usc.edu(1): kinit
Password for ttrojan@ITS.USC.EDU:
somehost.usc.edu(2): ssh hostname

Kerberos tickets can also be forwarded when making a connection to another system, by requesting a fowardable ticket when running kinit:

somehost.usc.edu(1): kinit -f
Password for ttrojan@ITS.USC.EDU:
somehost.usc.edu(2): ssh hostname1

hostname1.usc.edu(1): ssh hostname2
hostname2.usc.edu(1):

Kerberos tickets, at this time, are not renewable.

Getting Help

Manual pages are available for the commands ssh, ssh-keygen, ssh-agent, and ssh-add, and can be viewed by running man ssh, man ssh-keygen, man ssh-agent, or man ssh-add, respectively, at the Unix prompt.

The ITS Customer Support Center (CSC) can assist users in running the scripts to create keys but will not extensively support users’ attempts to connect using authentication methods other than passwords.

Contact the ITS Customer Support Center.