How can I programmatically detect ssh authentication types available?

Question

I'd like to write a monitoring plugin that checks various hosts on my network to make sure that password or interactive SSH authentication is not enabled. That is, I need to write code that:

1. Connects to an SSH port.
2. Enumerates available authentication methods.
3. Verifies that only key based authentication is possible.

Methods using either python or bourne sh code (using ssh) is most interesting to me, but other languages, libraries or hints are appreciated too.

Answer 1

I'm currently building one myself, however, you can force ssh to output (to STDERR) the supported methods by using the PreferredAuthentications option. This can easily be parsed with grep/python/language of choice.

HostA$ ssh -o PreferredAuthentications=none HostB
Permission denied (publickey,gssapi-with-mic).
HostA$ ssh -o PreferredAuthentications=none HostC
Permission denied (publickey,gssapi-with-mic,password,keyboard-interactive,hostbased).

Answer 2

RFC 4252, which defines authentication in SSH, says the following:

Authentication methods are identified by their name, as defined in [SSH-ARCH]. The "none" method is reserved, and MUST NOT be listed as supported. However, it MAY be sent by the client. The server MUST always reject this request, unless the client is to be granted access without any authentication, in which case, the server MUST accept this request. The main purpose of sending this request is to get the list of supported methods from the server.

So you can send a request for none authentication to get the list of supported ones. However, authentication itself occurs after certain lower-level actions take place (key exchange is one of them) so you might need to write a part of SSH protocol in sh script, which is probably a non-trivial task.