RCA-2026-03-16-002: SSH Config Order

Executive Summary

SSH to Cisco ISE failed with "Permission denied" without prompting for password. Root cause: Host * block in SSH config set PasswordAuthentication no before the ISE-specific block was processed. SSH config uses first-match-wins for each option, so global defaults must come AFTER device-specific exceptions.

Timeline

Time Event

Time	Event
2026-03-16 12:30	Attempted `ssh ise-02`, got "Permission denied (publickey,password)"
2026-03-16 12:35	Tried various SSH options, still no password prompt
2026-03-16 12:40	Verbose output showed SSH trying keys, never attempting password
2026-03-16 12:45	Identified `Host *` block setting `PasswordAuthentication no` before ISE block
2026-03-16 12:47	Confirmed fix with explicit options on command line

2026-03-16 12:30

Attempted ssh ise-02, got "Permission denied (publickey,password)"

2026-03-16 12:35

Tried various SSH options, still no password prompt

2026-03-16 12:40

Verbose output showed SSH trying keys, never attempting password

2026-03-16 12:45

Identified Host * block setting PasswordAuthentication no before ISE block

2026-03-16 12:47

Confirmed fix with explicit options on command line

Metadata

Field	Value
RCA ID	RCA-2026-03-16-002
Author	Evan Rosado
Date Created	2026-03-16
Status	Final

Field

Value

RCA ID

RCA-2026-03-16-002

Author

Evan Rosado

Date Created

2026-03-16

Status

Final