While debugging a different issue in curl, I was wondering why the configuration option `KbdInteractiveAuthentication no` does not affect what authentication options are used. The authentication is handled by the application state machine calling `ssh_userauth_kbdint()` unconditionally and the flags set by the configuration are handled only in `ssh_userauth_publickey_auto()`. https://gitlab.com/libssh/libssh-mirror/-/blob/master/src/auth.c?ref_type=heads#L1192 I think the similar block should be at the beginning of every auth function to skip the authentication methods we do not want to use. But this looks like it would not solve issues such as https://github.com/curl/curl/pull/11197 where curl fail to fallback from the kbdinteractive authentication to password.