If you have a lot of SSH keys loaded you may run into the dreaded:

1
Received disconnect from 10.10.10.10: 2: Too many authentication failures for spike

This happens because the SSH client tries each key in order, until it finds one that works. The SSH server allows only so many authentication attempts before kicking the client to the curb (default 6, controlled by the MaxAuthTries setting). Fortunately, there’s a fix.

The simple solution is to remove any extraneous keys, and I have a whole blog post about key management. However, there are legitimate reasons to have a lot of keys loaded and manually managing them is a pain. The alternative is to do a little house keeping and specify which keys belong to which hosts.

You need to configure which key (“IdentityFile”) goes with which domain (or host). You also want to handle the case when the specified key doesn’t work, which would usually be because the public key isn’t in ~/.ssh/authorized_keys on the server. The default is for SSH to then try any other keys it has access to, which takes us back to too many attempts. Setting “IdentitiesOnly” to “yes” tells SSH to only try the specified key and, if that fails, fall through to password authentication (presuming the server allows it).

Your ~/.ssh/config would look like:

1
2
3
4
5
6
7
8
9
Host *.example.com
  IdentitiesOnly yes
  IdentityFile ~/.ssh/example_rsa
Host secure.example.com
  IdentitiesOnly yes
  IdentityFile ~/.ssh/secure_rsa
Host *.other.domain
  IdentitiesOnly yes
  IdentityFile ~/.ssh/other_rsa

Note that you can have multiple IdentityFile directives, handling the case where not all servers have the same key.

1
2
3
4
Host *.example.com
  IdentitiesOnly yes
  IdentityFile ~/.ssh/example_rsa
  IdentityFile ~/.ssh/example_dsa

Combined with IdentitiesOnly yes this will cause both keys to be tried before falling back to password authentication.

Finally, in a pinch you can do this from the command line:

1
ssh -o IdentitiesOnly=yes -i ~/.ssh/example_rsa foo.example.com

Alternatively, if you are trying to get to a host without authorized_keys, you can skip the keys altogether with:

1
ssh -o PubkeyAuthentication=no other.example.com

And you’re in!

Comments