If you have a lot of SSH keys loaded you may run into the dreaded:
This happens because the SSH client tries each key in order, until it finds one that works. The SSH server allows only so many authentication attempts before kicking the client to the curb (default 6, controlled by the MaxAuthTries setting). Fortunately, there’s a fix.
The simple solution is to remove any extraneous keys, and I have a whole blog post about key management. However, there are legitimate reasons to have a lot of keys loaded, and managing them manually is a pain. The alternative is to do a little housekeeping and specify which keys belong to which hosts.
You need to configure which key (“IdentityFile”) goes with which domain (or host). You also want to handle the case when the specified key doesn’t work, which would usually be because the public key isn’t in ~/.ssh/authorized_keys on the server. The default is for SSH to then try any other keys it has access to, which takes us back to too many attempts. Setting “IdentitiesOnly” to “yes” tells SSH to only try the specified key and, if that fails, fall through to password authentication (presuming the server allows it).
Your ~/.ssh/config would look like:
Note that you can have multiple IdentityFile directives, handling the case where not all servers have the same key.
With IdentitiesOnly yes, this will cause both keys to be tried before falling back to password authentication.
Finally, in a pinch you can do this from the command line:
Alternatively, if you are trying to get to a host without authorized_keys, you can skip the keys altogether with:
And you’re in!
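The per-host key mapping, the multiple-IdentityFile case and the command-line variants described above, written out as an added example (not the original post's listing). The host names, user names and key file paths are placeholders chosen for illustration.

```sshconfig
# Added example for ~/.ssh/config. Hosts, users and key paths are placeholders.

# One host, one key: only this key is offered, whatever else the agent holds.
Host git.example.com
    User git
    IdentityFile ~/.ssh/id_ed25519_git
    IdentitiesOnly yes

# A group of hosts where not every server has the same key:
# both listed keys are offered, in this order, and nothing else.
Host *.staging.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_staging
    IdentityFile ~/.ssh/id_rsa_legacy
    IdentitiesOnly yes

# Catch-all, placed last because ssh keeps the first value it finds for an option.
# Every other host gets only the default identity files (or a key passed with -i),
# never the full set of keys loaded in the agent.
Host *
    IdentitiesOnly yes

# One-off equivalents from the command line:
#   use a single named key for this connection only
#     ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519_git git@git.example.com
#   skip public-key authentication entirely and go straight to the password prompt
#     ssh -o PubkeyAuthentication=no deploy@new.staging.example.com
```

Running `ssh -G git.example.com` prints the options ssh resolves for that host, so the `identityfile` and `identitiesonly` values can be checked before connecting.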