SSH - Too Many Authentication Failures

1 minute read

If you have a lot of SSH keys loaded you may run into the dreaded:

Received disconnect from 2: Too many authentication failures for spike

This happens because the SSH client tries each key in order, until it finds one that works. The SSH server allows only so many authentication attempts before kicking the client to the curb (default 6, controlled by the MaxAuthTries setting). Fortunately, there’s a fix. The simple solution is to remove any extraneous keys, and I have a whole blog post about key management. However, there are legitimate reasons to have a lot of keys loaded and manually managing them is a pain. The alternative is to do a little house keeping and specify which keys belong to which hosts.

You need to configure which key (“IdentityFile”) goes with which domain (or host). You also want to handle the case when the specified key doesn’t work, which would usually be because the public key isn’t in ~/.ssh/authorized_keys on the server. The default is for SSH to then try any other keys it has access to, which takes us back to too many attempts. Setting “IdentitiesOnly” to “yes” tells SSH to only try the specified key and, if that fails, fall through to password authentication (presuming the server allows it).

Your ~/.ssh/config would look like:

Host *
  IdentitiesOnly yes
  IdentityFile ~/.ssh/example_rsa
  IdentitiesOnly yes
  IdentityFile ~/.ssh/secure_rsa
Host *.other.domain
  IdentitiesOnly yes
  IdentityFile ~/.ssh/other_rsa

Note that you can have multiple IdentityFile directives, handling the case where not all servers have the same key.

Host *
  IdentitiesOnly yes
  IdentityFile ~/.ssh/example_rsa
  IdentityFile ~/.ssh/example_dsa

Combined with IdentitiesOnly yes this will cause both keys to be tried before falling back to password authentication.

Finally, in a pinch you can do this from the command line:

ssh -o IdentitiesOnly=yes -i ~/.ssh/example_rsa

Alternatively, if you are trying to get to a host without authorized_keys, you can skip the keys altogether with:

ssh -o PubkeyAuthentication=no

And you’re in!

Tags: ,