SSH aborts with Too many authentication failures

Solution 1:

According to an older* ssh-config(5) man page, ssh will always try all keys known by the agent in addition to any Identity Files:

 IdentitiesOnly

         Specifies that ssh(1) should only use the authentication identity files
         configured in the ssh_config files, even if ssh-agent(1) offers more
         identities.  The argument to this keyword must be “yes” or “no”.  This
         option is intended for situations where ssh-agent offers many different
         identities.  The default is “no”.


 IdentityFile
         Specifies a file from which the user's DSA, ECDSA or RSA authentication
         identity is read.  The default is ~/.ssh/identity for protocol version 1,
         and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for protocol
         version 2.  Additionally, any identities represented by the  
         authentication agent will be used for authentication.  ssh(1) will try
         to load certificate information from the filename obtained by
         appending -cert.pub to the path of a specified IdentityFile.

To prevent this, one must specify IdentitiesOnly=yes in addition to the explicitly provided private key.

For example, running the ssh command below:

$ ssh -i /home/henk/.vagrant.d/insecure_private_key \
  [email protected] echo ok

produces:

Received disconnect from 192.168.222.111: 2: Too many authentication 
failures for vagrant

However, running the same ssh command and, in addition, specifying IdentitiesOnly=yes:

$ ssh -o IdentitiesOnly=yes \
  -i /home/henk/.vagrant.d/insecure_private_key [email protected] echo ok

produces:

ok

* Note: The OpenBSD project hosts up to date docs for IdentitiesOnly and IdentityFile. These include extra text for new features that do not change the essence of this answer.

Solution 2:

So I had 5 keys in my ssh-agent and despite the explicit option of using the vagrant ssh key it still insisted on looping through keys in my agent before reaching max_tries conveniently before getting to the right key.

To check you have this problem: Run ssh-add -l - if this list is > 5 you need to remove keys or disable the agent.

To fix: Run ssh-add -d ~/.ssh/X where X is the key you want to remove.

Solution 3:

After I tried all advises here without success, I recognized that my problem was the new authentication method (GSSAPI), which was always unsuccessful.

I solved this by editing ~/.ssh/config file:

Host *
  GSSAPIAuthentication no

Hope this helps somebody too.

Solution 4:

To prevent failure from trying too many keys, we can ssh using -o 'IdentitiesOnly=yes' e.g ssh -i privateKey -o 'IdentitiesOnly=yes' user@host

alternatively, we can add the following lines to ~/.ssh/config file

Host *
IdentitiesOnly yes

Solution 5:

Your ssh-agent holds more keys than the ssh server allows authentication attempts ("MaxAuthTries", default: 6).

Note that some ssh-agents, in particular the GNOME Keyring, autoload all keys they find in ~/.ssh, and that these keys cannot be unloaded with "ssh-add -[dD]".

Here are some solutions:

  • You have configured the correct key in your ~/.ssh/config already, so you don't need the agent. Make the client ignore the agent, e.g. unset SSH_AUTH_SOCK or use "IdentitiesOnly=yes" as @henk-langeveld suggested
  • Move some keys out of ~/.ssh (a subdir like ~/.ssh/noauto works too) to prevent them from getting auto-loaded. You can still ssh-add them manually if you need them.
  • Increase "MaxAuthTries" on the server side, the number of allowed authentication attempts