SSH aborts with Too many authentication failures
Solution 1:
According to an older* ssh-config(5) man page, ssh will always try all keys known by the agent in addition to any Identity Files:
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity files
configured in the ssh_config files, even if ssh-agent(1) offers more
identities. The argument to this keyword must be “yes” or “no”. This
option is intended for situations where ssh-agent offers many different
identities. The default is “no”.
IdentityFile
Specifies a file from which the user's DSA, ECDSA or RSA authentication
identity is read. The default is ~/.ssh/identity for protocol version 1,
and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for protocol
version 2. Additionally, any identities represented by the
authentication agent will be used for authentication. ssh(1) will try
to load certificate information from the filename obtained by
appending -cert.pub to the path of a specified IdentityFile.
To prevent this, one must specify IdentitiesOnly=yes in addition to the explicitly provided private key.
For example, running the ssh command below:
$ ssh -i /home/henk/.vagrant.d/insecure_private_key \
[email protected] echo ok
produces:
Received disconnect from 192.168.222.111: 2: Too many authentication
failures for vagrant
However, running the same ssh command and, in addition, specifying IdentitiesOnly=yes:
$ ssh -o IdentitiesOnly=yes \
-i /home/henk/.vagrant.d/insecure_private_key [email protected] echo ok
produces:
ok
* Note: The OpenBSD project hosts up to date docs for IdentitiesOnly and IdentityFile. These include extra text for new features that do not change the essence of this answer.
Solution 2:
So I had 5 keys in my ssh-agent and despite the explicit option of using the vagrant ssh key it still insisted on looping through keys in my agent before reaching max_tries conveniently before getting to the right key.
To check you have this problem:
Run ssh-add -l - if this list is > 5 you need to remove keys or disable the agent.
To fix:
Run ssh-add -d ~/.ssh/X where X is the key you want to remove.
Solution 3:
After I tried all the advice here without success, I recognized that my problem was the new authentication method (GSSAPI), which was always unsuccessful.
I solved this by editing the ~/.ssh/config file:
Host *
GSSAPIAuthentication no
Hope this helps somebody too.
Solution 4:
To prevent failure from trying too many keys, we can ssh using -o 'IdentitiesOnly=yes',
e.g. ssh -i privateKey -o 'IdentitiesOnly=yes' user@host
Alternatively, we can add the following lines to the ~/.ssh/config file:
Host *
IdentitiesOnly yes
Solution 5:
Your ssh-agent holds more keys than the ssh server allows authentication attempts ("MaxAuthTries", default: 6).
Note that some ssh-agents, in particular the GNOME Keyring, autoload all keys they find in ~/.ssh, and that these keys cannot be unloaded with "ssh-add -[dD]".
Here are some solutions:
- You have configured the correct key in your ~/.ssh/config already, so you don't need the agent. Make the client ignore the agent, e.g.
unset SSH_AUTH_SOCK
or use "IdentitiesOnly=yes" as @henk-langeveld suggested
- Move some keys out of ~/.ssh (a subdir like ~/.ssh/noauto works too) to prevent them from getting auto-loaded. You can still ssh-add them manually if you need them.
- Increase "MaxAuthTries" on the server side, the number of allowed authentication attempts.
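Added example, not part of any answer above: a shell check that combines the diagnostics from the answers (agent key count, IdentitiesOnly, GSSAPI, MaxAuthTries) into one verdict. The function name, output format and sample data are constructed for illustration; it assumes every agent key offered ahead of the configured key costs one failed attempt and that the server disconnects once failures reach MaxAuthTries.

```shell
#!/bin/sh
# Added example; auth_failure_risk is a hypothetical helper, not an OpenSSH tool.
# $1: text of `ssh -G <host>` (effective client configuration)
# $2: text of `ssh-add -l`    (identities held by the agent)
# $3: server-side MaxAuthTries (the page gives 6 as the default)
auth_failure_risk() {
    cfg=$1; agent=$2; max=${3:-6}
    # ssh -G prints lower-case "keyword value" lines.
    only=$(printf '%s\n' "$cfg" | awk '$1 == "identitiesonly" { print $2; exit }')
    gss=$(printf '%s\n' "$cfg" | awk '$1 == "gssapiauthentication" { print $2; exit }')
    # ssh-add -l prints one "<bits> <fingerprint> <comment> (<type>)" line per key;
    # an empty agent prints a sentence that does not start with a digit.
    keys=$(printf '%s\n' "$agent" | awk '/^[0-9]+ / { n++ } END { print n + 0 }')
    # Assumption: with IdentitiesOnly yes no extra agent key is offered first;
    # otherwise, in the worst case, every agent key is tried before the -i key.
    if [ "$only" = "yes" ]; then ahead=0; else ahead=$keys; fi
    if [ "$ahead" -ge "$max" ]; then verdict=at-risk; else verdict=ok; fi
    # gssapi is reported, not counted: Solution 3 names it as a separate cause.
    echo "$verdict attempts_before_key=$ahead max=$max identitiesonly=${only:-no} gssapi=${gss:-no}"
}

# Constructed sample input (not captured from a real host or agent).
SAMPLE_CFG='user vagrant
hostname 192.168.222.111
identitiesonly no
gssapiauthentication no
identityfile /home/henk/.vagrant.d/insecure_private_key'
SAMPLE_AGENT=$(i=1; while [ "$i" -le 6 ]; do
    echo "2048 SHA256:constructed-fingerprint-$i key$i (RSA)"; i=$((i + 1)); done)

auth_failure_risk "$SAMPLE_CFG" "$SAMPLE_AGENT"
```

Against a real host, pass the live output instead of the samples: auth_failure_risk "$(ssh -G somehost)" "$(ssh-add -l)".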