During an SSH connection, I started getting the “Too many authentication failures” error message from a remote host.
Contents
The error, and its cause
Actually, the root cause is simple: during establishing a new SSH connection, the local ssh-client first tries to use keys, that are loaded by the local ssh-agent
, and only after that will use a key, that is specified with the -i
option.
The error looks like the next:
[simterm]
$ ssh [email protected] -i /home/setevoy/Dropbox/AWS/setevoy-do-nextcloud-production-d10-03-11 Received disconnect from 139.59.205.180 port 22:2: Too many authentication failures Disconnected from 139.59.205.180 port 22
[/simterm]
To be sure, this is the cause, and the ssh client first uses keys from the ssh-agent
, run the connection in the debug mode by adding the -v
option:
[simterm]
$ ssh -v [email protected] -i /home/setevoy/AWS/setevoy-do-nextcloud-production-d10-03-11 ... debug1: Offering public key: /home/setevoy/Work/aws-credentials/jenkins-production-eu-west-1.pem RSA SHA256:19/1clohkik2LHC8pyIT0JxAz8/kbjEPhBT6UyxPBaw agent debug1: Authentications that can continue: publickey debug1: Offering public key: setevoy@setevoy-arch-work RSA SHA256:r90LWLY/HpQ/fRinmopKyXOGxrcy2ZPJp2ua7mvZFg4 agent debug1: Authentications that can continue: publickey debug1: Offering public key: Github setevoy2 SSH RSA SHA256:JxeiYfC236wtrdFuADpldciGT86RglAk0vRH7UDpaX8 agent debug1: Authentications that can continue: publickey debug1: Offering public key: /home/setevoy/Work/aws-credentials/mobilebackend-bastion-stage-us-east-2.pem RSA SHA256:SAdCEuO3MRMe+Jfo3310OBPDFbYhodlsBxiomF2THHw agent debug1: Authentications that can continue: publickey debug1: Offering public key: /home/setevoy/Work/aws-credentials/mobilebackend-stage-us-east-2.pem RSA SHA256:/MV7A6GRRYRMWyKWINy5xfFp94+2F90Pai3hLC3uFVQ agent debug1: Authentications that can continue: publickey debug1: Offering public key: /home/setevoy/Work/aws-credentials/bm-world-production.pem RSA SHA256:akVDdE5TwELN/RZ0ALgFphyAvRA4qiZUxItHoFTl0FY agent Received disconnect from 139.59.205.180 port 22:2: Too many authentication failures Disconnected from 139.59.205.180 port 22
[/simterm]
And list keys, that are currently loaded by the agent:
[simterm]
$ ssh-add -l 2048 SHA256:19/1clohkik2LHC8pyIT0JxAz8/kbjEPhBT6UyxPBaw /home/setevoy/Work/aws-credentials/jenkins-production-eu-west-1.pem (RSA) 3072 SHA256:r90LWLY/HpQ/fRinmopKyXOGxrcy2ZPJp2ua7mvZFg4 setevoy@setevoy-arch-work (RSA) 3072 SHA256:JxeiYfC236wtrdFuADpldciGT86RglAk0vRH7UDpaX8 Github setevoy2 SSH (RSA) 2048 SHA256:SAdCEuO3MRMe+Jfo3310OBPDFbYhodlsBxiomF2THHw /home/setevoy/Work/aws-credentials/mobilebackend-bastion-stage-us-east-2.pem (RSA) 2048 SHA256:/MV7A6GRRYRMWyKWINy5xfFp94+2F90Pai3hLC3uFVQ /home/setevoy/Work/aws-credentials/mobilebackend-stage-us-east-2.pem (RSA) 2048 SHA256:akVDdE5TwELN/RZ0ALgFphyAvRA4qiZUxItHoFTl0FY /home/setevoy/Work/aws-credentials/bm-world-production.pem (RSA) 3072 SHA256:gxWQRigVqmX5uV9FRa4j8NnfOEKCQ8YtaEtX79PoRTM /home/setevoy/AWS/setevoy-do-nextcloud-production-d10-03-11 (RSA)
[/simterm]
As we can see for the output above, the last key, which is the correct one for the current remote host, the setevoy-do-nextcloud-production-d10-03-11
, is even does not reached as remote ssh-server begins rejecting new connections.
The solution
To avoid this, we can use the IdentitiesOnly
option for the local ssh client with the “yes” value:
[simterm]
$ ssh -o IdentitiesOnly=yes [email protected] -i /home/setevoy/Dropbox/AWS/setevoy-do-nextcloud-production-d10-03-11 Linux rtfm-do-production-d10 4.19.0-12-cloud-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 ... Last login: Sat Mar 12 14:17:55 2022 from 176.***.***.170 root@rtfm-do-production-d10:~#
[/simterm]
To make it persistent, add the following to the ~/.ssh/config
file:
Host * IdentitiesOnly=yes
Done.