Received disconnect from: Too many authentication failures for ubuntu

Short answer: Add IdentitiesOnly yes to your .ssh/config file.

Long answer:

I was receiving the error message “Received disconnect from X.X.X.X: 2: Too many authentication failures for ubuntu” while trying to log in to some of my servers. I tried logging into various other servers; some worked and some didn’t. I was using public key authentication and I knew the keys were correct, so I tried logging into the failing servers from other machines. They all worked with the same keys, so the keys were all good and the server was working just fine.

Time to run ssh -vvv to see what errors were occurring. At the end of the output I was seeing a lot of this:

...
debug1: Offering RSA public key: wes@desktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: wes@desktop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
...

OK, so it looks like my public keys are failing. I’m using my .ssh/config file to assign specific IdentityFiles to Hosts. Perhaps that was failing, so I tried passing the path to the IdentityFile directly via ssh -i. Still nothing: it was still offering several public keys and failing on all of them. My servers all have the default sshd_config setting of MaxAuthTries 6. Increasing that helps, but that’s not the direction I want to change that value in, I don’t want to do it across dozens of servers, and this appears to be a client-side problem.

Next up, I did a little googling around, ran ssh-add -L and saw that ssh-agent had cached 6 public keys. ssh always tries those 6 keys first and then tries the ones you specify on the command line or in your config file. That’s not really super cool; I guess it assumes you are using the same key or it needs a default to look for and try. One option was to run ssh-add -D, but that wasn’t really working and doesn’t directly solve the problem. Instead I read the manual, what a novel idea, and found the setting IdentitiesOnly and set it to yes. What this does is, instead of checking ssh-agent for cached keys, it will use your defined identity file only… MUCH better! So, just add IdentitiesOnly yes to your .ssh/config file and you are set. Or put it in the /etc/ssh/ssh_config file for the entire system.
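
A quick way to confirm this failure mode from the client side, as an added example that is not part of the original post: the script counts the keys offered in ssh -v output (in the debug format shown above) and compares that count with MaxAuthTries. The sample log is constructed, and the host alias and key path in the comments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): count the public keys a client
# offered in `ssh -v` output and compare with the server's MaxAuthTries.
# Live use:  ssh -v user@host 2>&1 | diagnose 6
#
# Fix from the post, in ~/.ssh/config (host alias and key path are hypothetical):
#   Host myserver
#     IdentityFile ~/.ssh/id_myserver
#     IdentitiesOnly yes

# Constructed sample in the format shown in the post: N keys are offered,
# none is accepted, then the server disconnects.
sample_log() {
  i=0
  while [ "$i" -lt "$1" ]; do
    echo "debug1: Offering RSA public key: wes@desktop"
    echo "debug3: send_pubkey_test"
    echo "debug2: we sent a publickey packet, wait for reply"
    echo "debug1: Authentications that can continue: publickey"
    i=$((i + 1))
  done
  echo "Received disconnect from X.X.X.X: 2: Too many authentication failures for ubuntu"
}

# Print how many keys were offered (0 when none; grep exits 1 in that case).
count_offers() {
  grep -c 'Offering .*public key' || true
}

# diagnose [MAX]: read ssh debug output on stdin and print a one-line verdict.
diagnose() {
  max=${1:-6}
  log=$(cat)
  offers=$(printf '%s\n' "$log" | count_offers)
  if ! printf '%s\n' "$log" | grep -q 'Too many authentication failures'; then
    echo "ok: $offers offered, limit $max"
  elif [ "$offers" -ge "$max" ]; then
    echo "exhausted: $offers offered, limit $max; use IdentitiesOnly yes"
  else
    echo "disconnected after $offers offers; server limit may be below $max"
  fi
}

sample_log 6 | diagnose 6
```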

7 thoughts on “Received disconnect from: Too many authentication failures for ubuntu”

  1. Andrew Lombardi

    Thank you very much for the research you did to solve this issue. I had similar issues showing up after adding several keys (must have passed the 6-key mark). IdentitiesOnly yes has fixed it.

    -A

  2. bz0d

    You can also override your config on a one-time (one-off) basis by using
    ssh host -o "PubkeyAuthentication no"

    This can often be needed if you have a lot of keys and the account on host you’re connecting to uses an encrypted home directory or is a network home using authentication to the host to establish identity (which means the pubkey on the remote end isn’t available until after authentication – a regular chicken-or-egg-is-first issue/scenario for PKI..)

  3. Martin Gogov

    Much appreciated, works like a charm: really useful when working with multiple servers, multiple keys and behind firewalls!

    Thanks for explaining the logic behind it, it’s great to know why stuff works.

    Cheers,
    Martin

  4. Konrad Kiss

    Thank you for posting this. I think you just saved me some time and some hair. 🙂 Nice explanation about the core of the issue!

    Konrad
