Arseny Zinchenko
Posted on March 21, 2022
During an SSH connection, I started getting the “ Too many authentication failures ” error message from a remote host.
The error, and its cause
Actually, the root cause is simple: during establishing a new SSH connection, the local ssh-client first tries to use keys, that are loaded by the local ssh-agent
, and only after that will use a key, that is specified with the -i
option.
The error looks like the next:
ssh root@rtfm.ssh -i /home/setevoy/Dropbox/AWS/setevoy-do-nextcloud-production-d10–03–11Received disconnect from 139.59.205.180 port 22:2: Too many authentication failuresDisconnected from 139.59.205.180 port 22
To be sure, this is the cause, and the ssh client first uses keys from the ssh-agent
, run the connection in the debug mode by adding the -v
option:
ssh -v root@rtfm.co.ua -i /home/setevoy/AWS/setevoy-do-nextcloud-production-d10–03–11
…
debug1: Offering public key: /home/setevoy/Work/aws-credentials/jenkins-production-eu-west-1.pem RSA SHA256:19/1clohkik2LHC8pyIT0JxAz8/kbjEPhBT6UyxPBaw agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: setevoy@setevoy-arch-work RSA SHA256:r90LWLY/HpQ/fRinmopKyXOGxrcy2ZPJp2ua7mvZFg4 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: Github setevoy2 SSH RSA SHA256:JxeiYfC236wtrdFuADpldciGT86RglAk0vRH7UDpaX8 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/setevoy/Work/aws-credentials/mobilebackend-bastion-stage-us-east-2.pem RSA SHA256:SAdCEuO3MRMe+Jfo3310OBPDFbYhodlsBxiomF2THHw agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/setevoy/Work/aws-credentials/mobilebackend-stage-us-east-2.pem RSA SHA256:/MV7A6GRRYRMWyKWINy5xfFp94+2F90Pai3hLC3uFVQ agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/setevoy/Work/aws-credentials/bm-world-production.pem RSA SHA256:akVDdE5TwELN/RZ0ALgFphyAvRA4qiZUxItHoFTl0FY agent
Received disconnect from 139.59.205.180 port 22:2: Too many authentication failures
Disconnected from 139.59.205.180 port 22
And list keys, that are currently loaded by the agent:
$ ssh-add -l
2048 SHA256:19/1clohkik2LHC8pyIT0JxAz8/kbjEPhBT6UyxPBaw /home/setevoy/Work/aws-credentials/jenkins-production-eu-west-1.pem (RSA)
3072 SHA256:r90LWLY/HpQ/fRinmopKyXOGxrcy2ZPJp2ua7mvZFg4 setevoy@setevoy-arch-work (RSA)
3072 SHA256:JxeiYfC236wtrdFuADpldciGT86RglAk0vRH7UDpaX8 Github setevoy2 SSH (RSA)
2048 SHA256:SAdCEuO3MRMe+Jfo3310OBPDFbYhodlsBxiomF2THHw /home/setevoy/Work/aws-credentials/mobilebackend-bastion-stage-us-east-2.pem (RSA)
2048 SHA256:/MV7A6GRRYRMWyKWINy5xfFp94+2F90Pai3hLC3uFVQ /home/setevoy/Work/aws-credentials/mobilebackend-stage-us-east-2.pem (RSA)
2048 SHA256:akVDdE5TwELN/RZ0ALgFphyAvRA4qiZUxItHoFTl0FY /home/setevoy/Work/aws-credentials/bm-world-production.pem (RSA)
3072 SHA256:gxWQRigVqmX5uV9FRa4j8NnfOEKCQ8YtaEtX79PoRTM /home/setevoy/AWS/setevoy-do-nextcloud-production-d10–03–11 (RSA)
As we can see for the output above, the last key, which is the correct one for the current remote host, the setevoy-do-nextcloud-production-d10-03-11
, is even does not reached as remote ssh server begins rejecting new connections.
The solution
To avoid this, we can use the IdentitiesOnly
option for the local ssh client with the "yes" value:
$ ssh -o IdentitiesOnly=yes root@rtfm.co.ua -i /home/setevoy/Dropbox/AWS/setevoy-do-nextcloud-production-d10–03–11
Linux rtfm-do-production-d10 4.19.0–12-cloud-amd64 #1 SMP Debian 4.19.152–1 (2020–10–18) x86_64
…
Last login: Sat Mar 12 14:17:55 2022 from 176. ***.***.170
root@rtfm-do-production-d10:~#
To make it persistent, add the following to the ~/.ssh/config
file:
Host *
IdentitiesOnly=yes
Done.
Originally published at RTFM: Linux, DevOps, and system administration.
Posted on March 21, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.