Too many authentication failures for *username*

264

116

I have a hostgator account with ssh access enabled. When trying to upload the generated .pub key file with this command:

rsync -av -e "ssh -p2222" /home/user/.ssh/key.pub username@111.222.33.44:.ssh/authorized_keys

I keep getting:

Received disconnect from 111.222.33.44: 2: Too many authentication failures for username
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(601) [sender=3.0.7]

I've been toying around previously with ssh until I got the auth failure. But now it seems that the auth failure counter does not reset (been waiting more than 12 hours now, tech support "supposes" it resets after 30 min to 1 hour, and another guy told me "it resets every time you try to login with the username", jeesh).

This is driving me nuts. I even had this set up in a Slicehost custom server and had fewer issues than with these guys.

Any tips? Perhaps it's something client side and not server side.

Gabriel A. Zorrilla

Posted 2010-09-12T17:14:13.157

Reputation: 3 245

In my case there wa an mistake in generating the key. I generated a key and I missed to mention the source adress and used username at the end of the key. – reporter – 2019-08-29T12:49:38.287

Answers

423

This is usually caused by inadvertently offering multiple ssh keys to the server. The server will reject any key after too many keys have been offered.

You can see this for yourself by adding the -v flag to your ssh command to get verbose output. You will see that a bunch of keys are offered, until the server rejects the connection saying: "Too many authentication failures for [user]". Without verbose mode, you will only see the ambiguous message "Connection reset by peer".

To prevent irrelevant keys from being offered, you have to explicitly specify this in every host entry in the ~/.ssh/config (on the client machine) file by adding IdentitiesOnly like so:

Host www.somehost.com
  IdentityFile ~/.ssh/key_for_somehost_rsa
  IdentitiesOnly yes
  Port 22

If you use the ssh-agent, it helps to run ssh-add -D to clear the identities.

If you are not using any ssh hosts configuration, you have to explicitly specify the correct key in the ssh command like so:

ssh -i some_id_rsa -o 'IdentitiesOnly yes' them@there:/path/

Note: the 'IdentitiesOnly yes' parameter needed to be between quotes.

ssh -i some_id_rsa -o IdentitiesOnly=yes them@there:/path/

John T

Posted 2010-09-12T17:14:13.157

Reputation: 149 037

it can be used without quotes, like this: -o IdentitiesOnly=yes – Valentin Kantor – 2014-07-04T13:28:14.123

Why can't we just can we just tell the SSH daemon via sshd_config to accept more keys? – Kaz – 2015-12-07T20:36:19.607

In my case it was sending public key I use for my different git repositories, while ssh doesn't use public key authentication. I had to add PubkeyAuthentication no in the config entry for the host. When not using .ssh/config, the following command line option will do it http://superuser.com/a/404460/15894

– chmike – 2016-08-29T11:08:20.767

This explains why my older server that didn't support ssh-ed25519 was rejecting my login that provided two public keys (a legacy rsa and an ed25519), but the fix was different: my ssh_config had MaxAuthTries set to 1, but each key counts against that during a login, so it was failing after receiving the unsupported ed25519 and logging the too-many-failures message. Raising MaxAuthTries to 2 fixed it. – Marco – 2017-01-07T20:37:46.903

2The question remains: why does ssh "offer multiple keys" (anything under ~/.ssh) even when the rule for host has an explicit IdentityFile /path/to/private_key_file setting. Shouldn't this explicitly specified key be (at the very least) offered first? Isn't this a bug/misfeature in the openssh client? – arielf – 2017-01-26T00:33:38.830

Whew, I thought my ssh was being brute forced :| – Captain Hypertext – 2017-05-25T15:53:13.713

Thanks for the ssh-add -D this solved my issue – Maksim Luzik – 2018-08-06T12:44:06.027

2But shouldn't it use the key specified with the IdentityFile option? For example, without the IdentitiesOnly option, it tries to use my github key when I try to ssh gitlab.com. It makes no sense. – Iulian Onofrei – 2018-10-08T14:57:28.113

5it is not clear to me where to put this line. On the server that I am trying to log in to, .ssh/config only has information for other servers. Do you mean that this should go in the .ssh/config file on the computer I am trying to ssh from? If so, this is unclear because your answer says "once you are logged back in ..." – David LeBauer – 2012-06-07T17:39:43.017

2I have to put the option in double quotes, like this: ssh -i some_id_rsa -o "IdentitiesOnly yes" them@there:/path/ – knb – 2013-04-23T09:22:46.743

1Windows users running PAGENT (Putty Agent), check to ensure you only have the keys you need loaded. I ran into this issue after accidentally loading ALL my private keys. – Chris Rasco – 2013-11-19T22:41:57.357

However, for sshfs (fuse) I have to write the option with an obligatory equals sign, like this: sshfs -o "IdentitiesOnly=yes" -o IdentityFile=~/.ssh/id_dsa them@there/var/tmp /mnt/tmp (Ubuntu 13.10) – knb – 2014-01-17T11:42:34.470

195

I found an easier way to do this (if using password authentication):

ssh -o PubkeyAuthentication=no username@hostname.com

This forces non-key authentication. I was able to logon immediately.

Reference

Ben West

Posted 2010-09-12T17:14:13.157

Reputation: 2 266

1And to use that with rsync: rsync -av -e 'ssh -o PubkeyAuthentication=no' 'user@host.com:~/remote_file' 'local_file' – Ciro Santilli 新疆改造中心法轮功六四事件 – 2016-03-09T17:03:20.583

2You can also create an Alias to make it even quicker for password auth. alias sshp='ssh -o PubkeyAuthentication=no ' – dhempler – 2017-04-27T14:59:25.397

3+1, wish i could give you more. Raspberry Pi is the only device I ssh into without public key. Was getting: "Too many authentication failures for pi" – blak3r – 2013-12-22T07:05:39.843

I was getting this error too and found that it was happening b/c the server was configured to accept up to 6 tries:

/etc/ssh/sshd_config
...
...
#MaxAuthTries 6

In addition to setting the IdentitiesOnly yes in your ~/.ssh/config file you have a couple of other options.

Increase the MaxAuthTries (on the ssh server)
delete some of the key pairs you have present in your ~/.ssh/ directory & run ssh-add -D
explicitly link a key to a given host in your ~/.ssh/config file

Like so:

host foo
hostname foo.example.com
IdentityFile /home/YOU/.ssh/foo

Is probably not a good way to go about it, given it weakens your ssh server a bit since it'll now accept more keys in a given connection attempt. Think brute force attack vectors here.
Is a good way to go assuming you have keys that are not needed and can be permanently deleted.
And the approach of setting IdentitiesOnly are probably the preferred ways of dealing with this issue!

slm

Posted 2010-09-12T17:14:13.157

Reputation: 7 449

In your last line you have identifyfile /home/YOU/.ssh/foo but it should be identityfile (a t not an f) – Nin – 2014-09-26T10:05:33.203

I added to ~/.ssh/config this:

Host *
IdentitiesOnly yes

It enables option IdentitiesOnly=yes by default. If you'll need to connect with private key, you should specify it with option -i

Евгений Шаповалов

Posted 2010-09-12T17:14:13.157

Reputation: 71

If you get the following SSH Error:

$ Received disconnect from host: 2: Too many authentication failures for root

This can happen if you have (default on my system) five or more DSA/RSA identity files stored in your .ssh directory and if the '-i' option isn't specified at the command line.

The ssh client will first attempt to login using each identity (private key) and next prompt for password authentication. However, sshd drops the connection after five bad login attempts (again default may vary).

If you have a number of private keys in your .ssh directory you can disable "Public Key Authentication" at the command line using the '-o' optional argument.

For example:

$ ssh -o PubkeyAuthentication=no root@host

Will Verna

Posted 2010-09-12T17:14:13.157

Reputation: 61

This was exactly what was happening to me! Thanks a lot for the explanation ;) – El Ninja Trepador – 2016-10-04T13:59:55.933

If you have a password, and want to simply use the password to login, here is how you do it.

To use ONLY password authentication and NOT use Public-key, and NOT use the somewhat misleading "keyboard-interactive" (which is a superset including password), you can do this from the command line:

ssh -o PreferredAuthentications=password user@example.com

Greg Rundlett

Posted 2010-09-12T17:14:13.157

Reputation: 309

Going off @David saying, just add this IdentitiesOnly yes to your .ssh/config, it does the same thing as ssh -o PubkeyAuthentication=no.

After you logged in, remove .ssh/authorized_keys. Now, go back to the local machine and type the following

cat ~/.ssh/id_rsa.pub | ssh -o PubkeyAuthentication=no user@IP_ADDR 'cat >> .ssh/authorized_keys'. This should re-enable your ssh with public key

Alan Dong

Posted 2010-09-12T17:14:13.157

Reputation: 173

I know this is an old thread, but I just wanted to add in here that I ran into the same error message, but it was caused by the owner of the .ssh folder being root rather than the user that was using the key. I corrected the issue by running the following commands:

sudo chown -R user:user /home/user/.ssh

I also made sure the permissions were correct on the .ssh folder:

sudo chmod 700 /home/user/.ssh

The files within the .ssh directory should have the permission of 600:

sudo chmod 600 /home/user/.ssh/authorized_keys

Adam

Posted 2010-09-12T17:14:13.157

Reputation: 21

I would be careful with using this without a caveat.

SSH key permissions are usually restricted to 400 for some keys, particular AWS. Attempting to set them above that will result in the key not being accepted, and that can lock you out of your AWS account. – Michael Ryan Soileau – 2017-03-09T18:35:16.553

In my case, the problem was directory permissions. This fixed it for me:

$ chmod 750 ~;chmod 700 ~/.ssh

tbc0

Posted 2010-09-12T17:14:13.157

Reputation: 259

I had my public key in .ssh/authorized_keys2, but the server was configured to read only .ssh/authorized_keys:

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

After moving my file to .ssh/authorized_keys, I can log in successfully with my key.

Benedikt Köppel

Posted 2010-09-12T17:14:13.157

Reputation: 584

Too many authentication failures

This message is caused by having too many failed authentication attempts given the permitted limits enforced on the remote SSH server. This potentially means that you've too many identities added in the SSH agent.

Here are few suggestions:

Add -v to see if that's the case (you've using too many identities).
List added identities by ssh-add -l.
Remove failing identity from the agent by: ssh-add -d.
You may also deletes all identities by ssh-add -D and re-add only relevant one.
If you've access to SSH server, check the MaxAuthTries option (see: man sshd_config).

^{Related post: What is a connection for sshd_config's 'MaxAuthTries' limit?}
If none of this help, make sure whether you're using the right credentials or file.

kenorb

Posted 2010-09-12T17:14:13.157

Reputation: 16 795

This was a fun one for me. Turns out I changed my password locally while in a localization mode different from a keyboard I was using to login remotely. This effectively made my password different from what I thought it was probably because one of my special characters was different from what the keyboard said it was.

ekeyser

Posted 2010-09-12T17:14:13.157

Reputation: 151

In my case, it was happening because I was using the username "ubuntu", but the username in this instance was "ec2-user"

After I did what "John T" suggested, I got this error:

Permission denied (publickey).

Then I found the solution (i.e. changing the username to "ec2-user") in this answer: https://stackoverflow.com/questions/1454629/aws-ssh-access-permission-denied-publickey-issue

Deepak Joy

Posted 2010-09-12T17:14:13.157

Reputation: 101

-1

This message can appear when the correct username and password is not entered.

First check that the user is listed:

vim /etc/passwd

Matoeil

Posted 2010-09-12T17:14:13.157

Reputation: 119