SSH: the “Too many authentication failures” error and its solution
During an SSH connection, I started getting the “Too many authentication failures” error message from a remote host.
The error, and its cause
The root cause is simple: when establishing a new SSH connection, the local ssh client first tries the keys loaded into the local ssh-agent, and only after that uses the key specified with the -i option.
The error looks like this:
ssh root@rtfm.ssh -i /home/setevoy/Dropbox/AWS/setevoy-do-nextcloud-production-d10-03-11
Received disconnect from 139.59.205.180 port 22:2: Too many authentication failures
Disconnected from 139.59.205.180 port 22
To confirm that this is the cause, and that the ssh client really offers the keys from the ssh-agent first, run the connection in debug mode by adding the -v option:
ssh -v root@rtfm.co.ua -i /home/setevoy/AWS/setevoy-do-nextcloud-production-d10-03-11
…
debug1: Offering public key: /home/setevoy/Work/aws-credentials/jenkins-production-eu-west-1.pem RSA SHA256:19/1clohkik2LHC8pyIT0JxAz8/kbjEPhBT6UyxPBaw agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: setevoy@setevoy-arch-work RSA SHA256:r90LWLY/HpQ/fRinmopKyXOGxrcy2ZPJp2ua7mvZFg4 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: Github setevoy2 SSH RSA SHA256:JxeiYfC236wtrdFuADpldciGT86RglAk0vRH7UDpaX8 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/setevoy/Work/aws-credentials/mobilebackend-bastion-stage-us-east-2.pem RSA SHA256:SAdCEuO3MRMe+Jfo3310OBPDFbYhodlsBxiomF2THHw agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/setevoy/Work/aws-credentials/mobilebackend-stage-us-east-2.pem RSA SHA256:/MV7A6GRRYRMWyKWINy5xfFp94+2F90Pai3hLC3uFVQ agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/setevoy/Work/aws-credentials/bm-world-production.pem RSA SHA256:akVDdE5TwELN/RZ0ALgFphyAvRA4qiZUxItHoFTl0FY agent
Received disconnect from 139.59.205.180 port 22:2: Too many authentication failures
Disconnected from 139.59.205.180 port 22
Now list the keys that are currently loaded into the agent:
$ ssh-add -l
2048 SHA256:19/1clohkik2LHC8pyIT0JxAz8/kbjEPhBT6UyxPBaw /home/setevoy/Work/aws-credentials/jenkins-production-eu-west-1.pem (RSA)
3072 SHA256:r90LWLY/HpQ/fRinmopKyXOGxrcy2ZPJp2ua7mvZFg4 setevoy@setevoy-arch-work (RSA)
3072 SHA256:JxeiYfC236wtrdFuADpldciGT86RglAk0vRH7UDpaX8 Github setevoy2 SSH (RSA)
2048 SHA256:SAdCEuO3MRMe+Jfo3310OBPDFbYhodlsBxiomF2THHw /home/setevoy/Work/aws-credentials/mobilebackend-bastion-stage-us-east-2.pem (RSA)
2048 SHA256:/MV7A6GRRYRMWyKWINy5xfFp94+2F90Pai3hLC3uFVQ /home/setevoy/Work/aws-credentials/mobilebackend-stage-us-east-2.pem (RSA)
2048 SHA256:akVDdE5TwELN/RZ0ALgFphyAvRA4qiZUxItHoFTl0FY /home/setevoy/Work/aws-credentials/bm-world-production.pem (RSA)
3072 SHA256:gxWQRigVqmX5uV9FRa4j8NnfOEKCQ8YtaEtX79PoRTM /home/setevoy/AWS/setevoy-do-nextcloud-production-d10-03-11 (RSA)
As we can see from the output above, the last key, setevoy-do-nextcloud-production-d10-03-11, which is the correct one for this remote host, is never even reached, because the remote SSH server starts rejecting the connection before the client gets to it.
The solution
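To avoid this, we can set the IdentitiesOnly option of the local ssh client to "yes", so that the client offers only the explicitly configured identities (here, the key passed with -i) instead of every key the agent holds: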
$ ssh -o IdentitiesOnly=yes root@rtfm.co.ua -i /home/setevoy/Dropbox/AWS/setevoy-do-nextcloud-production-d10-03-11
Linux rtfm-do-production-d10 4.19.0-12-cloud-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
…
Last login: Sat Mar 12 14:17:55 2022 from 176.***.***.170
root@rtfm-do-production-d10:~#
To make it persistent, add the following to the ~/.ssh/config file:
Host *
    IdentitiesOnly=yes
Done.
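The diagnosis from the debug output above, and the check that IdentitiesOnly changed what is offered, as an added example that is not part of the original post: a shell function that reads ssh -v output and reports how many keys were offered and whether the intended one was among them. The function names, sample log lines, fingerprints and address are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ssh -v` debug output on stdin; $1 is the SHA256
# fingerprint of the key you intended to use (see `ssh-keygen -lf <keyfile>`).
# Prints: offers=<n> agent=<n> wanted_offered=<yes|no> verdict=<text>
diagnose_offers() {
    wanted="$1"
    [ -n "$wanted" ] || { echo "usage: diagnose_offers SHA256:<fingerprint>" >&2; return 2; }
    awk -v wanted="$wanted" '
        /^debug1: Offering public key:/ {
            offers++
            if ($0 ~ / agent$/) agent++          # key was supplied by ssh-agent
            if (index($0, wanted) > 0) seen = 1  # literal match, no regex
        }
        /Too many authentication failures/ { cut = 1 }
        END {
            if (cut && !seen) verdict = "agent-keys-exhausted-attempts"
            else if (cut)     verdict = "wanted-key-offered-but-disconnected"
            else              verdict = "no-disconnect"
            printf "offers=%d agent=%d wanted_offered=%s verdict=%s\n", offers, agent, (seen ? "yes" : "no"), verdict
        }'
}

# Constructed sample: three agent keys are offered, then the server disconnects.
sample_failed_log() {
    cat <<'EOF'
debug1: Offering public key: /keys/a.pem RSA SHA256:AAAAconstructed1 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /keys/b.pem RSA SHA256:BBBBconstructed2 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /keys/c.pem RSA SHA256:CCCCconstructed3 agent
Received disconnect from 192.0.2.10 port 22:2: Too many authentication failures
Disconnected from 192.0.2.10 port 22
EOF
}

# Constructed sample: with IdentitiesOnly=yes only the -i key is offered.
sample_ok_log() {
    cat <<'EOF'
debug1: Offering public key: /keys/d.pem RSA SHA256:DDDDconstructed4 explicit
debug1: Server accepts key: /keys/d.pem RSA SHA256:DDDDconstructed4 explicit
EOF
}

sample_failed_log | diagnose_offers 'SHA256:DDDDconstructed4'
sample_ok_log | diagnose_offers 'SHA256:DDDDconstructed4'
```

Against a real host, pipe the debug stream in with `ssh -v ... 2>&1 | diagnose_offers "$(ssh-keygen -lf <keyfile> | awk '{print $2}')"`, since ssh writes its debug lines to stderr.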
Originally published at RTFM: Linux, DevOps, and system administration.