Too many authentication failures for *username*

Question

I have a hostgator account with ssh access enabled. When trying to upload the generated .pub key file with this command:

rsync -av -e "ssh -p2222" /home/user/.ssh/key.pub username@111.222.33.44:.ssh/authorized_keys

I keep getting:

Received disconnect from 111.222.33.44: 2: Too many authentication failures for username
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(601) [sender=3.0.7]

I've been toying around previously with ssh until I got the auth failure. But now it seems that the auth failure counter does not reset (been waiting more than 12 hours now, tech support "supposes" it resets after 30 min to 1 hour, and another guy told me "it resets every time you try to login with the username", jeesh).

This is driving me nuts. I even had this set up in a Slicehost custom server and had fewer issues than with these guys.

Any tips? Perhaps it's something client side and not server side.

Answer 1

This is usually caused by inadvertently offering multiple ssh keys to the server. The server will reject any key after too many keys have been offered.

You can see this for yourself by adding the -v flag to your ssh command to get verbose output. You will see that a bunch of keys are offered, until the server rejects the connection saying: "Too many authentication failures for [user]". Without verbose mode, you will only see the ambiguous message "Connection reset by peer".

To prevent irrelevant keys from being offered, you have to explicitly specify this in every host entry in the ~/.ssh/config (on the client machine) file by adding IdentitiesOnly like so:

Host www.somehost.com
  IdentityFile ~/.ssh/key_for_somehost_rsa
  IdentitiesOnly yes
  Port 22

If you use the ssh-agent, it helps to run ssh-add -D to clear the identities.

If you are not using any ssh hosts configuration, you have to explicitly specify the correct key in the ssh command like so:

ssh -i some_id_rsa -o 'IdentitiesOnly yes' them@there:/path/

Note: the 'IdentitiesOnly yes' parameter needed to be between quotes.

or

ssh -i some_id_rsa -o IdentitiesOnly=yes them@there:/path/

Answer 2

I found an easier way to do this (if using password authentication):

ssh -o PubkeyAuthentication=no username@hostname.com

This forces non-key authentication. I was able to logon immediately.

Reference

Answer 3

I was getting this error too and found that it was happening b/c the server was configured to accept up to 6 tries:

/etc/ssh/sshd_config
...
...
#MaxAuthTries 6

In addition to setting the IdentitiesOnly yes in your ~/.ssh/config file you have a couple of other options.

1. Increase the MaxAuthTries (on the ssh server)
2. delete some of the key pairs you have present in your ~/.ssh/ directory & run ssh-add -D
3. explicitly link a key to a given host in your ~/.ssh/config file

Like so:

host foo
hostname foo.example.com
IdentityFile /home/YOU/.ssh/foo

1. Is probably not a good way to go about it, given it weakens your ssh server a bit since it'll now accept more keys in a given connection attempt. Think brute force attack vectors here.

2. Is a good way to go assuming you have keys that are not needed and can be permanently deleted.

3. And the approach of setting IdentitiesOnly are probably the preferred ways of dealing with this issue!

Answer 4

I added to ~/.ssh/config this:

Host *
IdentitiesOnly yes

It enables option IdentitiesOnly=yes by default. If you'll need to connect with private key, you should specify it with option -i

Answer 5

If you get the following SSH Error:

$ Received disconnect from host: 2: Too many authentication failures for root

This can happen if you have (default on my system) five or more DSA/RSA identity files stored in your .ssh directory and if the '-i' option isn't specified at the command line.

The ssh client will first attempt to login using each identity (private key) and next prompt for password authentication. However, sshd drops the connection after five bad login attempts (again default may vary).

If you have a number of private keys in your .ssh directory you can disable "Public Key Authentication" at the command line using the '-o' optional argument.

For example:

$ ssh -o PubkeyAuthentication=no root@host

Answer 6

If you have a password, and want to simply use the password to login, here is how you do it.

To use ONLY password authentication and NOT use Public-key, and NOT use the somewhat misleading "keyboard-interactive" (which is a superset including password), you can do this from the command line:

ssh -o PreferredAuthentications=password user@example.com

Answer 7

Going off @David saying, just add this IdentitiesOnly yes to your .ssh/config, it does the same thing as ssh -o PubkeyAuthentication=no.

After you logged in, remove .ssh/authorized_keys. Now, go back to the local machine and type the following

cat ~/.ssh/id_rsa.pub | ssh -o PubkeyAuthentication=no user@IP_ADDR 'cat >> .ssh/authorized_keys'. This should re-enable your ssh with public key

Answer 8

I know this is an old thread, but I just wanted to add in here that I ran into the same error message, but it was caused by the owner of the .ssh folder being root rather than the user that was using the key. I corrected the issue by running the following commands:

sudo chown -R user:user /home/user/.ssh

I also made sure the permissions were correct on the .ssh folder:

sudo chmod 700 /home/user/.ssh

The files within the .ssh directory should have the permission of 600:

sudo chmod 600 /home/user/.ssh/authorized_keys

Answer 9

In my case, the problem was directory permissions. This fixed it for me:

$ chmod 750 ~;chmod 700 ~/.ssh

Answer 10

Too many authentication failures

This message is caused by having too many failed authentication attempts given the permitted limits enforced on the remote SSH server. This potentially means that you've too many identities added in the SSH agent.

Here are few suggestions:

• Add -v to see if that's the case (you've using too many identities).
• List added identities by ssh-add -l.
• Remove failing identity from the agent by: ssh-add -d.
• You may also deletes all identities by ssh-add -D and re-add only relevant one.

• If you've access to SSH server, check the MaxAuthTries option (see: man sshd_config).

  ^{Related post: What is a connection for sshd_config's 'MaxAuthTries' limit?}

• If none of this help, make sure whether you're using the right credentials or file.

Answer 11

This was a fun one for me. Turns out I changed my password locally while in a localization mode different from a keyboard I was using to login remotely. This effectively made my password different from what I thought it was probably because one of my special characters was different from what the keyboard said it was.

Answer 12

I had my public key in .ssh/authorized_keys2, but the server was configured to read only .ssh/authorized_keys:

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

After moving my file to .ssh/authorized_keys, I can log in successfully with my key.

Answer 13

Smart cards (aka PIV, CAC, PKCS #11, HSM, or Cryptoki) add an additional level of complexity to this.

As John T suggests, I added the -v verbose logging to my ssh command to find why my ssh was failing. Whether I put in -i ~/.ssh/myrsa.pem or -o 'IdentitiesOnly yes' or even -o 'CertificateFile ~/.ssh/myrsa.pem', I still got the "Too many authentication failures" error from the system because it was still insisting on using opensc-pkcs11.so to present the certificate from the smartcard, which is not recognized by my personal EC2 instance.

Removing the smartcard let it drop back to RSA authentication. But, as a better workaround, to keep the smartcard in the system and still have ssh work with my RSA key, I can pass
-o PKCS11Provider = PKCS_disabled
on the command lineto my ssh command, and it will override the global ssh default.

It's still a workaround, since it will try to open a .so file for PKCS, and give you the error
dlopen PKCS_disabled failed: PKCS_disabled: cannot open shared object file: No such file or directory
but that creates an understandable error that forces it to fall back to RSA without having to pull my smartcard in and out.

Answer 14

In my case, it was happening because I was using the username "ubuntu", but the username in this instance was "ec2-user"

After I did what "John T" suggested, I got this error:

Permission denied (publickey).

Then I found the solution (i.e. changing the username to "ec2-user") in this answer: https://stackoverflow.com/questions/1454629/aws-ssh-access-permission-denied-publickey-issue

Answer 15

This message can appear when the correct username and password is not entered.

First check that the user is listed:

vim /etc/passwd