SSH - Too Many Authentication Failures
How to recover from "Too many Authentication Failures for user root"
I've done several attempts to establish SSH-connecton for user root@host using putty terminal. While doing so I specified wrong credentials several times and after that I've specified them correctly, and then after the credentials were accepted the ssh session breaks with
"Server unexpectedly closed network connection".
This error is reported by putty terminal. When trying to ssh root@localhost from the local console - it works fine. It also works fine when I ssh otheruser@host from other host. So network connectivity issues are not guilty. The only error I am thinking of is: Too many Authentication Failures for user root although putty reported a different error.
How Fix Too many Authentication Failures for user
This is usually caused by inadvertently offering multiple ssh keys to the server. The server will reject any key after too many keys have been offered. How many time ssh client can try establish connection with different keys or username/passord is defined by the MaxAuthTries setting in /etc/ssh/sshd_config. I have configure MaxAuthTries 2
You can see this for yourself by adding the -v flag to your ssh command to get verbose output. You will see that a bunch of keys are offered, until the server rejects the connection saying: Too many authentication failures for [user]. Without verbose mode, you will only see the ambiguous message Connection reset by peer.
$ ssh -v root@192.168.89.181
OpenSSH_7.4p1 Debian-10+deb9u6, OpenSSL 1.0.2r 26 Feb 2019
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:uJ5jgxD4qzfAHzP26U0HQpFS0x1FrQ9TCp4Qn7VaGNk /c/Users/root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /c/Users/root/.ssh/id_dsa
debug1: Offering public key: ECDSA SHA256:h1V2BAfnynPUZZF6uK92krYeHMNcQJJbP3/2jM1n1MY /c/Users/root/.ssh/id_ecdsa
Received disconnect from 192.168.89.181 port 22:2: Too many authentication failures for root from 192.168.2.48 port 23315 ssh2
Disconnected from 192.168.89.181 port 22
Solution 1 (Quick Solution)
If you have a username/password, and want to simply use the password to login, here is how you do it.
To use ONLY password authentication and NOT use Public-key, and NOT use the somewhat misleading "keyboard-interactive" (which is a superset including password), you can do this from the command line:
$ ssh -o PreferredAuthentications=password user@example.com
Solution 2
If you have a number of private keys in your .ssh directory you can disable "Public Key Authentication" at the command line using the '-o' optional argument. It's very similar as in Solution 1
$ ssh -o PubkeyAuthentication=no root@example.com
Solution 3
From manual pages for ssh - man ssh:
-i identity_file
Selects a file from which the identity (private key) for public key authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
~/.ssh/id_rsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configura‐
tion files). ssh will also try to load certificate information from the filename obtained by appending -cert.pub to identity filenames.
You can exactly specify what identity key you want use:
$ ssh -o IdentitiesOnly=yes -i ~/.ssh/example_rsa example.com
Solution 4
Specifiy, explicitly, which key goes to which host(s) in your .ssh/config file.
You need to configure which key ("IdentityFile") goes with which domain (or host). You also want to handle the case when the specified key doesn’t work, which would usually be because the public key isn’t in ~/.ssh/authorized_keys on the server. The default is for SSH to then try any other keys it has access to, which takes us back to too many attempts. Setting "IdentitiesOnly" to "yes" tells SSH to only try the specified key and, if that fails, fall through to password authentication (presuming the server allows it).
Your ~/.ssh/config would look like:
Host *.myhost.com
IdentitiesOnly yes
IdentityFile ~/.ssh/myhost
Host secure.myhost.com
IdentitiesOnly yes
IdentityFile ~/.ssh/mysecurehost_rsa
Host *.myotherhost.domain
IdentitiesOnly yes
IdentityFile ~/.ssh/myotherhost_rsa
Host is the host the key can connect to IdentitiesOnly means only to try this specific key to connect, no others IdentityFile is the path to the key.
You can try multiple keys if needed
Host *.myhost.com
IdentitiesOnly yes
IdentityFile ~/.ssh/myhost_rsa
IdentityFile ~/.ssh/myhost_dsa
