SSH - Too Many Authentication Failures

How to recover from “Too many Authentication Failures for user root”

I’ve made several attempts to establish an SSH connection for user root@host using the PuTTY terminal. While doing so I specified wrong credentials several times, and after that I specified them correctly; then, after the credentials were accepted, the SSH session broke with

"Server unexpectedly closed network connection".

This error is reported by the PuTTY terminal. When trying to ssh root@localhost from the local console, it works fine. It also works fine when I ssh otheruser@host from another host. So network connectivity issues are not guilty. The only error I am thinking of is: Too many Authentication Failures for user root, although PuTTY reported a different error.

How to Fix Too Many Authentication Failures for User

This is usually caused by inadvertently offering multiple SSH keys to the server. The server will reject any key after too many keys have been offered. How many times the SSH client can try to establish a connection with different keys or username/password combinations is defined by the MaxAuthTries setting in /etc/ssh/sshd_config. I have configured MaxAuthTries 2.

You can see this for yourself by adding the -v flag to your ssh command to get verbose output. You will see that a bunch of keys are offered, until the server rejects the connection saying: Too many authentication failures for [user]. Without verbose mode, you will only see the ambiguous message Connection reset by peer.

Solution 2

If you have a number of private keys in your .ssh directory, you can disable “Public Key Authentication” at the command line using the ‘-o’ option. It is very similar to Solution 1.

Solution 4

Specify, explicitly, which key goes to which host(s) in your .ssh/config file.

You need to configure which key (“IdentityFile”) goes with which domain (or host). You also want to handle the case when the specified key doesn’t work, which would usually be because the public key isn’t in ~/.ssh/authorized_keys on the server. The default is for SSH to then try any other keys it has access to, which takes us back to too many attempts. Setting “IdentitiesOnly” to “yes” tells SSH to only try the specified key and, if that fails, fall through to password authentication (presuming the server allows it).

Host *.myhost.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/myhost
# secure.myhost.com also matches *.myhost.com above, so both IdentityFile entries apply to it
Host secure.myhost.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/mysecurehost_rsa
Host *.myotherhost.domain
    IdentitiesOnly yes
    IdentityFile ~/.ssh/myotherhost_rsa

You can try multiple keys if needed:

Host *.myhost.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/myhost_rsa
    IdentityFile ~/.ssh/myhost_dsa
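
A small checker for the per-host configuration above, added here as an illustration and not part of the original article: it resolves which IdentityFile entries apply to a host using ssh_config's Host matching rules and flags hosts that could exhaust MaxAuthTries 2 with keys alone. The function names, the test hostnames and the "risky" rule are assumptions of this example; Match blocks and Include are not handled.

```python
import fnmatch
import re

# Constructed sample: the per-host blocks from the article as one ~/.ssh/config.
SAMPLE_CONFIG = """
Host *.myhost.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/myhost
Host secure.myhost.com
    IdentitiesOnly yes
    IdentityFile ~/.ssh/mysecurehost_rsa
Host *.myotherhost.domain
    IdentitiesOnly yes
    IdentityFile ~/.ssh/myotherhost_rsa
"""

def host_matches(patterns, host):
    """Host rule: a positive pattern must match and no '!' pattern may match."""
    host, hit = host.lower(), False
    for pat in patterns:
        if fnmatch.fnmatchcase(host, pat.lstrip("!").lower()):
            if pat.startswith("!"):
                return False          # a matching negated pattern vetoes the block
            hit = True
    return hit

def resolve(config_text, host):
    """Return (identities_only, identity_files) that apply to host."""
    active, identities_only, files = True, None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value.split(), host)
        elif active and key == "identityfile":
            files.append(value)       # IdentityFile accumulates across matching blocks
        elif active and key == "identitiesonly" and identities_only is None:
            identities_only = value.lower() == "yes"   # first obtained value wins
    return bool(identities_only), files

def audit(config_text, host, max_auth_tries=2):
    """Assumption: each rejected key counts as one try against MaxAuthTries."""
    identities_only, files = resolve(config_text, host)
    # Without IdentitiesOnly, agent and default keys are offered too (count unknown).
    risky = (not identities_only) or len(files) >= max_auth_tries
    return {"host": host, "keys": files, "identities_only": identities_only, "risky": risky}
```

With the configuration as written, secure.myhost.com matches both the *.myhost.com and secure.myhost.com blocks and offers two keys; changing the first line to Host *.myhost.com !secure.myhost.com leaves it with one.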