[one-liner]: Working around the SSH error message: Too many authentication failures for root

Background

Yesterday I ran into an issue while trying to ssh to one of my computers. I started getting this error, Too many authentication failures for root. At first I thought it has something to do with PAM or some sort of login detection protection related to /var/log/btmp (a log file maintaining bad login attempts). Turns out it was due in fact to ssh itself. Read on for the details!

Solution

This problem is caused by the SSH server limiting the number of authentication attempts it allows per connection; every public key the client offers counts as one attempt, so a client with many keys loaded in ssh-agent can exhaust the limit before it ever gets to the right key. By default the limit is 6, set via this parameter in the server’s /etc/ssh/sshd_config file:

#MaxAuthTries 6

There are 4 ways to work around this:

Approach #1

Increase MaxAuthTries on the server (/etc/ssh/sshd_config). This is the least desirable way to fix this. It weakens the server against brute force attacks by allowing would-be attackers to throw more keys (or passwords) at the server for a given connection attempt. How much it’s weakened is questionable, but it is weakened by some amount.

Approach #2

Specify which key pair to use for a given host. This makes use of the user’s ~/.ssh/config file by tying a host and a key together. For example:

# ~/.ssh/config
Host foo
  HostName foo.example.com
  IdentityFile /home/USER/.ssh/foo

NOTE: the key pair in the above example would be foo and foo.pub!

Approach #3

Simply delete any unused key pairs and purge them from ssh-agent.

# delete all identities (key pairs) from the agent (memory)
% ssh-add -D

Approach #4

Again making use of the user’s ~/.ssh/config file, you can specify the option IdentitiesOnly and set it to yes like this:

# ~/.ssh/config
IdentitiesOnly yes

Followed by ssh-add -D to clear out any lingering identities.

According to the SSH man pages:

IdentitiesOnly
     Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if
     ssh-agent(1) offers more identities.  The argument to this keyword must be “yes” or “no”.  This option is intended
     for situations where ssh-agent offers many different identities.  The default is “no”.
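To see why approaches #2 and #4 work, it helps to know how ssh resolves its config: lines are read top to bottom, a line outside any Host block is global, the first value seen for a keyword wins, and IdentityFile is the exception that accumulates. The script below is an added example, not code from the original post; it reads a constructed ~/.ssh/config sample with a small awk routine that follows those rules for exact host aliases only (no wildcards or multi-pattern Host lines), and a check_host_pinned function reports whether a host is pinned to explicit identity files with IdentitiesOnly yes, which is what stops ssh from spraying every agent key at the server. The host names and paths are placeholders; against a real client, ssh -G <host> prints the same resolved values.

```shell
#!/bin/sh
# Added example (not from the original post). Mimics a subset of ssh_config(5)
# resolution so the effect of Approach #2 and #4 can be checked offline.
# Assumptions: exact host aliases only, one pattern per Host line, no spaces
# in paths. Real ssh(1) handles much more; prefer `ssh -G host` when available.

# Constructed sample ~/.ssh/config (placeholder user and host names).
SAMPLE_CONFIG='# ~/.ssh/config
IdentitiesOnly yes

Host foo
  HostName foo.example.com
  IdentityFile /home/USER/.ssh/foo

Host bar
  HostName bar.example.com
  IdentityFile /home/USER/.ssh/bar
  IdentityFile /home/USER/.ssh/bar-backup
'

# resolve_keyword <alias> <keyword>: print the value(s) ssh would use.
# Rules followed: global lines and a matching "Host <alias>" block apply;
# the first value seen for a keyword wins, except IdentityFile, which
# accumulates in the order it appears. Keywords are case-insensitive.
resolve_keyword() {
    alias="$1"; key="$2"
    printf '%s\n' "$SAMPLE_CONFIG" | awk -v alias="$alias" -v key="$key" '
        BEGIN { active = 1; found = 0; want = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        {
            kw = tolower($1)
            if (kw == "host") { active = ($2 == alias); next }
            if (!active || kw != want) next
            if (want == "identityfile") { print $2; next }   # accumulates
            if (!found) { print $2; found = 1 }             # first wins
        }'
}

# count_identity_files <alias>: number of IdentityFile entries that apply.
count_identity_files() {
    resolve_keyword "$1" IdentityFile | awk 'END { print NR }'
}

# check_host_pinned <alias>: succeeds only when IdentitiesOnly resolves to
# yes AND at least one IdentityFile applies, i.e. ssh will offer exactly the
# configured keys instead of everything ssh-agent holds.
check_host_pinned() {
    [ "$(resolve_keyword "$1" IdentitiesOnly)" = "yes" ] &&
    [ "$(count_identity_files "$1")" -ge 1 ]
}

# Stand-alone usage: report each sample host.
for h in foo bar nosuch; do
    if check_host_pinned "$h"; then
        printf '%s: pinned to %s\n' "$h" "$(resolve_keyword "$h" IdentityFile | tr '\n' ' ')"
    else
        printf '%s: NOT pinned (would offer all agent identities)\n' "$h"
    fi
done
```

The nosuch alias shows the failure mode the post describes: IdentitiesOnly yes is global, but with no IdentityFile for that host ssh has nothing explicit to offer, so the global setting alone does not fix a host that lacks its own stanza.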

Conclusions

Of the above mentioned approaches I would probably make use of #2 or #4.

References

NOTE: For further details regarding my one-liner blog posts, check out my one-liner style guide primer.
