Background
Yesterday I ran into an issue while trying to ssh to one of my computers. I started getting this error: Too many authentication failures for root. At first I thought it had something to do with PAM or some sort of login-detection protection related to /var/log/btmp (a log file maintaining bad login attempts). Turns out it was due in fact to ssh itself. Read on for the details!
Solution
This problem is caused by the SSH server limiting the number of authentication attempts it allows per connection; every public key the client offers and the server refuses counts as one attempt. By default the limit is 6, set via this parameter in the server's /etc/ssh/sshd_config file:

    #MaxAuthTries 6
There are 4 ways to work around this:
Approach #1
Increase MaxAuthTries on the server (/etc/ssh/sshd_config). This is the least desirable way to fix this: it weakens the server against brute-force attacks by allowing would-be attackers to throw more keys at the server for a given connection attempt. How much it is weakened is debatable, but it is weakened by some amount.
Approach #2
Specify which key pair to use for a given host. This makes use of the user's ~/.ssh/config file by tying a host and a key together. For example:

    # ~/.ssh/config
    Host foo
        HostName foo.example.com
        IdentityFile /home/USER/.ssh/foo
NOTE: the key pair in the above example would be foo and foo.pub!
Approach #3
Simply delete any unused key pairs and purge them from ssh-agent.
    # delete all identities (key pairs) from the agent (memory)
    % ssh-add -D
Approach #4
Again making use of the user's ~/.ssh/config file, you can specify the option IdentitiesOnly and set it to yes, like this:

    # ~/.ssh/config
    IdentitiesOnly yes

Follow this with ssh-add -D to clear out any lingering identities.
According to the SSH man pages:
    IdentitiesOnly
        Specifies that ssh(1) should only use the authentication identity files configured in the ssh_config files, even if ssh-agent(1) offers more identities. The argument to this keyword must be "yes" or "no". This option is intended for situations where ssh-agent offers many different identities. The default is "no".
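To see why approaches #2 and #4 work while a crowded ssh-agent hits the MaxAuthTries limit, here is an added example (not part of the original post) that models the order in which ssh offers public keys for a host, given a ~/.ssh/config and the keys loaded in the agent. The config text, the seven agent key paths and the "foo" host are constructed for the example; certificates and ssh's built-in default id_* files are left out of the model.

```python
import fnmatch
import re

MAX_AUTH_TRIES = 6  # sshd default; every refused public key counts as one try

def parse_ssh_config(text):
    # -> [(host_pattern, {keyword: [values]})]; lines before any Host go under '*'
    sections = [("*", {})]
    for raw in text.splitlines():
        m = re.match(r"(\w+)\s*(?:=|\s)\s*(.+)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            sections.append((value, {}))
        else:
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def offered_keys(sections, host, agent_keys):
    # Matching sections apply in file order: first value wins, IdentityFile accumulates
    opts = {}
    for pattern, section in sections:
        if any(fnmatch.fnmatch(host, p) for p in pattern.split()):
            for key, values in section.items():
                if key == "identityfile":
                    opts.setdefault(key, []).extend(values)
                else:
                    opts.setdefault(key, values[0])
    files = list(dict.fromkeys(opts.get("identityfile", [])))
    only = opts.get("identitiesonly", "no").lower() == "yes"
    # Simplified offer order: configured keys the agent holds, then the other
    # agent keys unless IdentitiesOnly is yes, then configured keys not in the agent
    keys = [f for f in files if f in agent_keys]
    if not only:
        keys += [k for k in agent_keys if k not in files]
    return keys + [f for f in files if f not in agent_keys]

def auth_outcome(keys, valid_key, max_auth_tries=MAX_AUTH_TRIES):
    # The valid key must come up before max_auth_tries keys have been refused.
    if valid_key not in keys:
        return "permission denied (valid key never offered)"
    if keys.index(valid_key) >= max_auth_tries:
        return "Too many authentication failures"
    return "success after %d refused key(s)" % keys.index(valid_key)

# Constructed sample: seven keys in ssh-agent, the one foo accepts loaded last.
AGENT_KEYS = ["/home/USER/.ssh/key%d" % i for i in range(1, 7)] + ["/home/USER/.ssh/foo"]
APPROACH_2 = "Host foo\n  HostName foo.example.com\n  IdentityFile /home/USER/.ssh/foo\n"
APPROACH_4 = "IdentitiesOnly yes\nIdentityFile /home/USER/.ssh/foo\n"
```

With an empty config the valid key is offered seventh and the server disconnects after six refusals; with either approach it is offered first.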
Conclusions
Of the above-mentioned approaches, I would probably make use of #2 or #4.