“Too many authentication failures” is an error message that can occur when trying to connect to an SSH server.
It indicates that the client has attempted to authenticate with the server using too many incorrect authentication methods or keys, exceeding the server’s configured maximum.
Let’s dive into this.
When connecting to an SSH server, the client sends its available authentication methods to the server, such as password-based authentication or public key-based authentication.
The server responds with a list of acceptable authentication methods, and the client then attempts to authenticate using the methods in the order specified by the server.
If the client has several keys or authentication methods configured and tries to use them all in a row, but none of them is accepted by the server, the server may respond with a “Too many authentication failures” error message, indicating that the maximum number of attempts has been exceeded.
This is a security feature to prevent brute-force attacks on the server.
To resolve this error, the user can try to connect again, making sure to provide the correct credentials or limit the number of keys or authentication methods being attempted by the client.
Alternatively, the server administrator can increase the maximum number of authentication attempts allowed on the server.
This article will cover how to fix Too many authentication failures for usernames in 3 ways.
Table of Contents
Understanding Too many authentication failures
SSH servers are commonly set up to allow for a maximum number of attempted authentications before rejecting the attempt.
It will try all the available credentials (such as certificate, public key, and stored credentials).
This setting for ssh servers is called “MaxAuthTries”, and the default value is 6.
When attempting to connect to an SSH server, if we have not told our SSH client specifically which key to use with the server, it will attempt to use all of our keys (one at a time) until it finds one that works.
If the key we need to use for the server is attempted by our client after the MaxAuthTries as configured by the server, our client will never reach the correct key and will fail its authentication attempt.
Error example 1:
Received disconnect from 192.168.3.123 port 22:2: Too many authentication failures
Disconnected from 192.168.3.123 port 22
Error Example 2:
Too many authentication failures
Sep 19 16:21:24 ubuntu sshd[192635]: error: maximum authentication attempts exceeded for testfest from 192.168.6.124 port 54324 ssh2 []
Sep 19 16:21:24 ubuntu sshd[192635]: Disconnecting: Too many authentication failures []
Sep 19 16:21:48 ubuntu su[192609]: pam_unix(su:session): session closed for user testfest
Solution for Too many authentication failures
If you receive the error message “Too many authentication failures “, it means that you make too many failed login attempts to a server.
A failed login attempt could occur for a variety of reasons but the most common reason is incorrect credentials such as wrong password.
There are a few reasons why too many authentication failures might happen:
- The user’s username and password might not be correct.
- The user might be connecting to the wrong server.
- The key file is not correct.
- Add too many key files with ssh-add command
If you are still getting this error, check the following solutions.
- Use a Specific SSH Key for a Specific SSH Server
- Increase MaxAuthTries in SSH server
Use a Specific SSH Key for a Specific SSH Server in configuration file
To use a specific SSH key for a specific SSH server in the configuration file, you can follow these steps:
Open or create the SSH configuration file, located at ~/.ssh/config, using your preferred text editor.
Add a new section for the SSH server you want to connect to, using the following syntax:
Host <server_name> HostName <server_address> IdentityFile <path_to_private_key>
Replace <server_name> with the name you want to use for the SSH server, <server_address> with the IP address or domain name of the SSH server, and <path_to_private_key> with the path to the private key file you want to use.
Save the configuration file and close it.
You can now connect to the SSH server using the specific key you specified in the configuration file by running the ssh command
Use a Specific SSH Key in command line
The -i option in the SSH command is used to specify the identity (private key) file to be used for authentication.
By default, SSH looks for the private key in the user’s home directory with the filename id_rsa or id_dsa.
However, if the private key has a different filename or is located in a different directory, the -i option is used to specify the path to the private key file.
Example:
ssh -i ~/keyfile ip address
Increase MaxAuthTries in SSH
# vi /etc/ssh/sshd_config or (sudo vi /etc/ssh/sshd_config)
we will see the “MaxAuthTries 6” .
- Click “i” to enter the editing mode in the file.
- After modifying “MaxAuthTries” to 10, we can click on ”Esc” and type “:wq” to save and exit the file.
- Fire the command “service sshd restart” or “sudo service sshd restart” in order to apply changes made in the file.
More info about MaxAuthTries in SSH
The MaxAuthTries setting tells the ssh daemon how many different authentication attempts a user can try before it disconnects.
Each ssh key loaded into ssh-agent counts as one authentication attempt.
The default is 6 because many users have multiple ssh keys loaded into ssh-agent so that we can automatically log into different hosts that use different ssh keys.
After the ssh connection attempts all of our ssh keys and we haven’t run out of attempts and passwords are enabled we will eventually get a password prompt.