howtouselinux

3 Ways to fix SSH Too many authentication failures

Table of Contents

This article will cover how to fix Too many authentication failures for usernames in 3 ways.

Understanding Too many authentication failures

SSH servers are commonly set up to allow for a maximum number of attempted authentications before rejecting the attempt. It will try all the available credentials (such as certificate, public key, and stored credentials).

This setting for ssh servers is called “MaxAuthTries”, and the default value is 6. When attempting to connect to an SSH server, if we have not told our SSH client specifically which key to use with the server, it will attempt to use all of our keys (one at a time) until it finds one that works.

If the key we need to use for the server is attempted by our client after the MaxAuthTries as configured by the server, our client will never reach the correct key and will fail its authentication attempt.

Error example 1:
Received disconnect from 192.168.3.123 port 22:2: Too many authentication failures
Disconnected from 192.168.3.123 port 22

Error Example 2:
Too many authentication failures
Sep 19 16:21:24 ubuntu sshd[192635]: error: maximum authentication attempts exceeded for testfest from 192.168.6.124 port 54324 ssh2 []
Sep 19 16:21:24 ubuntu sshd[192635]: Disconnecting: Too many authentication failures []
Sep 19 16:21:48 ubuntu su[192609]: pam_unix(su:session): session closed for user testfest

 

Solution for Too many authentication failures

If you receive the error message “Too many authentication failures “, it means that you make too many failed login attempts to a server. A failed login attempt could occur for a variety of reasons but the most common reason is incorrect credentials such as wrong password.

There are a few reasons why too many authentication failures might happen:

  • The user’s username and password might not be correct.
  • The user might be connecting to the wrong server.
  • The user’s key file is not correct.

 

If you are still getting this error, check the following solutions.

  • Use a Specific SSH Key for a Specific SSH Server
  • Increase MaxAuthTries in SSH server

 

Understanding SSH known_hosts File with Examples

 

Use a Specific SSH Key for a Specific SSH Server in configuration file

Open our SSH configuration file in our favorite editor: vi ~/.ssh/config. At the bottom of the file, add the following information:

#
Host *.hostname
PreferredAuthentications publickey
IdentityFile ~/.ssh/ourkeyfile
Port 22

Use a Specific SSH Key in command line

we can use ssh -i keyfile ip or hostname to connect our server.

Example:
ssh -i ~/keyfile ip address

Increase MaxAuthTries in SSH

# vi /etc/ssh/sshd_config or (sudo vi /etc/ssh/sshd_config)

we will see the “MaxAuthTries 6” .

  • Click “i” to enter the editing mode in the file.
  • After modifying “MaxAuthTries” to 10, we can click on ”Esc” and type “:wq” to save and exit the file.
  • Fire the command “service sshd restart” or “sudo service sshd restart” in order to apply changes made in the file.

 

More info about MaxAuthTries in SSH

The MaxAuthTries setting tells the ssh daemon how many different authentication attempts a user can try before it disconnects. Each ssh key loaded into ssh-agent counts as one authentication attempt.

The default is 6 because many users have multiple ssh keys loaded into ssh-agent so that we can automatically log into different hosts that use different ssh keys. Trying more than one ssh key isn’t the same as thumb-fingering a password — ssh is designed to allow for multiple key attempts.

After the ssh connection attempts all of our ssh keys and we haven’t run out of attempts and passwords are enabled we will eventually get a password prompt.

Understanding SSH Key with Examples

David Cao
David Cao

Hey there! I am David, a Cloud & DevOps Enthusiast and 18 years of experience as a Linux engineer. I work with AWS, Git & GitHub, Linux, Python, Ansible, and Bash. I am a technical blogger and a Software Engineer, enjoy sharing my learning and contributing to open-source.