Too many authentication failures for *username*
This is usually caused by inadvertently offering multiple ssh keys to the server. The server will reject any key after too many keys have been offered.
You can see this for yourself by adding the -v flag to your ssh command to get verbose output. You will see that a bunch of keys are offered, until the server rejects the connection saying: "Too many authentication failures for [user]". Without verbose mode, you will only see the ambiguous message "Connection reset by peer".
To prevent irrelevant keys from being offered, you have to explicitly specify this in every host entry in the ~/.ssh/config file (on the client machine) by adding IdentitiesOnly like so:
    Host www.somehost.com
      IdentityFile ~/.ssh/key_for_somehost_rsa
      IdentitiesOnly yes
      Port 22
If you use the ssh-agent, it helps to run ssh-add -D to clear the identities.
If you are not using any ssh hosts configuration, you have to explicitly specify the correct key in the ssh command like so:
    ssh -i some_id_rsa -o 'IdentitiesOnly yes' them@there:/path/
Note: the 'IdentitiesOnly yes' parameter needed to be between quotes.
or
    ssh -i some_id_rsa -o IdentitiesOnly=yes them@there:/path/
I found an easier way to do this (if using password authentication):
    ssh -o PubkeyAuthentication=no [email protected]
This forces non-key authentication. I was able to log on immediately.
I was getting this error too and found that it was happening b/c the server was configured to accept up to 6 tries:
/etc/ssh/sshd_config
    ...
    ...
    #MaxAuthTries 6
In addition to setting the IdentitiesOnly yes in your ~/.ssh/config file, you have a couple of other options.
1. Increase the MaxAuthTries (on the ssh server)
2. Delete some of the key pairs you have present in your ~/.ssh/ directory & run ssh-add -D
3. Explicitly link a key to a given host in your ~/.ssh/config file
Like so:
    host foo
      hostname foo.example.com
      IdentityFile /home/YOU/.ssh/foo
#1 is probably not a good way to go about it, given it weakens your ssh server a bit since it'll now accept more keys in a given connection attempt. Think brute force attack vectors here.
#2 is a good way to go assuming you have keys that are not needed and can be permanently deleted.
#3 and the approach of setting IdentitiesOnly are probably the preferred ways of dealing with this issue!
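
An added example (not from any of the answers above, and not part of OpenSSH): a POSIX sh/awk check for the advice that every host entry carry IdentitiesOnly yes. It flags, for instance, the host foo entry quoted above, which sets IdentityFile but not IdentitiesOnly. The function names and the legacy.example.net entry are made up for illustration.

```shell
# Added example, not from the answers on this page. Prints every Host entry
# whose effective IdentitiesOnly is not "yes". Assumptions: Include files are
# not followed, Match blocks are skipped, and only a bare "Host *" (or the
# top of the file) is treated as a default.
audit_identities_only() {
    awk '
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        if ($0 == "" || $0 ~ /^#/) next
        # Keywords are case-insensitive; "Key value" and "Key=value" both work.
        match($0, /^[A-Za-z]+/)
        key = tolower(substr($0, 1, RLENGTH))
        val = substr($0, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val); gsub(/"/, "", val)
        if (key == "host") { n++; name[n] = val; set[n] = ""; skip = 0 }
        else if (key == "match") skip = 1
        else if (key == "identitiesonly" && !skip) {
            v = tolower(val)
            if (n == 0 || name[n] == "*") { if (dflt == "") dflt = v }
            else if (set[n] == "") set[n] = v   # first value obtained wins
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            if (name[i] == "*") continue
            eff = (set[i] != "") ? set[i] : dflt
            if (eff != "yes") print name[i]
        }
    }' "$@"
}

# Constructed sample: the first two entries are the ones quoted in the
# answers above, the third is made up.
sample_config() {
    cat <<'EOF'
Host www.somehost.com
  IdentityFile ~/.ssh/key_for_somehost_rsa
  IdentitiesOnly yes
  Port 22
host foo
  hostname foo.example.com
  IdentityFile /home/YOU/.ssh/foo
Host legacy.example.net
  IdentityFile=~/.ssh/legacy
  identitiesonly = no
EOF
}

sample_config | audit_identities_only   # prints foo and legacy.example.net
```

To check a real file, run audit_identities_only ~/.ssh/config; no output means every listed Host entry is covered, either directly or by a Host * default.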