SSH aborts with Too many authentication failures
Solution 1
According to an older* ssh-config(5)
man page, ssh will always try all keys known by the agent in addition to any Identity Files:
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity files
configured in the ssh_config files, even if ssh-agent(1) offers more
identities. The argument to this keyword must be “yes” or “no”. This
option is intended for situations where ssh-agent offers many different
identities. The default is “no”.
IdentityFile
Specifies a file from which the user's DSA, ECDSA or RSA authentication
identity is read. The default is ~/.ssh/identity for protocol version 1,
and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for protocol
version 2. Additionally, any identities represented by the
authentication agent will be used for authentication. ssh(1) will try
to load certificate information from the filename obtained by
appending -cert.pub to the path of a specified IdentityFile.
To prevent this, one must specify IdentitiesOnly=yes
in addition to the explicitly provided private key.
For example, running the ssh
command below:
$ ssh -i /home/henk/.vagrant.d/insecure_private_key \
[email protected] echo ok
produces:
Received disconnect from 192.168.222.111: 2: Too many authentication
failures for vagrant
However, running the same ssh
command and, in addition, specifying IdentitiesOnly=yes
:
$ ssh -o IdentitiesOnly=yes \
-i /home/henk/.vagrant.d/insecure_private_key [email protected] echo ok
produces:
ok
* Note: The OpenBSD project hosts up to date docs for IdentitiesOnly and IdentityFile. These include extra text for new features that do not change the essence of this answer.
Solution 2
So I had 5 keys in my ssh-agent
and despite the explicit option of using the vagrant ssh key it still insisted on looping through keys in my agent before reaching max_tries conveniently before getting to the right key.
To check you have this problem:
Run ssh-add -l
- if this list is > 5 you need to remove keys or disable the agent.
To fix:
Run ssh-add -d ~/.ssh/X
where X
is the key you want to remove.
Solution 3
After I tried all advises here without success, I recognized that my problem was the new authentication method (GSSAPI), which was always unsuccessful.
I solved this by editing ~/.ssh/config
file:
Host *
GSSAPIAuthentication no
Hope this helps somebody too.
Solution 4
To prevent failure from trying too many keys, we can ssh using -o 'IdentitiesOnly=yes'
e.g ssh -i privateKey -o 'IdentitiesOnly=yes' user@host
alternatively, we can add the following lines to ~/.ssh/config file
Host *
IdentitiesOnly yes
Solution 5
I ran into this same error while trying to run an ansible playbook. I ended up supplying the IdentitiesOnly ssh option using --ssh-extra-args
:
ansible-playbook -i ../.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory playbook.yml --ssh-extra-args="-o IdentitiesOnly=yes"
Related videos on Youtube
Comments
-
Ashley over 1 year
I'm attempting to run this simple provisioning script but I'm encountering errors when running
vagrant up
and thenvagrant provision
commands.I read that I needed to create a
/etc/ansible/hosts
file which I've done, populating it with:[vagrant] 192.168.222.111
My SSH config (some details removed):
Host default HostName 127.0.0.1 User vagrant Port 2222 UserKnownHostsFile /dev/null StrictHostKeyChecking no PasswordAuthentication no IdentityFile /Users/ashleyconnor/.vagrant.d/insecure_private_key IdentitiesOnly yes LogLevel FATAL Host server HostName XXX.XXX.XXX.XXX User ash PreferredAuthentications publickey IdentityFile ~/.ssh/ash_ovh Host deployer HostName XXX.XXX.XXX.XXX User deployer PreferredAuthentications publickey IdentityFile ~/.ssh/deployer_ovh Host bitbucket.org PreferredAuthentications publickey IdentityFile ~/.ssh/bitbucket Host github.com PreferredAuthentications publickey IdentityFile ~/.ssh/github Host staging HostName 192.168.56.10 User deployer PreferredAuthentications publickey IdentityFile ~/.ssh/id_rsa
The SSH output I'm receiving seems to churn through all my keys:
<192.168.222.111> ESTABLISH CONNECTION FOR USER: vagrant <192.168.222.111> REMOTE_MODULE setup <192.168.222.111> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/Users/ashleyconnor/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'IdentityFile=/Users/ashleyconnor/.vagrant.d/insecure_private_key', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=vagrant', '-o', 'ConnectTimeout=10', '192.168.222.111', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1394317116.44-226619545527061 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1394317116.44-226619545527061 && echo $HOME/.ansible/tmp/ansible-tmp-1394317116.44-226619545527061'"] fatal: [192.168.222.111] => SSH encountered an unknown error. The output was: OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 debug1: Reading configuration data /Users/ashleyconnor/.ssh/config debug1: Reading configuration data /etc/ssh_config debug1: /etc/ssh_config line 20: Applying options for * debug1: /etc/ssh_config line 53: Applying options for * debug1: auto-mux: Trying existing master debug1: Control socket "/Users/ashleyconnor/.ansible/cp/ansible-ssh-192.168.222.111-22-vagrant" does not exist debug2: ssh_connect: needpriv 0 debug1: Connecting to 192.168.222.111 [192.168.222.111] port 22. debug2: fd 3 setting O_NONBLOCK debug1: fd 3 clearing O_NONBLOCK debug1: Connection established. debug3: timeout: 10000 ms remain after connect debug3: Incorrect RSA1 identifier debug3: Could not load "/Users/ashleyconnor/.vagrant.d/insecure_private_key" as a RSA1 public key debug1: identity file /Users/ashleyconnor/.vagrant.d/insecure_private_key type -1 debug1: identity file /Users/ashleyconnor/.vagrant.d/insecure_private_key-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1 debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH_5* debug2: fd 3 setting O_NONBLOCK debug3: load_hostkeys: loading entries for host "192.168.222.111" from file "/Users/ashleyconnor/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /Users/ashleyconnor/.ssh/known_hosts:20 debug3: load_hostkeys: loaded 1 keys debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: [email protected],zlib,none debug2: kex_parse_kexinit: [email protected],zlib,none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 [email protected] debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 [email protected] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 119/256 debug2: bits set: 527/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: RSA 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 debug3: load_hostkeys: loading entries for host "192.168.222.111" from file "/Users/ashleyconnor/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /Users/ashleyconnor/.ssh/known_hosts:20 debug3: load_hostkeys: loaded 1 keys debug1: Host '192.168.222.111' is known and matches the RSA host key. debug1: Found key in /Users/ashleyconnor/.ssh/known_hosts:20 debug2: bits set: 511/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /Users/ashleyconnor/.ssh/id_rsa (0x7fc212600540), debug2: key: /Users/ashleyconnor/.ssh/bitbucket (0x7fc212600730), debug2: key: /Users/ashleyconnor/.ssh/deployer (0x7fc212600a00), debug2: key: /Users/ashleyconnor/.ssh/github (0x7fc212600c80), debug2: key: /Users/ashleyconnor/.ssh/ash_ovh (0x7fc212601010), debug2: key: /Users/ashleyconnor/.ssh/deployer_ovh (0x7fc2126011e0), debug2: key: /Users/ashleyconnor/.vagrant.d/insecure_private_key (0x0), explicit debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey debug3: authmethod_lookup publickey debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /Users/ashleyconnor/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password debug1: Offering RSA public key: /Users/ashleyconnor/.ssh/bitbucket debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password debug1: Offering RSA public key: /Users/ashleyconnor/.ssh/deployer debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password debug1: Offering RSA public key: /Users/ashleyconnor/.ssh/github debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password debug1: Offering RSA public key: /Users/ashleyconnor/.ssh/ash_ovh debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password debug1: Offering RSA public key: /Users/ashleyconnor/.ssh/deployer_ovh debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply Received disconnect from 192.168.222.111: 2: Too many authentication failures for vagrant
The
vagrant ssh
command works fine.-
Carlo Piovesan almost 10 yearsPossible Duplicate: serverfault.com/questions/139870/…
-
Ashley almost 10 yearsSlightly different. Vagrant injects it's key when you run
vagrant ssh
and this question involved only keyless authentication. -
Brett Lykins almost 7 yearsAdding a note for other people Googling this. Cisco Nexus switches suffer from this same problem. Solved in the same way as pointed out by @HenkLangeveld below:
IdentitiesOnly=yes
-
-
Ashley about 10 yearsI originally copied the config from
vagrant ssh-config
but I checked again and it's identical. I can alsocat /Users/ashleyconnor/.vagrant.d/insecure_private_key
and have adequate permissions. -
Carlo Piovesan about 10 yearsMake sure noone else can read or write the file.
-
Carlo Piovesan about 10 yearsDoes the remote host have a user
vagrant
? -
Ashley about 10 yearsYes. When I run
vagrant ssh
it connects as user vagrant -
Carlo Piovesan about 10 yearsHow does vagrant ssh connect to your remote host?
-
Carlo Piovesan about 10 years
-
Carlo Piovesan about 10 yearsAfter installing the mazer-rackham repo and with this information I could reproduce your problem and I've added an alternative: Make sure that the vagrant key is known by the agent.
-
Ashley about 10 yearsI added it to the agent but still had to remove keys. Maybe the order you add to the agent matters? EDIT: Just read your edit.
-
Carlo Piovesan about 10 yearsEdit: Removed incorrect assumption about needing to add the vagrant key to the agent. This reduces the answer to its essence. Let's see if we can find a duplicate...
-
rubo77 almost 10 yearsI have the same problem, but I don't understand how you fixed this? I cannot remove any of the keys from my
~/.ssh/
folder, I need then -
Ashley almost 10 yearsYou are not removing the keys from your
~.ssh
folder - you are removing the keys from thessh-agent daemon
. You can always add them back later. See here for more info. -
Robert Siemer over 9 yearsThis seems to make up one slot at least! My setup with 5 keys via ssh-agent works again. I guess it will fail with 6 keys, though...
-
davil about 8 yearsThanks for the explanation! When using a
.ssh/config
file, the syntax isIdentitiesOnly yes
in the appropriateHost
sections. -
Carlo Piovesan about 8 yearsCorrect,
ssh -o Option=Value
becomesOption Value
in the config file. -
RollRoll over 6 yearsforgive if the question is too basic but, is "IdentitiesOnly=yes" on the server side or an argument to pass from client? It looks like the second..
-
Carlo Piovesan over 6 years@ThePoet Indeed, mentioned it as an
ssh
client option. -
Mast over 3 yearsHow is this related to the original question?
-
Benargee over 3 yearsYou're right, this is only semi related.