Introduction

SSH servers enforce a MaxAuthTries limit (default 6) to protect against brute force password attacks. When this limit is exceeded, the server disconnects with "Received disconnect: Too many authentication failures". This can affect legitimate users who have multiple SSH keys loaded in their agent, because every key the client offers and the server rejects counts as one failed authentication attempt. Users with 10+ keys in their agent may exhaust the limit before their correct key is tried.

Symptoms

  • ssh user@host disconnects with Received disconnect from X port 22: 2: Too many authentication failures for user
  • Authentication failed. after several key offers
  • ssh -v shows multiple Offering public key: lines before disconnect
  • Connection works with ssh -o IdentitiesOnly=yes but not without it
  • Server log shows maximum authentication attempts exceeded

Common Causes

  • SSH agent has many keys loaded, each counting toward MaxAuthTries
  • MaxAuthTries set very low (e.g., 3) by security hardening
  • User's correct key is not the first one tried by the SSH client
  • Fail2ban or similar tools reducing effective attempt count
  • Multiple SSH keys added via ssh-add over time without cleanup

Step-by-Step Fix

  1. Check which keys are being offered:
```bash
ssh -v user@host 2>&1 | grep "Offering public key"
# Count the number of keys offered before your correct one
```
  2. Connect with only the specific key:
```bash
ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519_correct user@host
# IdentitiesOnly stops the client from offering every key held in the agent
```
  3. Clean up the SSH agent:
```bash
# List all loaded keys
ssh-add -l
# Remove all keys
ssh-add -D
# Add only the key you need
ssh-add ~/.ssh/id_ed25519_correct
```
  4. Configure SSH to prefer specific keys per host:
```bash
# In ~/.ssh/config:
Host production
    HostName prod.example.com
    User deploy
    IdentityFile ~/.ssh/prod_key
    IdentitiesOnly yes
```
  5. Adjust MaxAuthTries on the server if appropriate:
```bash
sudo nano /etc/ssh/sshd_config
# Change from the default 6 to a higher value if needed, e.g.:
#   MaxAuthTries 10
# Note: lower values are more secure against brute force
sudo sshd -t && sudo systemctl restart sshd   # validate the config before restarting
```
  6. Configure server-side key-only authentication to reduce attempts:
```bash
sudo nano /etc/ssh/sshd_config
# Disable password authentication entirely by setting:
#   PasswordAuthentication no
#   PubkeyAuthentication yes
sudo sshd -t && sudo systemctl restart sshd   # validate the config before restarting
```
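As an added example (not part of the original article), the check in step 1 can be scripted: the function below reads saved `ssh -v` output, counts the keys the client offered before the server gave up, lists their paths, and prints the fix from steps 2 and 3. The log lines and the 203.0.113.10 address are constructed sample data.

```bash
#!/bin/sh
# Constructed sample of OpenSSH client verbose output (not a real capture):
# seven agent keys are offered and the server then closes the connection.
SAMPLE_LOG='debug1: Offering public key: /home/u/.ssh/id_rsa_old RSA SHA256:aaaa agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/u/.ssh/id_rsa_ci RSA SHA256:bbbb agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/u/.ssh/id_ed25519_work ED25519 SHA256:cccc agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/u/.ssh/id_ecdsa_lab ECDSA SHA256:dddd agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/u/.ssh/id_rsa_legacy RSA SHA256:eeee agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/u/.ssh/id_rsa_vendor RSA SHA256:ffff agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/u/.ssh/id_ed25519_home ED25519 SHA256:0000 agent
Received disconnect from 203.0.113.10 port 22: 2: Too many authentication failures
Disconnected from 203.0.113.10 port 22'

# offered_keys LOG -> number of "Offering public key" lines in LOG
offered_keys() {
  printf '%s\n' "$1" | grep -c 'Offering public key:' || true
}

# hit_limit LOG -> success when the server disconnected for too many failures
hit_limit() {
  printf '%s\n' "$1" | grep -q 'Too many authentication failures'
}

# diagnose LOG MAXAUTHTRIES -> verdict plus the offered key paths; returns 1 on a hit
diagnose() {
  log=$1; limit=${2:-6}
  n=$(offered_keys "$log")
  if hit_limit "$log"; then
    echo "server disconnected after $n key offers (MaxAuthTries on this server: $limit):"
    printf '%s\n' "$log" | sed -n 's/.*Offering public key: \([^ ]*\).*/  \1/p'
    echo "fix: ssh -o IdentitiesOnly=yes -i <correct key>, or trim the agent with ssh-add -D"
    return 1
  fi
  echo "$n key offers, within MaxAuthTries $limit"
}

diagnose "$SAMPLE_LOG" 6 || true
```

To run it against a real session, capture the output with `ssh -v user@host 2>&1 | tee ssh.log` and call `diagnose "$(cat ssh.log)" 6`.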

Prevention

  • Use IdentitiesOnly yes in SSH config for all production hosts
  • Keep the SSH agent clean - remove keys that are no longer needed
  • Use SSH certificates instead of individual keys for large key inventories
  • Implement bastion hosts to reduce the number of keys each user needs
  • Monitor failed SSH attempts with fail2ban but configure it to not lock out legitimate users