I was working with a new Linux distro and after creating a brand-new VM with a single login I attempted to ssh into the VM only to be greeted with:
Received disconnect from 10.0.0.180 port 22:2: Too many authentication failures Disconnected from 10.0.0.180 port 22
It was a new VM, and I hadn’t loaded an ssh key (there was no option to do so in the install). I’d set up a user and password, so I expected to get a password prompt. I didn’t get to a password prompt, just an immediate disconnect.
I used ssh -vvv
to connect and found that my ssh client was attempting to use my ssh keys, as ssh is supposed to, and on the third key the VM spat back the error:
Received disconnect from 10.0.0.180 port 22:2: Too many authentication failures Disconnected from 10.0.0.180 port 22
Well, I wanted to connect with a password anyhow, so I tried:
ssh -o PubkeyAuthentication=no username@10.0.0.180
I was greeted with a password:
prompt.
I checked the /etc/ssh/sshd_config
and found that someone who’d built the install image had changed the default setting for MaxAuthTries
from 6
to 2
.
The MaxAuthTries
setting tells the ssh daemon how many different authentication attempts a user can try before it disconnects. Each ssh key loaded into ssh-agent counts as one authentication attempt. The default is 6 because many users (like me) have multiple ssh keys loaded into ssh-agent so that we can automatically log into different hosts that use different ssh keys. Trying more than one ssh key isn’t the same as thumb-fingering a password — ssh is designed to allow for multiple key attempts. After the ssh connection attempts all of your ssh keys and you haven’t run out of attempts and passwords are enabled you’ll eventually get a password prompt.
Setting MaxAuthTries
back to the more reasonable default of 6
and reloading the sshd daemon fixed the issue. Apparently whoever tested the setup only has one ssh key and wasn’t aware of what changing the MaxAuthTries
setting does when people with more than one key attempt to log in.
Alternatively, if it’s someone else’s server and you can’t change the /etc/ssh/sshd_config
file, you can also add these lines to your local ~/.ssh/config
file:
Host 10.0.0.180 PubkeyAuthentication no
If you’re concerned about ssh security sshd_config
allows you to control what versions of the ssh protocol are supported, which ciphers you trust (or don’t trust), and to tune other settings that lock down what you will or won’t allow ssh to do in your environment. It may be that for some applications in some environments setting MaxAuthTries 2
makes sense, but using it for an out of the box installation just breaks ssh for no good reason.
Hope you find this useful.