Many SSH keys and Authentication failures
This will be a short post, but I must write about it so I don’t waste time again the next time I have the problem…
While I was reinstalling my uConsole from scratch with Debian Trixie (as the upgrade from Bookworm does not work) and writing my next post about my full uConsole setup, I stumbled upon a weird error when trying to connect to it via SSH.
After the fresh install, I ensured that SSH was enabled at boot and currently running, and I reviewed the configuration, where I disabled root access but permitted user password authentication. That’s what I usually start with so I can copy my key via ssh and then change the sshd configuration again to only allow connection via keys. Nothing I haven’t done countless times before!
So after checking in the sshd config that password authentication was set to yes and the port was the correct one, I opened a terminal on my desktop and fired the ssh command as usual (ssh <ipOfUConsole>), only to see this error message:
Received disconnect from <IpOfUConsole> port 22:2: Too many authentication failures
Hm? I haven’t even tried entering any password yet, so how could I have hit the maximum of failures already?
Last year, after losing everything, I redid my ssh config in a cleaner way, with more unique ssh keys and dedicated config files included from the main ~/.ssh/config file. You can read more about my ssh setup here.
Well, one thing I didn’t know was that when connecting to a new ssh server that is not part of any of my ssh config files, all my identities would be tried before it eventually asks me for a password. And apparently I have reached a number that is considered too many, because it fails before actually asking for it…
The fix is quite simple and obvious once you understand the problem: simply add the following snippet at the top of ~/.ssh/config, before all the includes:
Host *
IdentitiesOnly=yes
This forces the ssh client to offer only the identities explicitly given on the command line, configured for the host with IdentityFile, or present under the default file names, even if ssh-agent holds more keys. So when ssh-ing into a new box, it will not try every loaded key unless I tell it to on the command line.
One way of testing it before changing your config is to force IdentitiesOnly on the command line:
ssh -o IdentitiesOnly=yes <login>@<IP>
If that works, it means this is indeed the problem.
But in any case, I do think it is better to always force it when having so many ssh keys anyway.
So now it is part of my configuration, which looks like this:
Host *
IdentitiesOnly=yes
Include config.d/<fileA>
Include config.d/<fileB>
…
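As an added example (not part of the original post, and not something the author's setup uses), here is a small POSIX shell check for an ssh client config file. It reports whether "IdentitiesOnly yes" is set under a global "Host *" block, whether that block comes before the first Include (so it wins, since ssh keeps the first value it finds for an option), and how many IdentityFile entries the top-level file declares. The reason the count matters is on the server side: each public key the client offers and sshd rejects counts as one attempt against MaxAuthTries (6 by default), which is where "Too many authentication failures" comes from. The sample config files written by write_samples are constructed for the demo; the check only reads the file it is given and does not follow Include lines.

```shell
#!/bin/sh
# Added example: audit an ssh_config for a global "IdentitiesOnly yes".
# check_identities_only <config-file>
#   exit 0 when "IdentitiesOnly yes" is set under "Host *", 1 otherwise,
#   and print a short verdict. Include lines are noted but not followed.
check_identities_only() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)      # drop comments
            gsub(/=/, " ", line)      # ssh_config allows "Key=value"; normalise to "Key value"
            $0 = line                 # re-split the cleaned line into fields
            if (NF == 0) next
            key = tolower($1)
            if (key == "host")    { in_global = (NF == 2 && $2 == "*"); next }
            if (key == "match")   { in_global = 0; next }   # a Match block ends the Host block
            if (key == "include") { includes++; next }
            if (key == "identityfile") { idfiles++; next }
            if (key == "identitiesonly" && tolower($2) == "yes" && in_global) {
                global_ok = 1
                if (includes == 0) before_include = 1
            }
        }
        END {
            printf "IdentityFile entries in this file: %d\n", idfiles
            if (!global_ok) {
                print "No \"IdentitiesOnly yes\" under \"Host *\": every loaded identity may be offered to unknown hosts"
                exit 1
            }
            if (!before_include)
                print "\"IdentitiesOnly yes\" is set under \"Host *\" but after an Include; move it above the includes so it takes precedence"
            else
                print "OK: \"IdentitiesOnly yes\" is set globally before any Include"
            exit 0
        }
    ' "$1"
}

# write_samples <dir>: constructed sample configs for the demo (not real hosts).
write_samples() {
    cat > "$1/good.conf" <<'EOF'
# constructed sample: global setting before the includes
Host *
    IdentitiesOnly yes
Include config.d/work
Include config.d/home
Host laptop
    HostName 192.0.2.10
    IdentityFile ~/.ssh/laptop_ed25519
EOF
    cat > "$1/late.conf" <<'EOF'
# constructed sample: global setting present, but after an Include
Include config.d/work
Host *
    IdentitiesOnly yes
EOF
    cat > "$1/bad.conf" <<'EOF'
# constructed sample: many keys, no global IdentitiesOnly
Host work
    IdentityFile ~/.ssh/work_ed25519
Host home
    IdentityFile ~/.ssh/home_ed25519
Host git
    IdentityFile ~/.ssh/git_ed25519
EOF
}

# demo: run the check over the three constructed samples and show the verdicts.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in good late bad; do
        echo "== $f.conf"
        check_identities_only "$dir/$f.conf" || echo "(exit status $?)"
    done
    rm -rf "$dir"
}

demo
```

To audit your own setup, run check_identities_only on ~/.ssh/config; to see which keys the client actually offers to a given host, ssh -v lists each "Offering public key" line, which is the quickest way to confirm the global setting is taking effect.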
I also edited that old blog post about my ssh config just in case.