ssh-agent and “Received disconnect from 1.2.3.4 port 22:2: Too many authentication failures” error

I keep my ssh keys, each locked with a password, in KeePassXC, which is in turn locked with a YubiKey with fingerprint as 2FA – pretty decent, I’d say 🙂
Once KeePassXC is unlocked, it automatically adds all of the keys to the ssh-agent. That means that when you use ssh-agent (and you most probably want to) to connect to a remote machine, the agent offers every key it holds, one by one, until one matches. The servers, on their side, are usually limited to three, sometimes six attempts, and that’s it – if your key was loaded into the ssh-agent as the 10th one, for instance, you’ll receive something like:

Received disconnect from 1.2.3.4 port 22:2: Too many authentication failures

One way to fix it is on the server side, by raising the limit – but that’s unrealistic: you’d have to do it on each and every server you connect to. Also, you cannot fix it with an “IdentityFile ~/.ssh/some_key” entry, because the key lives only in the ssh-agent, and only while KeePassXC is unlocked.

Hopefully, you’ll have keys of different types: some will be RSA, some others ECDSA, others yet ED25519…

What you can do, at least until you again accumulate more keys of one type than a remote server allows, is to pin down which type of key should be offered to which host – currently, this works for me:

Host 1.2.3.4
    …
    PreferredAuthentications publickey
    PubkeyAuthentication yes
    PubkeyAcceptedAlgorithms ssh-ed25519
    …
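As an added example (not code from the post), the script below checks how many keys of each type the agent would offer, flags any type that exceeds a server’s MaxAuthTries (OpenSSH’s default is 6), and prints the per-host stanza above for one chosen type. The `ssh-add -l` lines are a constructed sample with placeholder fingerprints, and mapping ECDSA to the P-256 algorithm name is an assumption, since `ssh-add -l` does not show the curve.

```shell
#!/bin/sh
# Added example, not from the original post. Input lines have the shape
# printed by `ssh-add -l`:  <bits> <fingerprint> <comment> (<TYPE>)

# Constructed sample of `ssh-add -l` output (fingerprints are placeholders);
# for real use, pipe `ssh-add -l` into the functions below instead.
SAMPLE_AGENT_LIST='3072 SHA256:placeholder01 work laptop (RSA)
3072 SHA256:placeholder02 build server (RSA)
4096 SHA256:placeholder03 old backup host (RSA)
3072 SHA256:placeholder04 git (RSA)
3072 SHA256:placeholder05 vps-1 (RSA)
3072 SHA256:placeholder06 vps-2 (RSA)
3072 SHA256:placeholder07 router (RSA)
256 SHA256:placeholder08 nas (ECDSA)
256 SHA256:placeholder09 prod (ED25519)
256 SHA256:placeholder10 staging (ED25519)'

# Print "TYPE count" for each key type, reading agent lines from stdin.
count_key_types() {
  awk '{ t = $NF; gsub(/[()]/, "", t); n[t]++ }
       END { for (t in n) print t, n[t] }' | sort
}

# Exit 0 when every key type fits within $1 tries, 1 otherwise (offenders printed).
check_within_limit() {
  count_key_types | awk -v max="$1" \
    '$2 > max { bad = 1; print $1 ": " $2 " keys exceed MaxAuthTries " max }
     END { exit bad }'
}

# Map an agent key type to the PubkeyAcceptedAlgorithms value for that type.
algos_for_type() {
  case "$1" in
    ED25519) echo ssh-ed25519 ;;
    RSA)     echo rsa-sha2-512,rsa-sha2-256 ;;
    ECDSA)   echo ecdsa-sha2-nistp256 ;;  # assumes a P-256 key
    *)       return 1 ;;
  esac
}

# Emit the ~/.ssh/config stanza from the post, restricted to one key type.
suggest_stanza() {  # $1 = host, $2 = key type as shown by ssh-add -l
  printf 'Host %s\n    PreferredAuthentications publickey\n' "$1"
  printf '    PubkeyAuthentication yes\n    PubkeyAcceptedAlgorithms %s\n' \
    "$(algos_for_type "$2")"
}

# With 7 RSA keys the sample breaks the default limit, so a stanza is printed.
printf '%s\n' "$SAMPLE_AGENT_LIST" | check_within_limit 6 || suggest_stanza 1.2.3.4 ED25519
```

OpenSSH’s IdentityFile also accepts a public-key (.pub) file, and combined with IdentitiesOnly yes it limits the agent to that one key; the stanza above sticks to the PubkeyAcceptedAlgorithms approach the post uses.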

A nicer solution would be to be able to state the key’s fingerprint explicitly, with something like

Host 1.2.3.4
    ...
    PubkeySHA SoMEShA256HerE...
    ...

in the ~/.ssh/config, but I couldn’t find anything like that.
