Too Many Authentication Failures for Root

1 minute read

I recently had an annoying encounter with the error message: Too many authentication failures for root. I found out this can be caused because you've hoarded too many SSH keys :)

So serves me right, but let's see what happens exactly.

Consider this paste:

$ ssh -vvv root@67.23.163.74 2>&1 |egrep '(public|fail)'
debug3: Could not load "/Users/kevin/.ssh/id_rsa" as a RSA1 public key
debug3: Could not load "/Users/kevin/.ssh/id_dsa" as a RSA1 public key
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /Users/kevin/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/kevin/.ssh/kevin_201011_true
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/kevin/.ssh/transkey.pem
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/kevin/.ssh/kevin_201211_true
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/kevin/.ssh/kevin_201205_true
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/kevin/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
Received disconnect from 67.23.163.74: 2: Too many authentication failures for root

It tries 6 different SSH keys it found laying around on my system before asking for a password. I knew SSH automagiclly looks for the best way to authenticate you. No problem there.

But the serverside counts each try as a failure! Apparently SSHD was configured to only allow so many (6) failures for a user (root), hence SSH never even bothered asked for the password that should be working for this box.

This server was freshly delivered by a colo provider, so I really could not get in any other way. To fix, I could have cleaned up my keys, but instead I disabled login by Public key authentication:

$ ssh -o PubkeyAuthentication=no root@67.23.163.74

And this fixed the issue.

Afterwards I could set up proper public keys and disable password login altogether.

Tricky though, so I thought I'd share :)

Leave a Comment Right Here