Too Many Authentication Failures for Root

Author: Kevin van Zonneveld (@kvz)

I recently had an annoying encounter with the error message:
Too many authentication failures for root.
I found out this can happen when you've hoarded too many SSH keys :)
So serves me right, but let's see what happens exactly.
Consider this paste:
```console
$ ssh -vvv root@67.23.163.74 2>&1 |egrep '(public|fail)'
debug3: Could not load "/Users/kevin/.ssh/id_rsa" as a RSA1 public key
debug3: Could not load "/Users/kevin/.ssh/id_dsa" as a RSA1 public key
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /Users/kevin/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/kevin/.ssh/kevin_201011_true
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/kevin/.ssh/transkey.pem
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/kevin/.ssh/kevin_201211_true
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/kevin/.ssh/kevin_201205_true
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/kevin/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
Received disconnect from 67.23.163.74: 2: Too many authentication failures for root
```
It tries 6 different SSH keys it found lying around on my system before asking for a password. I knew SSH automagically looks for the best way to authenticate you. No problem there.
But the server side counts each try as a failure! Apparently sshd was configured to only allow so many (6) failures for a user (root), so SSH never even bothered to ask for the password that should be working for this box.
This server was freshly delivered by a colo provider, so I really could not get in any other way. To fix, I could have cleaned up my keys, but instead I disabled login by public key authentication:
```console
$ ssh -o PubkeyAuthentication=no root@67.23.163.74
```
And this fixed the issue.
Afterwards I could set up proper public keys and disable password login altogether.
Tricky though, so I thought I'd share :)
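To check whether a failed login matches the pattern above, the following added example (not code from the original post) counts the key offers in `ssh -v` output and compares them with the server's failure limit. The function names, the sample log and its paths and address are constructed for illustration; `IdentitiesOnly` is a standard `ssh_config` option that limits the client to explicitly configured keys.

```bash
#!/usr/bin/env bash
# Added example. sample_log is constructed: the key paths and the
# 192.0.2.10 documentation address are made up for illustration.
sample_log() {
cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/alice/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /home/alice/.ssh/old_laptop
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /home/alice/.ssh/cloud.pem
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /home/alice/.ssh/work_2011
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /home/alice/.ssh/work_2012
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /home/alice/.ssh/id_rsa
Received disconnect from 192.0.2.10: 2: Too many authentication failures for root
EOF
}

# Count the keys the client offered; the server counts each one as an attempt.
# The pattern also matches the newer "Offering public key: <path> <type>" form.
count_key_offers() {
  awk '/^debug1: Offering .*public key/ { n++ } END { print n + 0 }'
}

# diagnose [LIMIT]: read "ssh -v" output on stdin and print a verdict.
# LIMIT is the server's failure limit (6 in the post). Returns 0 when key
# offers alone reached it and the server disconnected, otherwise 1.
diagnose() {
  local limit="${1:-6}" log offers
  log="$(cat)"
  offers="$(printf '%s\n' "$log" | count_key_offers)"
  if printf '%s\n' "$log" | grep -q 'Too many authentication failures' &&
     [ "$offers" -ge "$limit" ]; then
    echo "exhausted: $offers key offers reached limit $limit before any password prompt"
    echo "retry with: ssh -o IdentitiesOnly=yes -i <keyfile> ... or -o PubkeyAuthentication=no"
    return 0
  fi
  echo "ok: $offers key offers, limit $limit"
  return 1
}

sample_log | diagnose 6
```

On a real failure, pipe the client's own output in with `ssh -v user@host 2>&1 | diagnose 6`.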
Legacy Comments (7)
These comments were imported from the previous blog system (Disqus).
Or put your ssh rules into a config file ~/.ssh/config
```
Host mydomain.net
    User root
    IdentityFile ~/.ssh/mykey1

Host 67.23.163.74
    PubkeyAuthentication no
    User root
```
Yes that's nice, although in this case I wanted to enable public key authentication right after I was able to log into the box, so this would be a one time thing.
For sure, it's more useful in a LAN context.
Thanks for that,
I thought it was something else at first but then when I got the error on a completely different server I became suspicious it was something I had done.
This was annoyingly the problem I was having. Thanks,
Thank you! This helped me.
Thank you, I was unable to login to my new server and this helped.