problem hub
Sensitive outputSSH too many authentication failures
Check auth logs, loaded agent keys, explicit identity selection, and verbose client output before changing sshd or deleting keys.
Safest first command
grep -i 'Too many authentication failures' /var/log/auth.log /var/log/secure 2>/dev/null | tail -20
Before you run this
Expected output: Recent SSH auth log lines showing the user, source, and too-many-authentication-failures message.
When not to use it: Do not share auth logs, key fingerprints, usernames, IPs, or hostnames without redaction.
Expected output example
Jul 04 12:15:20 host sshd[1944]: error: maximum authentication attempts exceeded for deploy from 203.0.113.8 port 51222 ssh2 [preauth]
How to read the result
The server may close the connection because the client offered too many wrong keys before the right one. Agent inventory and an explicit identity test are next.
What to check next
Auth log says maximum attempts exceeded
Means: Client likely offered too many keys.
Next step: List agent keys on the client.
Agent has many keys
Means: Force the intended identity for a narrow test.
Next step: Use IdentitiesOnly with one key.
Explicit key still fails
Means: The key, user, or server authorized_keys path may be wrong.
Next step: Run verbose auth test and then inspect authorized_keys permissions.
SSH identity decision tree
Separate server policy from client identity selection. Many failures come from the client offering too many unrelated keys.
grep -i 'Too many authentication failures' /var/log/auth.log /var/log/secure 2>/dev/null | tail -20ssh-add -lssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 user@example.comssh -vvv -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 user@example.com
Bad fixes to avoid
Do not delete known_hosts, lower server security, or overwrite authorized_keys until you prove which identity was offered and which account is targeted.
Common causes
- SSH agent offers many keys.
- Wrong IdentityFile selected.
- Server MaxAuthTries reached before correct key.
- The intended public key is absent or permissions block it.
What not to change yet
- Do not disable public-key auth.
- Do not delete known_hosts for this error.
- Do not paste verbose SSH output without redaction.
Stop and escalate if
- The next step could interrupt users, remove data, or lock out access.
- The output includes secrets, customer data, or private infrastructure details.
- You cannot explain the blast radius of the repair command.
supporting commands
Command path
Guides and drills
- SSH publickey denied hub Use when the explicit key is rejected.
- SSH known_hosts changed hub Use for host-key warnings, not auth attempt limits.