SSH too many authentication failures

Check auth logs, loaded agent keys, explicit identity selection, and verbose client output before changing sshd or deleting keys.

Safest first command

grep -iE 'Too many authentication failures|maximum authentication attempts exceeded' /var/log/auth.log /var/log/secure 2>/dev/null | tail -20

Before you run this

Expected output: Recent SSH auth log lines showing the user, source, and too-many-authentication-failures message.

When not to use it: Do not share auth logs, key fingerprints, usernames, IPs, or hostnames without redaction.

Expected output example

Jul 04 12:15:20 host sshd[1944]: error: maximum authentication attempts exceeded for deploy from 203.0.113.8 port 51222 ssh2 [preauth]

How to read the result

The server may close the connection because the client offered too many wrong keys before the right one. The next steps are to list the keys loaded in the agent and to test with one explicit identity.

What to check next

Auth log says maximum attempts exceeded

Means: Client likely offered too many keys.

Next step: List agent keys on the client.

List SSH Agent Keys

Agent has many keys

Means: The agent may be offering unrelated keys ahead of the intended one. Force the intended identity for a narrow test.

Next step: Use IdentitiesOnly with one key.

Test SSH with One Identity File

Explicit key still fails

Means: The key, user, or server authorized_keys path may be wrong.

Next step: Run verbose auth test and then inspect authorized_keys permissions.

Run SSH Verbose Auth Test

SSH identity decision tree

Separate server policy from client identity selection. Many failures come from the client offering too many unrelated keys.

  1. grep -iE 'Too many authentication failures|maximum authentication attempts exceeded' /var/log/auth.log /var/log/secure 2>/dev/null | tail -20
  2. ssh-add -l
  3. ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 user@example.com
  4. ssh -vvv -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 user@example.com
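
An added example, not part of the original page: a shell helper that reads saved verbose client output from step 4 and reports which keys the client actually offered and where the intended key fell relative to the attempt limit. The log is constructed (made-up key names and fingerprints, documentation address 192.0.2.10), the function names are hypothetical, and the limit of 6 assumes OpenSSH's default MaxAuthTries.

```shell
#!/bin/sh
# Added example, not from the original page. Reads saved `ssh -v` client output
# and reports which keys were actually offered, and in what order.

# Constructed sample: key names and fingerprints are made up; 192.0.2.10 is a
# documentation address. Six agent keys are offered before the intended one.
sample_log() {
cat <<'EOF'
debug1: Will attempt key: /home/alice/.ssh/id_ed25519_deploy ED25519 SHA256:GGGGconstructed7 explicit
debug1: Offering public key: /home/alice/.ssh/id_rsa RSA SHA256:AAAAconstructed1 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: alice@old-laptop RSA SHA256:BBBBconstructed2 agent
debug1: Offering public key: git-signing ED25519 SHA256:CCCCconstructed3 agent
debug1: Offering public key: backup-host ED25519 SHA256:DDDDconstructed4 agent
debug1: Offering public key: ci-runner ECDSA SHA256:EEEEconstructed5 agent
debug1: Offering public key: lab-vm ED25519 SHA256:FFFFconstructed6 agent
Received disconnect from 192.0.2.10 port 22:2: Too many authentication failures
EOF
}

# Print each offered key, numbered in the order the client sent it.
# Matches both "Offering public key:" and the older "Offering RSA public key:".
# A "Will attempt key" line is only a queued candidate and is not counted.
offered_keys() {
  awk '/^debug1: Offering .*public key: / {
         sub(/^debug1: Offering [^:]*: /, ""); print (++n) ": " $0 }'
}

# offer_position <path-or-fingerprint> [max_tries] < log
# Succeeds only if the wanted key was offered within max_tries offers.
# max_tries defaults to 6, the OpenSSH default for MaxAuthTries (an assumption
# here; the server's effective value may differ).
offer_position() {
  awk -v want="$1" -v max="${2:-6}" '
    /^debug1: Offering .*public key: / { n++; if (!pos && index($0, want)) pos = n }
    END {
      if (!pos)      { print "not offered (" (n+0) " keys offered)"; exit 1 }
      if (pos > max) { print "offered as key " pos ", past limit " max; exit 1 }
      print "offered as key " pos " of " n
    }'
}

sample_log | offered_keys
sample_log | offer_position id_ed25519_deploy || true
```

To use it on a real capture, save the client's stderr to a file and pipe that file into `offer_position` with the key path or fingerprint you expect.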

Bad fixes to avoid

Do not delete known_hosts, lower server security, or overwrite authorized_keys until you prove which identity was offered and which account is targeted.

Common causes

  • SSH agent offers many keys.
  • Wrong IdentityFile selected.
  • Server MaxAuthTries reached before the correct key is offered.
  • The intended public key is absent from authorized_keys or permissions block it.

What not to change yet

  • Do not disable public-key auth.
  • Do not delete known_hosts for this error.
  • Do not paste verbose SSH output without redaction.

Stop and escalate if

  • The next step could interrupt users, remove data, or lock out access.
  • The output includes secrets, customer data, or private infrastructure details.
  • You cannot explain the blast radius of the repair command.
