How to fix "Too many authentication failures" with SSH and/or Capistrano

Henning Koch
August 25, 2010
Software engineer at makandra GmbH

You are getting this error when connecting via SSH or deploying with Capistrano (which uses SSH):

Too many authentication failures for username

This is caused by having too many SSH keys added to your keyring or ssh-agent. Your ssh-agent will throw all keys against a server until one matches. Most servers will deny access after 5 attempts.

This issue might come and go as the order of the active SSH keys in your ssh-agent changes.

Quick fix

Have fewer keys. Up to 5 keys are fine when the SSHD you're connecting to is using the default config.

Every fix that involves you keeping many keys will cause you pain.

Painful fix for SSH and Capistrano: Add keys manually

  • You will need to disable your gnome keyring daemon to regain control over your added keys.
  • Disable the gnome keyring daemon in your Settings -> Startup programs. You might need to uncheck the box and reopen the dialog twice for the change to stick.
  • Restart X.
  • Clear your list of active keys with "ssh-add -D". "ssh-add -l" should now be empty.
  • Now every morning you selectively add the keys you're going to use with ssh-add ~/.ssh/keyname.key.

Painful fix for SSH only: Have a very strict SSH config

You can tell your SSH client which keys to use for which host. Change your ~/.ssh/config file like this:

Host *
    IdentitiesOnly yes

Host github.com github 
    User your-user
    Hostname github.com
    RSAAuthentication yes
    Compression yes
    IdentityFile ~/.ssh/your-user.key

You will now be able to connect to github.com and any other host you list in the file, but you can now no longer connect to an unlisted host.

Also you will still be out of luck with Capistrano.
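
To see how many keys your client may offer to a host with and without IdentitiesOnly, here is an added example (not part of the original card) that reads saved output of "ssh-add -l" and "ssh -G <host>". The function names and the sample data in demo() are constructed, and the default limit of 5 is the figure given above.

```shell
#!/bin/sh
# Added example, not from the original page; names and sample data are constructed.

# Number of keys in the agent, read from `ssh-add -l` output on stdin.
count_agent_keys() {
    # One line per key, starting with its bit length; other messages do not match.
    grep -c '^[0-9][0-9]* ' || true
}

# "yes" or "no", read from `ssh -G <host>` output (keywords are lowercase).
identities_only() {
    awk '$1 == "identitiesonly" { v = $2 }
         END { print ((v == "yes") ? "yes" : "no") }'
}

# Number of identityfile entries in `ssh -G <host>` output that exist on disk.
count_identity_files() {
    n=0
    while read -r key value; do
        [ "$key" = "identityfile" ] || continue
        case "$value" in "~/"*) value="$HOME/${value#??}" ;; esac
        if [ -f "$value" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Prints "ok N" or "risk N"; N is an upper bound on the keys offered.
# $1: saved `ssh-add -l` output, $2: saved `ssh -G <host>` output,
# $3: attempts the server allows (default 5, the figure this page gives).
check_offers() {
    agent=$(count_agent_keys < "$1")
    files=$(count_identity_files < "$2")
    if [ "$(identities_only < "$2")" = "yes" ]; then
        total=$files              # agent keys without a configured file are skipped
    else
        total=$((agent + files))  # every agent key plus the key files
    fi
    if [ "$total" -gt "${3:-5}" ]; then echo "risk $total"; else echo "ok $total"; fi
}

# Constructed demo in a subshell: 7 agent keys, 1 configured key file.
demo() (
    d=$(mktemp -d); HOME=$d; mkdir "$d/.ssh"; : > "$d/.ssh/your-user.key"
    i=0; while [ "$i" -lt 7 ]; do echo "2048 SHA256:constructed$i key$i (RSA)"; i=$((i + 1)); done > "$d/agent.txt"
    printf 'identitiesonly no\nidentityfile ~/.ssh/your-user.key\n' > "$d/loose.txt"
    printf 'identitiesonly yes\nidentityfile ~/.ssh/your-user.key\n' > "$d/strict.txt"
    echo "$(check_offers "$d/agent.txt" "$d/loose.txt"), $(check_offers "$d/agent.txt" "$d/strict.txt")"
    rm -rf "$d"
)
demo
```

For a real host, save the output of "ssh-add -l" and "ssh -G github.com" to two files and pass them to check_offers.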

Painful fix for Capistrano only: Monkey patch your deploy.rb

Net::SSH isn't very smart about using your ssh-agent. Basically whenever it sees a running ssh-agent it tries to connect with all added keys. Also it ignores your SSH-config and any settings like ssh_settings[:keys] = ['~/.ssh/foo.key'] when an ssh-agent is running.

Here is a horrible fix: Monkey patch your deploy.rb so the agent is not used:

class Net::SSH::Authentication::KeyManager
  def use_agent?
    false
  end
end

This will probably break the deploy script for every other person working on the same project and cause you all sorts of bad karma.

Posted by Henning Koch to makandra dev (2010-08-25 13:48)