How to deal with too many authentication failures

Deal with the too many authentication failures error when initiating SSH connection.

This is related to the MaxAuthTries OpenSSH server option which defines the maximum number of authentication attempts permitted per connection.

By default there are 6 authentication attempts permitted. This is a sane value, so I would vote against increasing or decreasing it, and focus solely on the client configuration.

Too many authentication failures error from the client side.

$ ssh 10.10.1.14

Received disconnect from 10.10.1.14 port 22:2: Too many authentication failures
Disconnected from 10.10.1.14 port 22

Too many authentication failures error from the server side.

$ sudo tail -f /var/log/auth.log 

[...]
Sep 29 22:40:44 debian sshd[727]: error: maximum authentication attempts exceeded for milosz from 10.10.10.254 port 37552 ssh2 [preauth]
Sep 29 22:40:44 debian sshd[727]: Disconnecting authenticating user milosz 10.10.10.254 port 37552: Too many authentication failures [preauth]
[...]

Sample debug output that clearly indicates that the client tries too many keys.

$ ssh -v 10.10.1.14                                                                

OpenSSH_8.4p1 Ubuntu-5ubuntu1.1, OpenSSL 1.1.1j  16 Feb 2021
debug1: Reading configuration data /home/milosz/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 10.10.1.14 [10.10.1.14] port 22.
debug1: Connection established.
debug1: identity file /home/milosz/.ssh/milosz type 0
debug1: identity file /home/milosz/.ssh/milosz-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Ubuntu-5ubuntu1.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5 
debug1: match: OpenSSH_8.4p1 Debian-5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.10.1.14:22 as 'milosz'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256 
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY 
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:FGh6ztmZt2EDte4gOCs7gmso2wSd/wcgOmXpTCtPDlA
debug1: Host '10.10.1.14' is known and matches the ECDSA host key.
debug1: Found key in /home/milosz/.ssh/known_hosts:185
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/milosz/.ssh/milosz RSA SHA256:CaC957nx9z3P1vjOuRf8KaVV9enB/aypMYaaCyS5OZE explicit agent
debug1: Will attempt key: milosz@milosz-XPS-13-9343 RSA SHA256:W4DzgWYdMqTCKDBG89iNeeyEoqKlexEO3c/TMnWQDLU agent
debug1: Will attempt key: milosz@milosz-XPS-13-9343 RSA SHA256:pDpy9cQVs2rY3l2TmQyG+xXjqKWUhYUUhdvNLyu5rWo agent
debug1: Will attempt key: milosz@milosz-XPS-13-9343 RSA SHA256:MqT9esnWPypAIAvl/A6AQG7oTx+xbeROJt70vixP+oc agent
debug1: Will attempt key: milosz@milosz-XPS-13-9343 RSA SHA256:dEmW5AUt7AEHPLwwsjW+iogUDAF7p0/5tBXILQfqd98 agent
debug1: Will attempt key: milosz@desktop RSA SHA256:b4vN4p13EvBznlWSduSMS8iJAZqycrYKkGKvXDDCVdY agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/milosz/.ssh/milosz RSA SHA256:CaC957nx9z3P1vjOuRf8KaVV9enB/aypMYaaCyS5OZE explicit agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: milosz@milosz-XPS-13-9343 RSA SHA256:W4DzgWYdMqTCKDBG89iNeeyEoqKlexEO3c/TMnWQDLU agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: milosz@milosz-XPS-13-9343 RSA SHA256:pDpy9cQVs2rY3l2TmQyG+xXjqKWUhYUUhdvNLyu5rWo agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: milosz@milosz-XPS-13-9343 RSA SHA256:MqT9esnWPypAIAvl/A6AQG7oTx+xbeROJt70vixP+oc agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: milosz@milosz-XPS-13-9343 RSA SHA256:dEmW5AUt7AEHPLwwsjW+iogUDAF7p0/5tBXILQfqd98 agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: milosz@desktop RSA SHA256:b4vN4p13EvBznlWSduSMS8iJAZqycrYKkGKvXDDCVdY agent
Received disconnect from 10.10.1.14 port 22:2: Too many authentication failures
Disconnected from 10.10.1.14 port 22

The issue is on the client side, so create a ~/.ssh/config SSH configuration to use specific key.

$ cat ~/.ssh/config

Host 10.10.1.14                                                   
  PreferredAuthentications publickey                                       
  PubkeyAuthentication yes                                           
  IdentitiesOnly yes
  IdentityFile ~/.ssh/devel

$ ssh -v 10.10.1.14      

OpenSSH_8.4p1 Ubuntu-5ubuntu1.1, OpenSSL 1.1.1j  16 Feb 2021        
debug1: Reading configuration data /home/milosz/.ssh/config
debug1: /home/milosz/.ssh/config line 119: Applying options for 10.10.1.14
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 10.10.1.14 [10.10.1.14] port 22.
debug1: Connection established.                                                    
debug1: identity file /home/milosz/.ssh/devel type 0
debug1: identity file /home/milosz/.ssh/devel-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Ubuntu-5ubuntu1.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5 
debug1: match: OpenSSH_8.4p1 Debian-5 pat OpenSSH* compat 0x04000000   
debug1: Authenticating to 10.10.1.14:22 as 'milosz'
debug1: SSH2_MSG_KEXINIT sent                                                      
debug1: SSH2_MSG_KEXINIT received                                                  
debug1: kex: algorithm: curve25519-sha256      
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY             
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:FGh6ztmZt2EDte4gOCs7gmso2wSd/wcgOmXpTCtPDlA
debug1: Host '10.10.1.14' is known and matches the ECDSA host key.
debug1: Found key in /home/milosz/.ssh/known_hosts:185
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/milosz/.ssh/devel RSA SHA256:dAacBlWywkT34TufNIT3stEXSN6GGQL/MieneG2buG8 explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/milosz/.ssh/devel RSA SHA256:dAacBlWywkT34TufNIT3stEXSN6GGQL/MieneG2buG8 explicit agent
debug1: Server accepts key: /home/milosz/.ssh/devel RSA SHA256:dAacBlWywkT34TufNIT3stEXSN6GGQL/MieneG2buG8 explicit agent
debug1: Authentication succeeded (publickey).
Authenticated to 10.10.1.14 ([10.10.1.14]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/milosz/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/milosz/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_ADDRESS = pl_PL.UTF-8
debug1: Sending env LC_IDENTIFICATION = pl_PL.UTF-8
debug1: Sending env LC_MEASUREMENT = pl_PL.UTF-8
debug1: Sending env LC_MONETARY = pl_PL.UTF-8
debug1: Sending env LC_NAME = pl_PL.UTF-8 
debug1: Sending env LC_NUMERIC = pl_PL.UTF-8
debug1: Sending env LC_PAPER = pl_PL.UTF-8
debug1: Sending env LC_TELEPHONE = pl_PL.UTF-8
debug1: Sending env LC_TIME = pl_PL.UTF-8 
Linux debian 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep 29 23:10:13 2021 from 10.10.10.254
milosz@debian:~$