This error occurs when the SSH client tries too many authentication methods before the server's maximum attempt limit is reached. The server disconnects to prevent brute force attacks. Usually caused by offering too many SSH keys or having multiple identity files configured.
SSH servers have a security limit (MaxAuthTries) that restricts how many authentication attempts are allowed per connection before disconnecting. The default is typically 6 attempts. When you have many SSH keys loaded in your SSH agent or multiple IdentityFile entries configured, the SSH client tries each one sequentially. If it exhausts all keys before reaching the correct one, or if there are too many incorrect attempts, the server forcefully disconnects with this error to prevent brute force attacks.
Use the -i flag to tell SSH exactly which key to use, bypassing the agent:
ssh -i ~/.ssh/your_specific_key user@hostnameThis prevents SSH from trying multiple keys and exhausting the authentication limit. If this works, the issue is key selection, not the connection itself.
Configure SSH to use only the explicitly specified identity files, not all keys in the agent:
Host your-server.com
HostName your-server.com
User username
IdentityFile ~/.ssh/specific_key
IdentitiesOnly yesThe IdentitiesOnly yes directive tells SSH to ignore other keys in ssh-agent and use only the configured IdentityFile. This is the cleanest long-term solution.
Remove all loaded keys from your SSH agent and add back only the one you need:
# Clear all keys from agent
ssh-add -D
# Add only the specific key you need
ssh-add ~/.ssh/your_specific_keyThen try SSH again:
ssh user@hostnameThis temporarily solves the issue but resets when you restart your system or open a new terminal. Use the ~/.ssh/config approach (step 2) for a permanent fix.
Force SSH to bypass the agent entirely for one connection:
SSH_AUTH_SOCK= ssh -i ~/.ssh/your_key user@hostnameThis unsets the SSH_AUTH_SOCK environment variable, preventing SSH from accessing the agent. Useful for troubleshooting when you want to test without agent interference.
If you want to bypass key authentication temporarily and use password instead:
ssh -o PreferredAuthentications=password user@hostnameThis is helpful for testing whether the issue is with key authentication or something else. After confirming password auth works, you can focus on fixing the key setup.
See what's currently in your SSH agent:
ssh-add -lRemove keys you no longer use:
ssh-add -d ~/.ssh/old_keyOr delete the key files entirely if you're certain they're no longer needed:
rm ~/.ssh/old_key ~/.ssh/old_key.pubFewer loaded keys means fewer authentication attempts, reducing the chance of hitting the limit.
If you control the SSH server, you can increase the authentication attempt limit in /etc/ssh/sshd_config:
# Edit the SSH daemon config
sudo nano /etc/ssh/sshd_configFind or add the line:
MaxAuthTries 10Then restart SSH:
sudo systemctl restart ssh
# or on some systems:
sudo service sshd restartWarning: Setting MaxAuthTries too high reduces security against brute force attacks. Only increase it if you have a legitimate reason (e.g., systems with many keys in production).
Ensure your private keys have proper permissions (600). Keys with wrong permissions can cause authentication failures:
chmod 600 ~/.ssh/your_keyList and verify:
ls -l ~/.ssh/your_keyShould show: -rw------- 1 user group (permissions 600)
Incorrect permissions are a common cause of SSH auth failures.
Advanced troubleshooting:
SSH Agent Forwarding Issues: When using ssh-agent forwarding (-A flag), keys from your local agent are offered to remote hosts. If the remote host also has its own agent running, you might see cascading authentication failures. Use ssh-add -l locally to verify what's being forwarded.
Container and VM Environments: Docker containers, Kubernetes pods, and VMs often have fresh SSH agents without your keys. Use explicit key paths (-i flag) or mount SSH config directories rather than relying on agent forwarding.
Git over SSH Complications: If you're using git over SSH in CI/CD, the git client bypasses your SSH config. Use explicit key configuration in your git config or pass the key via SSH_KEY_PATH environment variables.
Security Group Timeouts: On AWS and cloud platforms, security group rules might be blocking SSH traffic or allowing it only from certain IPs. If the connection is hanging before showing the "too many auth failures" error, check security group and firewall rules.
Debugging with Verbose Logging: Use ssh -vvv user@host to see detailed authentication negotiation. Look for the exact methods being attempted and where it fails. This helps distinguish between "too many keys" vs "wrong key" problems.
ECDSA vs RSA Key Issues: If you have mixed key types (RSA, ECDSA, ED25519), the server's key algorithm preferences might skip your key. Explicitly specify key type with -o HostKeyAlgorithms=ssh-ed25519 if needed.
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH