This error occurs when SSH clients exceed the server's maximum authentication attempts limit (default: 6). It's a security mechanism to prevent brute-force attacks. Resolve it by specifying the correct key, reducing failed attempts, or increasing MaxAuthTries on the server.
The SSH daemon (sshd) enforces a limit on how many authentication attempts a single connection can make. When a client tries multiple authentication methods or keys and all fail, the server disconnects after reaching the configured limit (MaxAuthTries). Each failed login attempt increments the counter—whether using wrong passwords, incorrect SSH keys, or unsupported authentication methods. Once the limit is reached, the server immediately closes the connection to protect against brute-force attacks. This is a server-side rejection that prevents further attempts from that connection. The client must reconnect to try again.
First, verify you're using the right SSH key. List all keys in your ssh-agent:
ssh-add -lIf you have many keys, identify which one is authorized on the target server. You may need to check the server's ~/.ssh/authorized_keys file or contact your administrator.
Instead of letting ssh-agent try all keys, specify the exact key to use:
ssh -i /path/to/correct/private/key username@hostnameThis bypasses ssh-agent and avoids wasting authentication attempts on wrong keys.
Edit or create ~/.ssh/config and add:
Host *
IdentitiesOnly yes
IdentityFile ~/.ssh/id_ed25519
IdentityFile ~/.ssh/id_rsaThis tells SSH to only try the listed keys instead of offering every key in ssh-agent. Order them so the correct key is attempted first.
For a specific host:
Host example.com
IdentitiesOnly yes
IdentityFile ~/.ssh/server_specific_keyIf you have many keys, remove the ones you don't need:
# Remove a specific key
ssh-add -d /path/to/key
# Remove all keys
ssh-add -DThen add back only the keys you actively use:
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_ed25519Run SSH with verbose output to see which keys are attempted and in what order:
ssh -vvv username@hostnameLook for lines like:
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Trying private key: /home/user/.ssh/id_ed25519This shows you the order keys are tried and which ones are rejected.
If you administer the SSH server and legitimate users have multiple keys, you can increase the limit. Edit /etc/ssh/sshd_config:
# Change from default (usually 6) to a higher value
MaxAuthTries 10Then restart SSH:
sudo systemctl restart sshd
# or
sudo service sshd restartWarning: Keep this reasonable (4-6 recommended by security standards). Setting it too high increases brute-force attack risk.
SSH Key Negotiation Ordering: SSH clients typically try keys in this order: keys explicitly specified with -i, keys from ssh_config IdentityFile directives, then keys from ssh-agent. Each attempt counts toward MaxAuthTries, even if a key doesn't exist on the server.
MaxAuthTries vs Fail2Ban: While MaxAuthTries protects a single connection, Fail2Ban (a common intrusion prevention system) blocks IPs making repeated failed login attempts across multiple connections. Both work together: MaxAuthTries stops brute-force attempts on one connection, while Fail2Ban stops repeated attacks from the same IP.
PAM Delay on Linux: On Linux systems with PAM (Pluggable Authentication Modules), failed authentication attempts are intentionally delayed. This makes brute-force attacks ineffective even if MaxAuthTries is bypassed—each attempt takes seconds instead of being instantaneous.
Security Recommendations: CIS Benchmarks recommend setting MaxAuthTries to 4 or less. However, if users have legitimate multiple keys (e.g., different keys for different servers), reducing it too low will cause problems. Balance security with usability.
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH