"Received disconnect from IP_address: 2: too many failed userauth_requests"

After reducing MaxAuthRetries to 3 from the default of 6 on Solaris 9's ssh server, I received this error when trying to connect with an OpenSSH client.

Client:
ssh -V
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

Server:
Sun_SSH_1.0.1

By default, the OpenSSH client attempts authentication in the following order:
"hostbased,publickey,keyboard-interactive,password''

By running the ssh server in debug mode (/usr/lib/ssh/sshd -d), I was able to see the problem. In my case, "hostbased" authentication failed, as did "publickey" authentication. OpenSSH presented both my ssh protocol 2 RSA and DSA identities to the ssh server, resulting in two "publickey" authentication failures. I already had 3 failures by the time I was presented with the password prompt, so entering the correct password resulted in an error.

ssh hutch@server
Authorized uses only. All activity may be monitored and reported.
hutch@server's password:
Received disconnect from 192.168.1.1: 2: too many failed userauth_requests

There are several workarounds:

1. Use public-key authentication by adding the appropriate public key to the authorized_keys file on the remote host. If you have more than one identity (e.g. ssh protocol 2 DSA and RSA keys), you may want to specify the appropriate identity with ssh -i identity_file. Recommended.

2. If you have to use password authentication, run the ssh client with ssh -o PreferredAuthentications=password to prevent hostbased, publickey, and keyboard-interactive authentication attempts.

3. Change MaxAuthRetries on the ssh server to a larger value.

Back to brandonhutchinson.com.
Last modified: 09/16/2004