I’ve been using a “config” file located at ~/.ssh/config to list out the identities of the various SSH hosts that I connect to on a regular basis. It was successfully preventing me from having to keep track of the usernames for the various accounts I was connecting to on the servers, but when I got to a certain number of entries in the file, I started getting this error:
Received disconnect from *HOST*: 2: Too many authentication failures for *USERNAME*
I Googled around and tried various solutions, including using ssh-add, and had limited success, but running an ssh -v hostentry command for a given connection (the -v puts the command in verbose mode) allowed me to see that my machine was still offering up multiple keys.
This seems counter-intuitive to me. The whole point of using the config file is to tell it which key to use, right? Why should I even need to add the identity to the SSH agent? And I wasn’t about to increase the number of retries on the servers. That seems like a recipe for disaster. I should only need one try because I have the right key sitting here!
I finally ran the right Google search and discovered this SuperUser (StackOverflow) question, which had the missing component I needed in one of its answers.
The critical element in the config file that forces the SSH client to use only the key specified is this line:
  IdentitiesOnly yes
Adding that to each of the entries in the config file (immediately below the “IdentityFile” declaration) did the trick.
So now a typical entry in my config file looks something like this:
Host hostentry
  HostName somedomain.com
  User someuser
  IdentityFile ~/.ssh/somekey_rsa
  IdentitiesOnly yes
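To find which entries in a longer config still lack the setting, here is an added example (not part of the original post) that lists host aliases which set IdentityFile but do not end up with IdentitiesOnly yes, following ssh_config's first-value-wins and wildcard matching rules. The sample config and function names are constructed for illustration, and Include and Match directives are assumed not to be in use.

```python
import fnmatch
import re

SAMPLE_CONFIG = """\
# Constructed sample: host aliases and key paths are made up.
Host web
    IdentityFile ~/.ssh/somekey_rsa
    IdentitiesOnly yes
Host db
    IdentityFile=~/.ssh/dbkey_rsa
Host build.internal
    User ci
Host *.internal
    IdentityFile ~/.ssh/internal_rsa
    IdentitiesOnly yes
"""

def parse_blocks(text):
    """Return [(host_patterns, {keyword: first value})] in file order."""
    blocks = [(["*"], {})]  # options before the first Host apply to all hosts
    for raw in text.splitlines():
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", raw.strip())
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            blocks.append((value.split() if key == "host" else [], {}))  # Match: skipped
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def matches(alias, patterns):
    """ssh_config Host rule: a negated (!) hit excludes the whole block."""
    hits = [p for p in patterns if fnmatch.fnmatchcase(alias, p.lstrip("!"))]
    return bool(hits) and not any(p.startswith("!") for p in hits)

def hosts_offering_extra_keys(text):
    """Aliases with an IdentityFile but without an effective IdentitiesOnly yes."""
    blocks = parse_blocks(text)
    aliases = [p for pats, _ in blocks for p in pats if not re.search(r"[*?!]", p)]
    flagged = []
    for alias in aliases:
        opts = {}
        for pats, kv in blocks:
            if matches(alias, pats):
                opts = {**kv, **opts}  # first value obtained wins
        if "identityfile" in opts and opts.get("identitiesonly", "no").lower() != "yes":
            flagged.append(alias)
    return flagged
```

For a single host, ssh -G hostentry prints the options the client actually resolves, including identitiesonly.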
I hope this helps someone!