Received disconnect from 192.168.0.123: 2: Too many authentication failures
I am running CentOS 7.3 + X Windows system + Mate-desktop on all of my systems except for a couple of old 32-bit boxes which have Ubuntu 16.04 Mate. On my main workstation I created ssh keys to various other machines using Seahorse. The first 5 were created with no problem. On the 6th attempt I received an error such as the example in the subject when I attempted to set up the key on the remote machine.
I determined that if I uncommented the #MaxAuthTries line in the /etc/ssh/sshd_conf file on the remote machine, bumped up the number to 6 and restarted sshd, I could create the key. On the next machine I had to bump it to 7 etc. I reported this as a bug in Seahorse - still waiting for a response from the project.
I also noticed that if I attempt to connect with ssh to the 6th machine - the one with "MaxAuthTries 6" - after creating the 7th key I again get the "too many" error. It seems that the ssh command in a terminal is trying all of the available keys to access the remote computer instead of the correct key for that server.
I have set MaxAuthTries to 10 on all of my machines which eliminates the symptom. However, I do not think it resolves the underlying issue.
Is there something I need to configure on the workstation which is initiating the connections?
It's a problem with how the agents work currently. There is no way they have to work out which key should be offered to which server, so they just start trying keys. What might work is to add entries in ~/.ssh/config for each remote host and set IdentitiesOnly to "yes" and point IdentityFile to the right private key.
Turbocapitalist, I just posted a moderator-note ... praising this reply ... to the effect that "bits of wisdom like the foregoing ought to be put into a sticky topic at the top of this forum."
I suggested a thread title: "Security Tips, Tricks, and Folk Wisdom."
Everyone who has "more than so-many SSH servers and therefore keys to deal with" has bumped into this issue. But, I find very little discussion of it.
LQ needs a sticky thread ... "If you want to minimize security-related ... and of course you do ... read this thread!"
Last edited by sundialsvcs; 03-15-2017 at 11:46 AM.
It's useful but far from perfect because as far as I know you have to keep entering the key information.
Currently to still keep the key in the agent, you have to fiddle the MaxAuthTries on the SSH server similar to how taylorkh has started. However, the increased MaxAuthTries can be restricted using a Match block to a single group of users, an individual user, a network,
Code:
Match Group fungames
MaxAuthTries 20
or some of each.
Code:
Match Group fungames Address 192.168.1.0/24
MaxAuthTries 20
It will still clutter the authentication logs with all the failures though.
I just had a chance to check with older (6.6p) and newer (7.4) OpenSSH clients. With the latter, it seems enough to specify IdentityFile only. Sometime between the two, the client got a lot more adaptable.
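An added example, not part of the original thread: a shell check for the client-side fix suggested above. It scans an ssh client config and lists the Host blocks that set IdentityFile without IdentitiesOnly yes; the host names, key paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Host names and key paths are constructed.

# Constructed sample client config: server6 pins its key, server7 does not.
sample_config() {
cat <<'EOF'
Host server6
    IdentityFile ~/.ssh/id_server6
    IdentitiesOnly yes

Host server7
    IdentityFile=~/.ssh/id_server7

Host backup
    User admin
EOF
}

# List Host/Match blocks that set IdentityFile without IdentitiesOnly yes,
# i.e. blocks where the client may still offer the keys held by the agent
# and run into the server's MaxAuthTries limit.
# Simplification (assumption): an IdentitiesOnly yes set globally or under
# "Host *" is treated as covering every block.
audit_ssh_config() {
    awk '
    function endblk() { if (blk != "" && idfile && !only) flagged[++n] = blk }
    { sub(/^[ \t]+/, "") }
    /^#/ || /^$/ { next }
    # ssh_config also accepts "Keyword=value"; normalise to "Keyword value".
    { if ($1 ~ /=/ || $2 ~ /^=/) sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }
    key == "host" || key == "match" {
        endblk(); blk = $0; sub(/^[^ \t]+[ \t]+/, "", blk)
        idfile = 0; only = 0; next
    }
    key == "identityfile" { idfile = 1 }
    key == "identitiesonly" && tolower($2) == "yes" {
        if (blk == "" || blk == "*") covered = 1; else only = 1
    }
    END { endblk(); if (!covered) for (i = 1; i <= n; i++) print flagged[i] }
    ' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_config > "$tmp"
audit_ssh_config "$tmp"    # prints: server7
rm -f "$tmp"
```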