Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-7070: ssh to server failed with 'Too many authentication failures for <user>'

28 June,16 at 12:17 AM

Applies to: 

All versions of Centrify DirectControl on all platforms


Problem:

When attempting to ssh to a server running DirectControl the attempt fails with the following error:

Received disconnect from <IPAddressOfTargetMachine>: 2: Too many authentication failures for <user>
 
If the directory ~<user>/.ssh is removed then ssh is successful, but it fails again once ~<user>/.ssh is recreated after each successful ssh session.
 
Login as the <user> via the 'su' command works successfully on the server.


Cause:
 
The maximum auth tries was set too low in sshd_config file.  Note the example below:
 
MaxAuthTries 4
 
Here’s the sshd DEBUG3 level logs which indicating that when ~<user>/.ssh directory exists, putblickey would be attempted.  If that failed, it exceeded the maximum allowed auth tries
 
$ grep -i -E "userauth_finish|userauth-request|attempt |Failed | Too many auth" sshd_fails.log
debug1: userauth-request for user oracle service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
debug1: userauth-request for user oracle service ssh-connection method gssapi-keyex [preauth]
debug1: attempt 1 failures 0 [preauth]
Failed gssapi-with-mic for oracle from 10.5.40.234 port 43581 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
debug1: userauth-request for user oracle service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 1 [preauth]
Failed gssapi-with-mic for oracle from 10.5.40.234 port 43581 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
debug1: userauth-request for user oracle service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 3 failures 2 [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
debug1: userauth-request for user oracle service ssh-connection method publickey [preauth]
debug1: attempt 4 failures 2 [preauth]
Failed publickey for oracle from 10.5.40.234 port 43581 ssh2: RSA b2:2d:71:4f:14:42:ba:cb:b1:12:2f:28:fe:9f:76:08
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
debug1: userauth-request for user oracle service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 5 failures 3 [preauth]
Disconnecting: Too many authentication failures for oracle [preauth]

Resolution:

Update sshd_config to increase the maximum auth tries to something higher such as the example below:

MaxAuthTries 8

This allows 8 auth tries.  The sshd daemon needs to be restarted for this change to take effect. 

Related Articles

 article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin?