ssh to server failed with 'Too many authentication failures for <user>'
Applies to:
All versions of Centrify DirectControl on all platforms
Problem:
When attempting to ssh to a server running DirectControl, the attempt fails with the following error:
Received disconnect from <IPAddressOfTargetMachine>: 2: Too many authentication failures for <user>
If the directory ~<user>/.ssh is removed, ssh succeeds, but it fails again once ~<user>/.ssh is recreated after each successful ssh session.
Login as the <user> via the 'su' command works successfully on the server.
Cause:
The maximum auth tries value was set too low in the sshd_config file. Note the example below:
MaxAuthTries 4
Here are the sshd DEBUG3-level logs, which indicate that when the ~<user>/.ssh directory exists, publickey authentication is also attempted. When that attempt failed, the maximum allowed auth tries was exceeded.
$ grep -i -E "userauth_finish|userauth-request|attempt |Failed | Too many auth" sshd_fails.log
debug1: userauth-request for user oracle service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
debug1: userauth-request for user oracle service ssh-connection method gssapi-keyex [preauth]
debug1: attempt 1 failures 0 [preauth]
Failed gssapi-with-mic for oracle from 10.5.40.234 port 43581 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
debug1: userauth-request for user oracle service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 2 failures 1 [preauth]
Failed gssapi-with-mic for oracle from 10.5.40.234 port 43581 ssh2
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
debug1: userauth-request for user oracle service ssh-connection method gssapi-with-mic [preauth]
debug1: attempt 3 failures 2 [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
debug1: userauth-request for user oracle service ssh-connection method publickey [preauth]
debug1: attempt 4 failures 2 [preauth]
Failed publickey for oracle from 10.5.40.234 port 43581 ssh2: RSA b2:2d:71:4f:14:42:ba:cb:b1:12:2f:28:fe:9f:76:08
debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
debug1: userauth-request for user oracle service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 5 failures 3 [preauth]
Disconnecting: Too many authentication failures for oracle [preauth]
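The following parser for this debug output is an added example, not code from Centrify or OpenSSH. It lists each attempt with the server's failure counter, the methods after which the counter rose, and the offered methods that were never reached before the disconnect. The sample log is constructed from the attempt and failure values shown above, and the function names are hypothetical.

```python
import re

METHODS = "publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive"
# (method, attempt, failures) values copied from the debug lines on this page.
STEPS = [("none", 0, 0), ("gssapi-keyex", 1, 0), ("gssapi-with-mic", 2, 1),
         ("gssapi-with-mic", 3, 2), ("publickey", 4, 2),
         ("keyboard-interactive", 5, 3)]
# Constructed sample log, rebuilt in the format of the grep output above.
FINISH = f'debug3: userauth_finish: failure partial=0 next methods="{METHODS}" [preauth]\n'
SAMPLE_LOG = FINISH.join(
    f"debug1: userauth-request for user oracle service ssh-connection method {m} [preauth]\n"
    f"debug1: attempt {a} failures {f} [preauth]\n"
    for m, a, f in STEPS
) + "Disconnecting: Too many authentication failures for oracle [preauth]\n"

REQ = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
ATT = re.compile(r"attempt (\d+) failures (\d+)")
OFFERED = re.compile(r'next methods="([^"]*)"')

def summarize(log):
    """Return (rows, offered-but-never-tried methods, disconnected flag)."""
    rows, offered, pending, cut_off = [], set(), None, False
    for line in log.splitlines():
        if m := REQ.search(line):
            pending = m.group(2)          # method named in the request
        elif (m := ATT.search(line)) and pending is not None:
            # Pair the counter line with the request that preceded it.
            rows.append((int(m.group(1)), int(m.group(2)), pending))
            pending = None
        elif m := OFFERED.search(line):
            offered.update(m.group(1).split(","))
        elif "Too many authentication failures" in line:
            cut_off = True
    tried = {method for _, _, method in rows}
    return rows, sorted(offered - tried), cut_off

def charged_methods(rows):
    """Methods after which the logged failure counter went up."""
    return [rows[i][2] for i in range(len(rows) - 1)
            if rows[i + 1][1] > rows[i][1]]

if __name__ == "__main__":
    rows, never_tried, cut_off = summarize(SAMPLE_LOG)
    for attempt, failures, method in rows:
        print(f"attempt {attempt}: failures so far {failures}, method {method}")
    print("counted as failures:", charged_methods(rows))
    print("offered but never tried:", never_tried, "| disconnected:", cut_off)
```

On the sample, the GSSAPI and publickey attempts use up the failure budget, and password is never attempted before the disconnect.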
Resolution:
Update sshd_config to increase the maximum auth tries to something higher such as the example below:
MaxAuthTries 8
This allows 8 auth tries. The sshd daemon needs to be restarted for this change to take effect.