I’ve been using a “config” file located at ~/.ssh/config to list out the identities of the various SSH hosts that I connect to on a regular basis. It was successfully preventing me from having to keep track of the usernames for the various accounts I was connecting to on the servers, but when I got to a certain number of entries in the file, I started getting this error:
Received disconnect from *HOST*: 2: Too many authentication failures for *USERNAME*
I Googled around and tried various solutions, including using ssh-add, and had limited success, but running an ssh -v hostentry command for a given connection (the -v puts the command in verbose mode) allowed me to see that my machine was still offering up multiple keys.
This seems counter-intuitive to me. The whole point of using the config file is to tell it which key to use, right? Why should I even need to add the identity to the SSH agent? And I wasn’t about to increase the number of retries on the servers. That seems like a recipe for disaster. I should only need one try because I have the right key sitting here!
I finally ran the right Google search and discovered this SuperUser (StackOverflow) question, which had the missing component I needed in one of its answers.
The critical element in the config file that forces the SSH client to use only the key specified is this line:
IdentitiesOnly yes
Adding that to each of the entries in the config file (immediately below the “IdentityFile” declaration) did the trick.
So now a typical entry in my config file looks something like this:
Host myshortcut
 HostName somedomain.com
 user someuser
 IdentityFile ~/.ssh/somekey_rsa
 IdentitiesOnly yes
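
To find the entries that still need the line, here is a small audit script, added as an example and not part of the original post. It lists Host entries that set IdentityFile but do not end up with IdentitiesOnly yes, using ssh's first-value-wins rule. The function name and sample config are constructed for illustration, and it assumes a simple file: Match and Include are not evaluated, and only a bare "Host *" is treated as a wildcard.

```python
import re

# "Keyword value" or "Keyword=value"; comment and blank lines do not match.
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def audit_ssh_config(text):
    """Return Host aliases that set IdentityFile but do not end up with IdentitiesOnly yes."""
    blocks = [{"patterns": ["*"], "opts": {}}]   # options before the first Host apply to all hosts
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            blocks.append({"patterns": value.split(), "opts": {}})
        elif key == "match":
            blocks.append({"patterns": [], "opts": {}})   # Match blocks are not evaluated
        else:
            blocks[-1]["opts"].setdefault(key, value)     # ssh keeps the first value it obtains
    findings = []
    for i, block in enumerate(blocks):
        if "identityfile" not in block["opts"] or block["patterns"] in ([], ["*"]):
            continue
        # First IdentitiesOnly seen in this block or any "Host *" block, in file order.
        effective = next((b["opts"]["identitiesonly"] for j, b in enumerate(blocks)
                          if (j == i or "*" in b["patterns"]) and "identitiesonly" in b["opts"]), "no")
        if effective.lower() != "yes":   # the client default is "no"
            findings.extend(block["patterns"])
    return findings

# Constructed sample config, not taken from the post.
SAMPLE = """\
Host good
  HostName a.example.com
  User alice
  IdentityFile ~/.ssh/a_rsa
  IdentitiesOnly yes

Host bad
  HostName b.example.com
  IdentityFile ~/.ssh/b_rsa

Host explicit-no
  IdentityFile=~/.ssh/c_rsa
  IdentitiesOnly no
"""

if __name__ == "__main__":
    for alias in audit_ssh_config(SAMPLE):
        print(f"{alias}: IdentityFile set without IdentitiesOnly yes")
```

To check a real file, pass the contents of ~/.ssh/config to audit_ssh_config instead of SAMPLE.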
I hope this helps someone!