How to fix SSH too many authentication failures

The Too many authentication failures error appears when an SSH server disconnects a login before the correct key is tried. It is common on laptops, workstations, and jump hosts with several identities loaded in ssh-agent, because each rejected public key counts against the server's authentication-attempt limit.

The OpenSSH client can combine default key files, keys offered by ssh-agent, security-key providers, and any IdentityFile settings from client config. IdentitiesOnly yes narrows authentication to the configured identity files, so the intended key is tried without first exhausting the server's MaxAuthTries limit on unrelated agent keys.

A one-command retry is the fastest access check when the right key is already known, and the same identity settings can be saved in ~/.ssh/config for the affected host. Host-key warnings and private-key permission errors are separate failures; those messages need their own fix before identity selection can prove the login.

Steps to fix SSH too many authentication failures:

List the identities loaded in the reachable ssh-agent.

$ ssh-add -l
256 SHA256:CcksML5GFcu1nqoc1zveLWYJkINegNaZLw8kWiBE5U4 admin-lab-1 (ED25519)
256 SHA256:KdFUIKv42/bu77CcTvcvmlQLj2+uu0lbG3hKoXWmI+c admin-lab-2 (ED25519)
256 SHA256:uD98+V4fe6v7NLDmikPpLeFt5gn+EkUA62bse6BdIxk admin-lab-3 (ED25519)
256 SHA256:IDgZ9MLYUe7lQGbGSdVbeDcrxzoJUvLr5hyPp+CkIdA host-login (ED25519)

If the command prints The agent has no identities., check broad IdentityFile entries or default key files instead of clearing the agent.

Reproduce the failure with verbose client output.

$ ssh -v -o BatchMode=yes user@host.example.net whoami
debug1: get_agent_identities: agent returned 4 keys
debug1: Will attempt key: admin-lab-1 ED25519 SHA256:CcksML5GFcu1nqoc1zveLWYJkINegNaZLw8kWiBE5U4 agent
debug1: Will attempt key: admin-lab-2 ED25519 SHA256:KdFUIKv42/bu77CcTvcvmlQLj2+uu0lbG3hKoXWmI+c agent
debug1: Will attempt key: admin-lab-3 ED25519 SHA256:uD98+V4fe6v7NLDmikPpLeFt5gn+EkUA62bse6BdIxk agent
debug1: Will attempt key: host-login ED25519 SHA256:IDgZ9MLYUe7lQGbGSdVbeDcrxzoJUvLr5hyPp+CkIdA agent
##### snipped #####
debug1: Offering public key: admin-lab-3 ED25519 SHA256:uD98+V4fe6v7NLDmikPpLeFt5gn+EkUA62bse6BdIxk agent
Received disconnect from host.example.net port 22:2: Too many authentication failures
Disconnected from host.example.net port 22

BatchMode avoids password prompts during diagnosis. Look for unrelated agent keys being offered before the key that should authenticate.

Retry with only the intended private key.
```
$ ssh -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519_host_login user@host.example.net whoami
user
```
If this still returns Permission denied (publickey), the selected key is not trusted by the remote account or the wrong private key path was used.
Related: How to connect with SSH using a private key
Open the per-user OpenSSH client config.
```
$ nano ~/.ssh/config
```
Add a host block for the affected server.
```
Host host-login
  HostName host.example.net
  User user
  IdentityFile ~/.ssh/id_ed25519_host_login
  IdentitiesOnly yes
```
IdentitiesOnly yes is the line that stops unrelated agent identities from being offered for this host.
Related: How to set per-host SSH identity files in SSH config
Tool: SSH Config Snippet Generator
Restrict the config file and selected private key.
```
$ chmod 600 ~/.ssh/config ~/.ssh/id_ed25519_host_login
```
Private key files readable by other local users expose credentials and can be ignored by OpenSSH.
Related: How to fix the SSH unprotected private key file warning
Print the resolved client config for the alias.
```
$ ssh -G host-login
host host-login
user user
hostname host.example.net
port 22
##### snipped #####
identitiesonly yes
identityfile ~/.ssh/id_ed25519_host_login
```
ssh -G shows the final client settings after matching Host blocks and defaults.
Related: How to show SSH client configuration
Connect through the alias.
```
$ ssh host-login whoami
user
```
If the original error returns, check for an earlier matching Host block, a broader wildcard that sets another IdentityFile, or agent keys that should be removed from the current session.
Related: How to remove SSH keys from ssh-agent

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.