ssh multiple identities -fix- “Too many authentication failures for { username }”

So; you regularly use ssh to connect to a few different hosts – using different private keys for each user/server combination.

Your  ~/.ssh/ directory already has a few named private keys in it – you add a couple, bring the total to 5 or more…

ls ~/.ssh/
dave_mars.id_dsa
sue_deimos.id_dsa
steve_deimos.id_dsa
irene_phobos.id_dsa
lee_phobos.id_dsa
sue_mars.id_dsa
red_deimos.id_dsa

….and try connecting:

ssh -i .ssh/sue_mars.id_dsa -l sue mars

You’re denied, with an error like:

Received disconnect from {mars' IP address} 2: Too many authentication failures for sue.

Which is confusing;  this may be the first time you’ve tried connecting to phobos with sue’s account.

Add the verbose switch to you ssh command:

ssh -v -i .ssh/sue_phobos.id_dsa -l sue phobos

You’ll see this at the end of the negotiation:

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/dave_mars.id_dsa
debug1: Authentications that can continue: publickey
 debug1: Offering RSA public key: .ssh/sue_deimos.id_dsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: .ssh/steve_deimos.id_dsa
debug1: Authentications that can continue: publickey
 debug1: Offering RSA public key: .ssh/irene_phobos.id_dsa
debug1: Authentications that can continue; publickey
 debug1: Offering RSA public key: .ssh/lee_phobos.id_dsa
Received disconnect from {phobos' IP address}: 2: Too many authentication failures for sue

Your local ssh agent is offering any key it can find, pre-loaded and cached from the .ssh directory (prove this caching by moving the other named keys somewhere else on your system – they’ll still be offered). The -i flag is a more of a guideline or hint to the agent.

To force the ssh client to offer only the key specified by -i, use the

-o IdentitiesOnly=yes

option:

ssh -o IdentitiesOnly=yes -i .ssh/sue_phobos.id_dsa -l sue phobos

or:

ssh -o "IdentitiesOnly yes" -i .ssh/sue_phobos.id_dsa -l sue phobos

…you’re connected.