When attempting to SSH into my AWS EC2 Ubuntu instance using the command:
ssh -i"/home/kona/.ssh/aws_kona_id" kona@server.akona.me -p22
The session immediately fails with:
Received disconnect from [IP address] port 22:2: Too many authentication failures
Running with verbose mode (-v) reveals important details:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/kona/.ssh/aws_kona_id
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
The issue typically occurs when:
- SSH agent has multiple identities loaded
- The server's MaxAuthTries setting is low
- Key permissions are incorrect
- The SSH client attempts too many authentication methods
1. Force Single Identity Authentication
The most reliable fix is to modify your SSH command:
ssh -o "IdentitiesOnly=yes" -i ~/.ssh/aws_kona_id kona@server.akona.me
2. Check Key File Permissions
Ensure proper permissions on your key files:
chmod 600 ~/.ssh/aws_kona_id
chmod 644 ~/.ssh/aws_kona_id.pub
chmod 700 ~/.ssh
3. Clear SSH Agent Identities
If using SSH agent, clear existing identities:
ssh-add -D
4. Temporary Workaround via AWS Console
When completely locked out:
- Stop the EC2 instance
- Detach the root volume
- Attach to another instance
- Modify authorized_keys and sshd_config
- Reattach and restart
For persistent issues, modify your client-side SSH config:
Host server.akona.me
HostName server.akona.me
User kona
IdentityFile ~/.ssh/aws_kona_id
IdentitiesOnly yes
PreferredAuthentications publickey
If you regain access, adjust server settings:
sudo nano /etc/ssh/sshd_config
# Set:
MaxAuthTries 6
MaxSessions 10
Then restart SSH service:
sudo systemctl restart sshd
- Verify key fingerprint matches:
ssh-keygen -lf ~/.ssh/aws_kona_id.pub
- Check server logs:
sudo tail -f /var/log/auth.log
- Test connection without agent:
ssh -o "IdentitiesOnly=yes" -i key user@host
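Added example, not part of the answer above: a small POSIX shell pre-flight script that turns that answer's diagnosis into something you can check before connecting. Every key the agent offers counts as one authentication attempt against the server's MaxAuthTries (OpenSSH default 6), and ssh offers agent keys before a private key that exists only on disk, so an agent holding six or more identities exhausts the budget before the -i key is ever tried. The script counts identities in ssh-add -l style output, checks the private key's file mode, and prints the IdentitiesOnly=yes command that sidesteps both problems. The default of 6 assumes an unmodified sshd_config; the stat flags assume a GNU or BSD userland; the ssh-add output used for testing is constructed.

```shell
#!/bin/sh
# Added example (not from the original answer): client-side pre-flight checks
# for "Too many authentication failures". Assumes a GNU/Linux or BSD userland
# with stat, awk and ssh-add on PATH.

# OpenSSH's default MaxAuthTries (assumption: the server has not changed it).
DEFAULT_MAX_AUTH_TRIES=6

# Count identities in text formatted like `ssh-add -l` output: one line per key
# such as "256 SHA256:... comment (ED25519)", or the sentence
# "The agent has no identities." when empty. Always prints a number.
count_agent_identities() {
    printf '%s\n' "$1" | awk '/^[0-9]+ /{n++} END{print n+0}'
}

# True (exit 0) when the agent's identities alone could use up the server's
# MaxAuthTries before the on-disk -i key is offered, i.e. the failure mode in
# the question. $1 = identity count, $2 = MaxAuthTries (default 6).
agent_would_exhaust() {
    [ "$1" -ge "${2:-$DEFAULT_MAX_AUTH_TRIES}" ]
}

# True when the private key has a mode ssh accepts (0600 or 0400, owner-only);
# ssh ignores a group- or world-readable private key with an "UNPROTECTED
# PRIVATE KEY FILE" warning. Tries GNU stat -c first, then BSD/macOS stat -f.
check_key_mode() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the command that offers only the named key: IdentitiesOnly=yes makes
# ssh skip every agent identity that is not also configured for this host.
# $1 = key path, $2 = user@host
safe_ssh_command() {
    printf 'ssh -o IdentitiesOnly=yes -i %s %s\n' "$1" "$2"
}

# Stand-alone use: sh preflight.sh ~/.ssh/aws_kona_id kona@server.akona.me
if [ -n "$1" ]; then
    agent_out=$(ssh-add -l 2>&1 || true)
    n=$(count_agent_identities "$agent_out")
    echo "agent identities loaded: $n"
    if agent_would_exhaust "$n"; then
        echo "warning: $n keys >= MaxAuthTries $DEFAULT_MAX_AUTH_TRIES; use IdentitiesOnly=yes or ssh-add -D"
    fi
    if ! check_key_mode "$1"; then
        echo "warning: $1 is not mode 600; run: chmod 600 $1"
    fi
    safe_ssh_command "$1" "${2:-user@host}"
fi
```

Run it with the key path and destination as arguments; with no arguments it only defines the functions, which is how the checks can be sourced into other scripts.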
Getting locked out of your own server through SSH is every developer's nightmare. The "Too many authentication failures" error can be particularly frustrating when you're trying to access your AWS EC2 instance. Here's what's happening and how to fix it.
The key error sequence looks like this:
Received disconnect from [IP address] port 22:2: Too many authentication failures
Disconnected from [IP address] port 22
SSH servers have a built-in defense mechanism against brute force attacks. When multiple authentication attempts fail in quick succession (typically 5-6 attempts), the server will temporarily block further attempts. This is what you're seeing.
Here are several approaches to regain access:
1. Force Single Identity Attempt
Add -o IdentitiesOnly=yes to your SSH command to prevent SSH from trying all available keys:
ssh -o "IdentitiesOnly=yes" -i "/path/to/your/key.pem" user@host
2. Temporarily Disable Other Keys
Move other identity files from your ~/.ssh directory:
mkdir ~/.ssh/disabled_keys
mv ~/.ssh/id_* ~/.ssh/disabled_keys/ # Keep only the key you want to use
3. Modify Server Configuration
If you have AWS Systems Manager access, you can modify /etc/ssh/sshd_config:
# The stock sshd_config ships the line commented out ("#MaxAuthTries 6"), so the pattern also matches a leading "#"
sudo sed -i 's/^#*MaxAuthTries .*/MaxAuthTries 10/' /etc/ssh/sshd_config
sudo systemctl restart sshd
4. Use AWS Session Manager
When SSH fails completely, use AWS SSM to regain access:
aws ssm start-session --target instance-id
Always use the -v flag for detailed debugging:
ssh -v -o "IdentitiesOnly=yes" -i "key.pem" user@host
Consider these preventive measures:
- Configure SSH config file with specific host settings
- Set up MFA for SSH access
- Use AWS Instance Connect as backup
- Maintain alternative access methods (console, SSM)
Being locked out of your server is stressful, but methodical troubleshooting will get you back in. Always maintain multiple access paths to critical infrastructure.
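Added example, not from either answer: the server-side view of the same failure. The first answer says to check /var/log/auth.log; this POSIX shell function summarises sshd's authentication lines per source address and user, so an administrator can tell an operator with an overfull agent (a burst of failed publickey offers, then "maximum authentication attempts exceeded", then a success) apart from an unknown source probing invalid users. The log lines below are constructed for the example but follow sshd's real message formats; note that at the default LogLevel sshd only starts logging "Failed publickey" once a connection's failures reach half of MaxAuthTries, so the failed count is a lower bound.

```shell
#!/bin/sh
# Added example (not from the original answers): summarise sshd auth.log
# lines by "<ip> <user>". Requires only awk and sort.

# Constructed sample modelled on sshd's message formats (not a real capture).
SAMPLE_AUTH_LOG='Mar  3 08:12:01 ip-10-0-1-5 sshd[2201]: Failed publickey for kona from 198.51.100.7 port 50122 ssh2: RSA SHA256:AAAA
Mar  3 08:12:01 ip-10-0-1-5 sshd[2201]: Failed publickey for kona from 198.51.100.7 port 50122 ssh2: RSA SHA256:BBBB
Mar  3 08:12:02 ip-10-0-1-5 sshd[2201]: Failed publickey for kona from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:CCCC
Mar  3 08:12:02 ip-10-0-1-5 sshd[2201]: Failed publickey for kona from 198.51.100.7 port 50122 ssh2: RSA SHA256:DDDD
Mar  3 08:12:02 ip-10-0-1-5 sshd[2201]: error: maximum authentication attempts exceeded for kona from 198.51.100.7 port 50122 ssh2 [preauth]
Mar  3 08:12:02 ip-10-0-1-5 sshd[2201]: Disconnecting authenticating user kona 198.51.100.7 port 50122: Too many authentication failures [preauth]
Mar  3 08:15:40 ip-10-0-1-5 sshd[2240]: Accepted publickey for kona from 198.51.100.7 port 50210 ssh2: ED25519 SHA256:EEEE
Mar  3 08:20:11 ip-10-0-1-5 sshd[2301]: Failed publickey for invalid user admin from 203.0.113.9 port 40001 ssh2: RSA SHA256:FFFF'

# Read auth.log text on stdin; print one line per "<ip> <user>" with counts of
# failed publickey offers, MaxAuthTries trips, and successful logins.
summarize_auth_log() {
    awk '
    # Extract "<ip> <user>" from "... for [invalid user] <user> from <ip> port ..."
    function who(   i, u, ip) {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") u = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            else if ($i == "from") ip = $(i+1)
        }
        return ip " " u
    }
    /sshd\[[0-9]+\]: Failed publickey for/          { failed[who()]++ }
    /sshd\[[0-9]+\]: Accepted publickey for/        { accepted[who()]++ }
    /maximum authentication attempts exceeded for/  { exceeded[who()]++ }
    END {
        for (k in failed)   seen[k] = 1
        for (k in accepted) seen[k] = 1
        for (k in exceeded) seen[k] = 1
        for (k in seen)
            printf "%s failed=%d exceeded=%d accepted=%d\n", k, failed[k], exceeded[k], accepted[k]
    }' | sort
}

# Stand-alone use: sh authsummary.sh /var/log/auth.log (run as root); with no
# argument it summarises the constructed sample above.
if [ -n "$1" ]; then
    summarize_auth_log < "$1"
else
    printf '%s\n' "$SAMPLE_AUTH_LOG" | summarize_auth_log
fi
```

On the sample this prints "198.51.100.7 kona failed=4 exceeded=1 accepted=1" and "203.0.113.9 admin failed=1 exceeded=0 accepted=0": the first pattern is the locked-out operator from the question, the second is unrelated noise against a user that does not exist.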