Resolving “SSH Too Many Authentication Failures” Error in Vagrant Provisioning


2 views

When working with Vagrant provisioning scripts, you might encounter the frustrating "Too many authentication failures" error during SSH connections. This typically occurs when:

  • Your SSH client attempts too many key-based authentication attempts
  • The server-side MaxAuthTries limit is reached (default is usually 6)
  • SSH agent forwarding exposes multiple identities unnecessarily

From the debug output, we can see SSH is trying multiple keys in sequence:

debug2: key: /Users/ashleyconnor/.ssh/id_rsa (0x7fc212600540),
debug2: key: /Users/ashleyconnor/.ssh/bitbucket (0x7fc212600730),
debug2: key: /Users/ashleyconnor/.ssh/deployer (0x7fc212600a00),
debug2: key: /Users/ashleyconnor/.ssh/github (0x7fc212600c80),
debug2: key: /Users/ashleyconnor/.ssh/ash_ovh (0x7fc212601010),
debug2: key: /Users/ashleyconnor/.ssh/deployer_ovh (0x7fc2126011e0),

Before eventually failing with:

Received disconnect from 192.168.222.111: 2: Too many authentication failures for vagrant

1. Force Specific Identity File

Modify your SSH config to explicitly specify which key to use for Vagrant connections:

Host 192.168.222.*
  IdentitiesOnly yes
  IdentityFile /Users/ashleyconnor/.vagrant.d/insecure_private_key
  User vagrant

2. Ansible-Specific Fix

For Ansible provisioning, set these variables in your playbook or ansible.cfg:

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o IdentitiesOnly=yes -o IdentityFile=/Users/ashleyconnor/.vagrant.d/insecure_private_key

3. Temporary SSH Agent Workaround

When debugging, you can temporarily clear loaded identities:

ssh-add -D  # Remove all identities from agent
ssh-add /Users/ashleyconnor/.vagrant.d/insecure_private_key  # Add only the needed key

The root cause is SSH's default behavior of trying all available keys. By using IdentitiesOnly yes, we tell SSH to only use the explicitly specified identity files. The Ansible-specific solution ensures provisioning uses the correct key from the start.

For production environments, consider setting up proper SSH config sections:

Host vagrant-*
  User vagrant
  IdentityFile ~/.vagrant.d/insecure_private_key
  IdentitiesOnly yes
  PreferredAuthentications publickey
  PasswordAuthentication no

Then reference these hosts in your Ansible inventory:

[vagrant]
vagrant-192.168.222.111

To confirm your configuration works, test with:

ssh -v -o IdentitiesOnly=yes -i /path/to/key vagrant@192.168.222.111

You should see SSH attempting only the specified key.

When running vagrant up followed by vagrant provision, many developers encounter the frustrating "Too many authentication failures" error from SSH. This typically happens when your system tries multiple SSH keys before finding the correct one for Vagrant authentication.

The issue stems from SSH's default behavior of trying all available identity files when authenticating. In your case, the debug output shows SSH attempting these keys in sequence:

debug2: key: /Users/ashleyconnor/.ssh/id_rsa
debug2: key: /Users/ashleyconnor/.ssh/bitbucket
debug2: key: /Users/ashleyconnor/.ssh/deployer
debug2: key: /Users/ashleyconnor/.ssh/github
debug2: key: /Users/ashleyconnor/.ssh/ash_ovh
debug2: key: /Users/ashleyconnor/.ssh/deployer_ovh

After several failed attempts, the remote server terminates the connection as a security measure.

Solution 1: Force Specific Identity File

Modify your SSH configuration to explicitly specify the Vagrant private key:

Host 192.168.222.*
  User vagrant
  IdentityFile /Users/ashleyconnor/.vagrant.d/insecure_private_key
  IdentitiesOnly yes

Solution 2: Configure Ansible to Use Correct Key

Add this to your Ansible configuration or playbook:

ansible_ssh_private_key_file: /Users/ashleyconnor/.vagrant.d/insecure_private_key
ansible_ssh_extra_args: '-o IdentitiesOnly=yes'

Solution 3: Temporary Workaround

For quick testing, you can temporarily remove other keys from SSH agent:

ssh-add -D
ssh-add /Users/ashleyconnor/.vagrant.d/insecure_private_key

After applying any solution, verify with:

ssh -v -i /Users/ashleyconnor/.vagrant.d/insecure_private_key vagrant@192.168.222.111

You should see SSH attempting only the specified key.

  • Replace the insecure default key with your own
  • Consider using SSH config inheritance
  • Set proper permissions (600) for private keys