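Recently, when connecting to a remote server over ssh, I ran into the error "Too many authentication failures for xxxx", even though login had worked fine before and nothing seemed to have changed on the server. So what was the cause?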


Problem

When logging in to the remote server, the following message appears:

Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Received disconnect from 172.16.22.11 port 22:2: Too many authentication failures for xxx
Disconnected from 172.16.22.11 port 22

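Explicitly specifying the public key to use still did not help. After adding -vvv to print debug output, I found that ssh tried all the keys under ~/.ssh when logging in. Unfortunately, the key the server accepts was far down the list, and the limit was exceeded before that key was ever tried.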

ssh th2 -vvv
OpenSSH_7.8p1, OpenSSL 1.1.0i-fips 14 Aug 2018
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 4: Applying options for *
debug1: /home/user/.ssh/config line 7: Deprecated option "cipher"
debug1: /home/user/.ssh/config line 111: Applying options for th2
debug1: Reading configuration data /etc/ssh/ssh_config
...
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:121
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
...
debug2: key: /home/user/.ssh/ceph_rsa (0x55d8ec4dd860), agent
debug2: key: /home/user/.ssh/amito_rsa (0x55d8ec4d8c30), agent
debug2: key: aaaa (0xxxxxxxxxxxxx), agent
debug2: key: bbbb (0xxxxxxxxxxxxx), agent
debug2: key: cccc (0xxxxxxxxxxxxx), agent
debug2: key: dddd (0xxxxxxxxxxxxx), agent
debug2: key: /home/user/.ssh/xxxx ((nil)), explicit
...
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /home/user/.ssh/eeee_rsa
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering public key: RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /home/user/.ssh/aaaa_rsa
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering public key: RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx bbbb
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering public key: RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx cccc
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering public key: RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx eeee
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering public key: RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ffff
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 1
Received disconnect from 172.16.22.11 port 22:2: Too many authentication failures
Disconnected from 172.16.22.11 port 22

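It turns out that when logging in, the SSH client tries its keys one after another until it finds one that succeeds. The SSH server, however, is configured to drop the connection after a certain number of failed authentication attempts. With the cause found, the fix is simple.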
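To check a captured `ssh -vvv` log for this pattern, the following added example (not from the original post) counts candidate keys and offers and reports whether the explicitly configured key was offered before the disconnect. It assumes the OpenSSH 7.8 line format shown above; `summarize_offers` and `sample_log` are hypothetical names, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: summarize public-key offers found in `ssh -vvv` output.
# Typical use (host alias is an assumption): ssh -vvv th2 2>&1 | summarize_offers

# Constructed sample in the OpenSSH 7.8 debug format shown on this page.
sample_log() {
    cat <<'EOF'
debug2: key: /home/user/.ssh/a_rsa (0x1), agent
debug2: key: /home/user/.ssh/b_rsa (0x2), agent
debug2: key: /home/user/.ssh/target_rsa ((nil)), explicit
debug1: Offering public key: RSA SHA256:aaaa /home/user/.ssh/a_rsa
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:bbbb /home/user/.ssh/b_rsa
Received disconnect from 192.0.2.10 port 22:2: Too many authentication failures
EOF
}

# Reads the debug log on stdin and prints a one-line summary, plus a
# diagnosis line when the explicit key was never reached.
summarize_offers() {
    awk '
        /^debug2: key: / {                  # candidate list built before auth starts
            total++
            if ($NF == "explicit") { explicit[$3] = 1; nexp++ } else nagent++
        }
        /^debug1: Offering public key: / {  # each offer counts as one attempt on the server
            offered++
            if ($NF in explicit) hit = 1    # last field is the key path in this format
        }
        /Too many authentication failures/ { cut = 1 }
        END {
            printf "candidates=%d agent=%d explicit=%d offered=%d explicit_offered=%s disconnected=%s\n",
                total, nagent, nexp, offered, (hit ? "yes" : "no"), (cut ? "yes" : "no")
            if (cut && nexp && !hit)
                print "diagnosis: other keys used up the server limit before the IdentityFile key; set IdentitiesOnly yes"
        }'
}

sample_log | summarize_offers
```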

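Solution

One simple approach is to remove the extra keys, but each key exists for a reason, and using the same key to log in to every server is not realistic either. The other approach is to specify the key to use in ~/.ssh/config and add IdentitiesOnly=yes.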

Host myhost
    HostName my_host_ip
    User user
    Port port
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa

For convenience, this can be set for all hosts.

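Host *
    ServerAliveInterval 60
    # Disables host-key checking: new keys are added without a prompt, changed keys only produce a warning
    StrictHostKeyChecking no
    IdentitiesOnly yes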