What you're seeing
$ ssh [email protected]
Received disconnect from 192.168.1.50 port 22:2: Too many authentication failures
Disconnected from 192.168.1.50 port 22You typically also see the server's "Permission denied" message immediately before this, suggesting the auth itself was wrong — but the actual issue is that the server gave up on the connection entirely.
What's causing this error
OpenSSH's default MaxAuthTries on the server side is 6. Each key your client offers counts as one attempt — even before you reach the right key. If ssh-agent is loaded with 8 keys and the right one is #7, the server kicks you after the 6th failed offer.
The four variants:
ssh-agenthas many keys loaded (most common). Common after years of accumulating keys for GitHub, AWS, work, side projects, etc.- You're using a config that doesn't specify
IdentityFile— so SSH tries every default key in~/.ssh/plus everything in the agent. - A jump host / ProxyJump amplifies the problem — the same key offers happen at every hop, multiplying failures.
- Server-side
MaxAuthTriesis set lower than default (rare but happens on hardened servers — sometimes 3).
How to fix it
Step 1: Confirm what's being offered
ssh -v [email protected] 2>&1 | grep "Offering"You'll see one line per key the client tries. If there are more than 5-6 lines, that's your problem.
Step 2: Restrict to a single key for that host
Two ways:
Quick one-off (command line):
ssh -i ~/.ssh/id_ed25519_correct -o IdentitiesOnly=yes [email protected]Both flags matter. -i alone adds a key to the list of offered identities — it doesn't replace them. IdentitiesOnly=yes tells SSH to ignore the agent and only try the specified key.
Permanent (recommended — ~/.ssh/config):
Host example.com
User myuser
IdentityFile ~/.ssh/id_ed25519_correct
IdentitiesOnly yesNow ssh example.com will use only that key, ignoring everything else in the agent. Same fix everywhere you connect, no flags to remember.
Step 3: Trim ssh-agent (optional but recommended)
If you commonly hit this across multiple servers, your agent is probably bloated. List what's loaded:
ssh-add -lRemove keys you don't actively use:
ssh-add -d ~/.ssh/key-i-no-longer-use
# Or nuke everything and add back only what you need:
ssh-add -D
ssh-add ~/.ssh/id_ed25519Step 4: Server-side fix (only if you control the server and the cause is something else)
If you genuinely need more than 6 attempts (rare — usually means something else is wrong), raise the server limit:
# /etc/ssh/sshd_config on the server
MaxAuthTries 10Restart sshd:
sudo systemctl restart sshBut this is a band-aid — the right fix is almost always to make your client offer fewer keys.
Common edge cases
| Situation | What's actually wrong |
|---|---|
| Works locally, fails through ProxyJump bastion | Each hop counts attempts independently — bastion may have a stricter MaxAuthTries. Apply IdentitiesOnly to both Host blocks. |
| Started after adding a key to GitHub | New GitHub key got auto-loaded into agent on next session start. Old SSH targets now exceed limit. |
IdentitiesOnly yes set but still failing | ~/.ssh/config has wildcard Host * block adding keys before your specific Host example.com block. SSH applies matching blocks top-to-bottom; the specific block must come first. |
ssh-add -l says "no identities" but verbose still shows offers | SSH is also trying default-named files (~/.ssh/id_rsa, ~/.ssh/id_ed25519, etc.) regardless of agent. IdentitiesOnly yes plus an explicit IdentityFile blocks them. |
Works once after ssh-add -D, then fails again | A keychain integration (macOS, GNOME Keyring) is re-adding keys on session start. Look for IdentityAgent directives or keychain integrations and disable for that host. |