
I'm running Mac OS X, and it appears that after SSHing to several machines, using identity files, my 'ssh-agent' builds up a lot of identity / keys and then sometimes offers too many to a remote machine, causing them to kick me off before connecting:

Received disconnect from 10.12.10.16: 2: Too many authentication failures for cwd

It's pretty obvious what's happening, and this page talks about it in more detail:

SSH servers only allow you to attempt to authenticate a certain number of times. Each failed password attempt, each failed pubkey/identity that is offered, etc, take up one of these attempts. If you have a lot of SSH keys in your agent, you may find that an SSH server may kick you out before allowing you to attempt password authentication at all. If this is the case, there are a few different workarounds.

Rebooting clears the agent and then everything works OK again. I can also add this line to my .ssh/config file to force it to use password authentication:

PreferredAuthentications keyboard-interactive,password

Anyhow, I saw the note on the page I referenced talking about deleting keys from the agent, but I'm not sure if that applies on a Mac since they appear to be cleared after reboot anyhow.

Is there a simple way to clear out all keys in the 'ssh-agent' (the same thing that happens at reboot)?

Peter Mortensen
cwd

2 Answers


Your SSH keys should not get automatically added to the agent just because you SSH'ed to a server...

Run ssh-add -l to list the agent's keys, ssh-add -D to clean out all keys.

u1686_grawity
  • Maybe it has something to do with the OSX's config? If I type in `ssh-add -l` I get nothing. If I type in `ssh -i ~/keyFileLocation.dsa un@remotehost` I get an OS X popup dialog asking for the passphrase. I type it in and then it connects me. If I disconnect and then type `ssh-add -l` it shows me the identity I just used. After I restart the computer and type `ssh-add -l` it is blank again. `ssh-add -D` worked great to clear out the keys without restarting. Thanks! – cwd Apr 16 '11 at 17:57
  • Four years later and this still is an issue, but this fix still works--thank you – jnunn Apr 09 '15 at 02:40
  • Hey can you guide me for this please? http://superuser.com/questions/951002/ssh-agent-loses-identity-while-restart-machine – Niks Aug 05 '15 at 09:12
  • Wrong (in 2017): see the `AddKeysToAgent` configuration option, which is designed for the express purpose of adding your SSH keys to the agent just because you SSH'd to a server. – Resigned June 2023 Sep 19 '17 at 05:54

Another way to limit which keys are tried is to add IdentitiesOnly yes to ~/.ssh/config together with a list of entries of the form

IdentityFile ~/.ssh/<nameofkey>

You may also add them to each Host entry:

Host server-name
    HostName <ipaddress>
    User <username>
    IdentityFile ~/.ssh/<nameofkey>

SSH Man Page has more options as well.

Leo Fisher
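As an added example (not code from the question or either answer), a small POSIX shell helper that ties the two answers together: it counts the identities `ssh-add -l` reports, compares that against sshd's default MaxAuthTries of 6 (the limit behind the "Too many authentication failures" disconnect), and prints a Host stanza with IdentitiesOnly yes so only one key is offered. The host alias, address, user and key path are placeholders you would replace.

```shell
#!/bin/sh
# Count identities in `ssh-add -l` output read from stdin.
# Each loaded key prints as "<bits> <fingerprint> <comment> (<type>)";
# an empty agent prints "The agent has no identities." and a missing
# agent prints an error, both of which count as zero.
count_agent_keys() {
    awk '/^[0-9]+ / { n++ } END { print n + 0 }'
}

# Return success (0) when the agent holds more keys than the server
# will tolerate. $2 is the server's MaxAuthTries; OpenSSH defaults to 6,
# and every rejected key consumes one attempt before password auth.
too_many_keys() {
    [ "$1" -ge "${2:-6}" ]
}

# Emit a ~/.ssh/config stanza that pins one key to one host, so the
# agent's other identities are never offered to it.
# Arguments: alias, HostName, User, IdentityFile path.
ssh_host_stanza() {
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4"
}

# Live check against the running agent (placeholder host values below).
agent_report() {
    keys=$(ssh-add -l 2>/dev/null | count_agent_keys)
    if too_many_keys "$keys"; then
        echo "agent holds $keys keys; run 'ssh-add -D' or pin a key per host:"
        ssh_host_stanza server-name 10.12.10.16 cwd ~/.ssh/id_rsa
    else
        echo "agent holds $keys keys; within the default MaxAuthTries"
    fi
}
```

Running `agent_report` on a machine with an agent reproduces the decision the question describes; the functions also work on captured `ssh-add -l` output piped in.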