Git & SSH – Too many authentication failures

When recently setting up a new website on Pantheon, I ran into a problem with cloning the new site Git repo to my local computer.

$ git clone ssh://codeserver.dev.<UNIQUE-HASH>@codeserver.dev.<UNIQUE-HASH>.drush.in:2222/~/repository.git www -vvv
Cloning into 'www'...
Received disconnect from X.X.X.X port 2222:2: too many authentication failures
Disconnected from X.X.X.X port 2222
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Thinking that I may have forgotten to setup my SSH access correctly, I double checked the following things:

1. ✅ That I had an SSH key on my computer for use with Pantheon.

   ls -la ~/.ssh
   --
   -r--------   1 jonathan  staff   1679 Feb  9  2017 pantheon

2. ✅ That I had uploaded that key to my Pantheon account
   

That all looked good, so I decided the problem I was running into was one I had faced before… too many ssh keys on my local computer.

Too Many SSH keys

If you work on a lot of servers for various reasons (clients), you may have a lot of SSH keys on your computer. This can easily lead to the problem I’m seeing due to the way that SSH servers can be setup vs how SSH clients attempt to authenticate with the servers. Here is the root of the problem:

• SSH servers are commonly setup to allow for a maximum number of attempted authentications before rejecting the attempt. I believe this setting for ssh servers is called “MaxAuthTries”, and the default value is 6 (don’t quote me on this, I am not a sysadmin expert).
• When attmpting to connect to an SSH server, if you have not told your SSH client specifically which key to use with the server, it will attempt to use all of your keys (one at a time) until it finds one that works.
• If the key you need to use for the server is attempted by your client after the MaxAuthTries as configured by the server, your client will never reach the correct key and will fail its authentication attempt.

Luckily this is an easy problem to fix. All we need to do is modify our SSH client configuration and tell it to always use the correct key with the specific server. This involvs editing a text file on your computer that is generally located within the same folder as your SSH keys.

Use a Specific SSH Key for a Specific SSH Server

Open your SSH configuration file in your favorite editor:

nano ~/.ssh/config

At the bottom of the file, add the following information:

# Pantheon
Host *.drush.in  
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/pantheon
        Port 2222

This section tells your SSH client that anytime you’re connecting to a host that matches the pattern *.drush.in, use your SSH key named “pantheon”.

Save the file and close your editor. Now let’s try to clone that Git repository again.

git clone ssh://codeserver.dev.<UNIQUE-HASH>@codeserver.dev.<UNIQUE-HASH>.drush.in:2222/~/repository.git www -vvv

That should do it! Now you have a connection to the git repository/ssh server that knows to always use the correct ssh key on the first attempt, and doing so should avoid the “too many authentication failures” error.

References:

• Generating an SSH Key (best practices)
• Wildcard SSH config hostnames