cannot connect to sftp server - "Too many authentication failures for user"

[John]

Filezilla 3.5.1 cannot connect to sftp servers with either key based or password based methods. Logs with debuging/verbose=3 attached.

I have verified that this is not a function of my system by repeating on an independent box with the same results. As well, I am pretty sure that nothing is wrong with the server because I used "sftp -P 34451 facade@mars" from a shell and connect just fine. As well, using gftp, I am able to connect. The Host OS is Archlinux x86_64 which is up-to-date (Arch is a rolling release).

[John]

key-based log

[John]

password based log

[John]

I got it! Turns out that ~/.ssh/config was messing up FileZilla. I dunno why all of a sudden because I have been using my system with this config file for years. This file is formated like this:

Host github.com
  User facade
  IdentityFile /home/facade/.ssh/id_rsa_github_dot_com

Host mars
  User facade
  IdentityFile /home/facade/.ssh/id_rsa_mars

Host phobos
  User facade
  IdentityFile /home/facade/.ssh/id_rsa_phobos

Host deimos
  User facade
  IdentityFile /home/facade/.ssh/id_rsa_deimos

I read on the github wiki that one needs this file when dealing with multiple keys. Anyway, if I move ~/.ssh/config out of ~/.ssh, FileZilla works again. Apparently the github wiki is incorrect. I checked, and I am able to push to github without this file. Further, I am able to connect to all my hosts without this file. Problem solved - sorry for the false alarm.

[John]

Wait... this is NOT resolved. After a reboot I am back to the same behavior even omitting the ~/.ssh/config file!

[John]

I think the problem is that filezilla only tries 3 keys but I have 5 in my ~/.ssh.

Trace:   Trying Pageant key #0
Trace:   Server refused public key
Trace:   Trying Pageant key #1
Trace:   Server refused public key
Trace:   Trying Pageant key #2
Trace:   Received disconnect message (protocol error)
Trace:   Disconnection message text: Too many authentication failures for facade
Trace:   Server sent disconnect message
Trace:   type 2 (protocol error):
Trace:   "Too many authentication failures for facade"
Error:   Server sent disconnect message
Error:   type 2 (protocol error):
Error:   "Too many authentication failures for facade"
Trace:   CSftpControlSocket::ResetOperation(66)
Trace:   CControlSocket::ResetOperation(66)
Error:   Could not connect to server
Status:   Waiting to retry...

If I move all but the one that I need to another dir, filezilla connects as expected.

[John]

I think having filezilla read ~/.ssh/config to know which key to use would be needed here. Why just try all keys?

[Daniel Quinn]

+1 for having Filezilla parse ~/.ssh/config rather than just trying all the keys. The current behaviour breaks the convention of every other ssh-based connection and led me to believe I'd configured Filezilla wrong for weeks.

For now, a decent work around for people not wanting to kill their ssh agent, this works for me:

$ SSH_AUTH_SOCK=""; filezilla

Obviously this only disables the use of the agent, rather than teaching Filezilla how to work with it, but it gets the job done.

[Alexander Schuch]

This is a duplicate of #5480.

[klam0]

Please let me to disagree. I have more than 100 keys, do you think it's OK to bombard every single server I connect to with hundreds of keys when every single one of them are going to fail?

It is inconvenient, it is also a privacy issue: I don't want FileZilla to send every public key I own to anywhere I connect to (that's why I use "IdentitiesOnly yes" in SSH config, and create a separate keypair for every server I access, or sometimes just use a password w/o a key).

This IS a bug, at least please leave the issue open so some interested people who can code can see it and maybe solve the issue.

Thank you.

Edit: I meant to reopen #8232 but wrote the text in a wrong tab, sorry.

[AG3]

100% agree with this.

AG3

Replying to klam0:

Please let me to disagree. I have more than 100 keys, do you think it's OK to bombard every single server I connect to with hundreds of keys when every single one of them are going to fail?

It is inconvenient, it is also a privacy issue: I don't want FileZilla to send every public key I own to anywhere I connect to (that's why I use "IdentitiesOnly yes" in SSH config, and create a separate keypair for every server I access, or sometimes just use a password w/o a key).

This IS a bug, at least please leave the issue open so some interested people who can code can see it and maybe solve the issue.

Thank you.

Edit: I meant to reopen #8232 but wrote the text in a wrong tab, sorry.

[logtom]

I use "IdentitiesOnly yes" in SSH config, and create a separate keypair for every server I access.

Is there an easy way to tell filezilla to read my .ssh/config to figure out which key to use?

[George]

Linux Mint 20.3, FileZilla 3.65.0 and FileZilla Flatpak 3.60.1 identical issue.

Still have this problem, FileZilla tries every SSH key in ~/.ssh until

Response:	fzSftp started, protocol_version=11
Trace:	CSftpConnectOpData::ParseResponse() in state 0
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpConnectOpData::Send() in state 3
Command:	open "___@____" 55000
Trace:	Looking up host "_____" for SSH connection
Trace:	Connecting to _____ port 55000
Trace:	We claim version: SSH-2.0-FileZilla_3.65.0
Trace:	Connected to _____
Trace:	Remote version: SSH-2.0-OpenSSH_7.4
Trace:	Using SSH protocol version 2
Trace:	Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (SHA-NI accelerated)
Trace:	Server also has ecdsa-sha2-nistp256/rsa-sha2-512/rsa-sha2-256/ssh-rsa host keys, but we don't know any of them
Trace:	Host key fingerprint is:
Trace:	ssh-ed25519 255 SHA256:_____
Trace:	Initialised AES-256 GCM outbound encryption
Trace:	Initialised AES256 GCM outbound MAC algorithm (in ETM mode) (required by cipher)
Trace:	Will enable zlib (RFC1950) compression after user authentication
Trace:	Initialised AES-256 GCM inbound encryption
Trace:	Initialised AES256 GCM inbound MAC algorithm (in ETM mode) (required by cipher)
Trace:	Will enable zlib (RFC1950) decompression after user authentication
Trace:	Pageant is running. Requesting keys.
Trace:	Pageant has 6 SSH-2 keys
Status:	Using username "_____". 
Trace:	Trying Pageant key #0
Trace:	Server refused our key
Trace:	Trying Pageant key #1
Trace:	Server refused our key
Trace:	Trying Pageant key #2
Trace:	Server refused our key
Trace:	Trying Pageant key #3
Trace:	Server refused our key
Trace:	Trying Pageant key #4
Trace:	Server refused our key
Trace:	Trying Pageant key #5
Trace:	Remote side sent disconnect message type 2 (protocol error): "Too many authentication failures"
Error:	FATAL ERROR: Remote side sent disconnect message
Error:	type 2 (protocol error):
Error:	"Too many authentication failures"
Trace:	Got eof from child process

Should have a way to specify a key to use, or to not attempt any keys.

FileZilla Client
----------------

Version:          3.65.0

Build information:
  Compiled for:   x86_64-pc-linux-gnu
  Compiled on:    x86_64-pc-linux-gnu
  Build date:     2023-07-10
  Compiled with:  gcc (Debian 8.3.0-6) 8.3.0
  Compiler flags:  -O2 -g -Wall -Wextra -pedantic -Wno-cast-function-type -ffunction-sections -fdata-sections

Linked against:
  wxWidgets:      3.2.1
  SQLite:         3.39.4
  GnuTLS:         3.8.0

Operating system:
  Name:           Linux 5.15.0-84-generic x86_64
  Version:        5.15
  CPU features:   sse sse2 sse3 ssse3 sse4.1 sse4.2 avx avx2 aes pclmulqdq rdrnd bmi bmi2 adx lm
  Settings dir:   /home/george/.config/filezilla/

[masscream]

+1, this limits ssh-agent users to use FileZilla at all...