My client is Mac OS X 10.9.5. I have a bastion host (Linux) that I am ssh'ing into. I have agent forwarding working, so I can ssh to the bastion host and then ssh into another machine without having to store my private key on the bastion.

My problem is I have hit 7 keys in my ssh store (ssh-add -L) on my client machine. When I try to use agent forwarding for machines with the 7th key, it fails with "Too many authentication failures for '. With -vvv on, I can see that in the send_pubkey_test it gets to the 6th key offered and that is when it stops. The 7th key is never offered up. Below is a snippet of the 6th key and the failure.

  debug3: send_pubkey_test
  debug2: we sent a publickey packet, wait for reply
  debug1: Authentications that can continue: publickey
  debug1: Offering RSA public key: xxxx.pem
  debug3: send_pubkey_test
  debug2: we sent a publickey packet, wait for reply
  Received disconnect from 2: Too many authentication failures for ec2-user

I have tried various solutions but I must be missing something.

On client I am using a config file. In this the bastion host is set the following:

host jump01
  ForwardAgent yes
  Hostname www.example.com
  User some-user
  IdentityFile bastion.pem
  IdentitiesOnly yes

I have tried setting up the other servers in the client's config file. Below is the example. When on the bastion server, I try ssh internal.IP and it fails with "too many authentication:"

host internal.IP
  IdentityFile key.pem
  IdentitiesOnly yes

I have tried setting up a config on the bastion server to force it to use an identity file. But since I do not want my private key out there, this fails.

In addition, I tried taking the public key for the pem and copying it to the bastion server in the .ssh directory. Then I used -i name.pub on the command line. This did not work. It seemed to treat the pub key as a pem.

My workaround is to write a script to load/delete the keys as I need them. I keep thinking for ssh agent forwarding, there must be a solution that I am missing.

Appreciate any guidance.
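The failure in the question is a counting problem: sshd's MaxAuthTries defaults to 6, every public key the client offers and the server rejects counts as one failed attempt, and with 7 identities in the forwarded agent the right key is never reached. The script below is an added example, not code from the question or the answer. It does two things: it counts the keys offered in a constructed sample of `ssh -vvv` output (modelled on the lines quoted above, with made-up key names) and compares the count with the server limit, and it emits a bastion-side `~/.ssh/config` entry that pins one identity with `IdentitiesOnly yes` and an `IdentityFile` pointing at the public half only. The private key never leaves the client: with a public-key-only IdentityFile, ssh looks the matching private key up in the forwarded agent, which assumes a bastion OpenSSH client recent enough to support public-key-only identity files. The host name, user and key path are placeholders.

```shell
#!/bin/sh
# Constructed sample of `ssh -vvv` output (key names invented), shaped like the
# trace in the question: six keys offered, then the server disconnects.
SAMPLE_DEBUG='debug1: Offering RSA public key: /Users/me/.ssh/web.pem
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/me/.ssh/app.pem
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/me/.ssh/db.pem
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/me/.ssh/tools.pem
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/me/.ssh/bastion.pem
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/me/.ssh/monitoring.pem
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Received disconnect from 10.0.0.2: Too many authentication failures for ec2-user'

# Count the identities the client offered before the server gave up.
# Each rejected public key is one failed attempt against sshd MaxAuthTries.
count_offered_keys() {
    printf '%s\n' "$1" | awk '
        /^debug1: Offering .*public key:/ { n++ }
        /Too many authentication failures/ { exit }
        END { print n + 0 }'
}

# Emit a bastion-side ~/.ssh/config entry that restricts ssh to one identity.
# IdentitiesOnly stops ssh from offering every key the forwarded agent holds;
# the IdentityFile is the .pub half only, so no private key lives on the bastion.
host_entry() {
    printf 'Host %s\n  User %s\n  IdentityFile %s\n  IdentitiesOnly yes\n' "$1" "$2" "$3"
}

# Compare the offered-key count with the server limit (MaxAuthTries, default 6).
# Returns 1 when the limit was reached, which is the symptom in the question.
diagnose() {
    n=$(count_offered_keys "$1")
    max=${2:-6}
    if [ "$n" -ge "$max" ]; then
        echo "offered $n keys, server limit $max: pin one identity with IdentitiesOnly"
        return 1
    fi
    echo "offered $n keys, under the server limit of $max"
    return 0
}

# Usage: run the diagnosis on the sample, then print a config entry for the
# placeholder internal host (user and key path are assumptions).
diagnose "$SAMPLE_DEBUG" || true
host_entry internal.IP ec2-user '~/.ssh/key.pub'
```

The same pinning works without a config file as `ssh -o IdentitiesOnly=yes -i ~/.ssh/key.pub internal.IP` on the bastion. Two caveats a practitioner would want: the server-side limit is MaxAuthTries in sshd_config, so the same symptom appears on any host where it has been lowered; and agent forwarding hands anyone with root on the bastion the ability to use the agent while the session is open, so on OpenSSH 7.3 or later `ProxyJump` (`ssh -J jump01 internal.IP`) reaches the internal host through the bastion without forwarding the agent at all.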

1 Answer

I would rather this be a comment on the question but I don't have the rep...

Why do you have 7 keys? I've seen people do this thinking it's more secure but it's not. If your client is compromised all keys are compromised. Maybe you have a legit reason but just want to make sure you're not creating more problems than you're solving.

  • This is a good point. I was thinking a different key per layer. So web layer would have a key, app layer a key... etc. This would have been under 6 keys but then there was a need for more tooling in one layer. I was thinking more of separation of duties. I need to do research in best practices for key management. I think I am stuck in the old school separation of duties thought process. This has helped me realize I might be doing the keys all wrong.
    – Zonirunner
    Commented Oct 6, 2014 at 20:15
  • 1
    There are reasons to have multiple keys. For example, you might have one key to control a set of instances at Amazon, another key for Google, etc. To manage multiple keys, it's best to put them in different files, but the Mac keystore seems to want to hold them all...
    – vy32
    Commented Nov 17, 2015 at 14:52