
Improve error reporting in tsh ssh if the MFA API is unavailable#63984

Open
espadolini wants to merge 4 commits into master from espadolini/tsh-mfa-error-display

Conversation

espadolini (Contributor) commented Feb 19, 2026

This PR changes the error reporting when tsh ssh fails to connect to a target host if tsh was unable to determine if MFA was required. Currently, in almost all cases if the connection to the target host fails, the user will only see the error from the MFA ceremony, even if the ceremony failed due to reasons unrelated to the connectivity to the host, for example if a rate limit is being hit (perhaps due to #63549, for example).


ERROR: rate limit exceeded

Moreover, there's no way to get the error from the direct connection attempt, even with debug logging enabled.

After this PR, errors from the MFA ceremony of the trace.ConnectionProblem and trace.LimitExceeded kind are deprioritized and the error shown to the user is the one from the direct connection attempt:


ERROR: failed connecting to host foo: target host foo is offline or does not exist

If debug logging is enabled, the deprioritized error is shown in the logs:

2026-02-19T18:07:03.236+01:00 DEBU [CLIENT]    Failed to connect to node, returning direct connection error and ignoring MFA ceremony error mfa_error:[
ERROR REPORT:
Original Error: *client.MFARequiredUnknownError unable to determine if a MFA ceremony is required: rate limit exceeded
Stack Trace:
        github.com/gravitational/teleport/lib/client/cluster_client.go:810 github.com/gravitational/teleport/lib/client.PerformSessionMFACeremony
        github.com/gravitational/teleport/lib/client/cluster_client.go:515 github.com/gravitational/teleport/lib/client.(*ClusterClient).performSessionMFACeremony
        github.com/gravitational/teleport/lib/client/cluster_client.go:360 github.com/gravitational/teleport/lib/client.(*ClusterClient).SessionSSHKeyRing
        github.com/gravitational/teleport/lib/client/cluster_client.go:285 github.com/gravitational/teleport/lib/client.(*ClusterClient).SessionSSHConfig
        github.com/gravitational/teleport/lib/client/api.go:2182 github.com/gravitational/teleport/lib/client.(*TeleportClient).connectToNodeWithMFA
        github.com/gravitational/teleport/lib/client/api.go:2072 github.com/gravitational/teleport/lib/client.(*TeleportClient).ConnectToNode.func3
        runtime/asm_arm64.s:1447 runtime.goexit
User Message: unable to determine if a MFA ceremony is required: rate limit exceeded] trace_id:7b3028bd32056aebbd44f036f090c9a6 span_id:a0cac3cb37acc62a client/api.go:2120

ERROR REPORT:
Original Error: *trace.ConnectionProblemError failed connecting to host foo: target host foo is offline or does not exist
Stack Trace:
        github.com/gravitational/teleport/api/client/proxy/client.go:509 github.com/gravitational/teleport/api/client/proxy.(*Client).DialHost
        github.com/gravitational/teleport/lib/client/cluster_client.go:116 github.com/gravitational/teleport/lib/client.(*ClusterClient).DialHostWithResumption
        github.com/gravitational/teleport/lib/client/api.go:2058 github.com/gravitational/teleport/lib/client.(*TeleportClient).ConnectToNode.func2
        runtime/asm_arm64.s:1447 runtime.goexit
User Message: failed connecting to host foo: target host foo is offline or does not exist

Additionally, this PR tweaks the error message of the MFARequiredUnknownError wrapper to include an "unable to determine if a MFA ceremony is required" prefix.

Manual Test Plan

Test Environment

Control plane (cloud staging) and one node (ec2 linux arm64) running 18.7.2 release, local build of tsh with this PR (darwin arm64).

Test Cases

  • The normal error display when tsh ssh hits a connection error while the auth API is rate limited (due to mass tsh ssh, for example) shows the error from the connection error rather than just "rate limit exceeded"
  • Debug logging shows the deprioritized MFA error
  • Per-session MFA errors are still shown when the MFA ceremony fails
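To make the prioritization rule concrete, here is an added Go example; it is not part of this PR or of Teleport's code base. It models trace.ConnectionProblem and trace.LimitExceeded with local stand-in error types (the real github.com/gravitational/trace package is not used), wraps the rate limit in an MFARequiredUnknownError carrying the new message prefix, and applies the rule from the description: an MFA ceremony error of one of those two kinds loses to the direct connection error and is only written to the debug log, while any other ceremony error is still what the user sees. The function names selectConnectError, isDeprioritized and userMessage are this example's own, not tsh's.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
)

// Local stand-ins (constructed for this example) for the two error kinds the
// PR deprioritizes. Neither says anything about the target host: one is a
// connectivity problem reaching the control plane, the other a rate limit.
type ConnectionProblemError struct{ Msg string }

func (e *ConnectionProblemError) Error() string { return e.Msg }

type LimitExceededError struct{ Msg string }

func (e *LimitExceededError) Error() string { return e.Msg }

// MFARequiredUnknownError wraps the error from the "is MFA required?" check
// and carries the message prefix the PR adds to the real wrapper.
type MFARequiredUnknownError struct{ Err error }

func (e *MFARequiredUnknownError) Error() string {
	return "unable to determine if a MFA ceremony is required: " + e.Err.Error()
}

func (e *MFARequiredUnknownError) Unwrap() error { return e.Err }

// debugLog stands in for tsh's debug logger; the ignored MFA error goes only here.
var debugLog = log.New(os.Stderr, "DEBU [CLIENT] ", log.LstdFlags)

// isDeprioritized reports whether an MFA ceremony error is of a kind that
// should lose to the direct connection error. errors.As walks the Unwrap
// chain, so a rate limit wrapped in MFARequiredUnknownError is still matched.
func isDeprioritized(err error) bool {
	var cp *ConnectionProblemError
	var le *LimitExceededError
	return errors.As(err, &cp) || errors.As(err, &le)
}

// selectConnectError chooses the error to show the user once the direct dial
// (directErr) and the MFA ceremony path (mfaErr) have both been attempted.
func selectConnectError(directErr, mfaErr error) error {
	switch {
	case mfaErr == nil:
		return directErr
	case directErr == nil:
		return mfaErr
	case isDeprioritized(mfaErr):
		debugLog.Printf("Failed to connect to node, returning direct connection error and ignoring MFA ceremony error mfa_error:%v", mfaErr)
		return directErr
	default:
		// A genuine per-session MFA failure is still the error the user sees.
		return mfaErr
	}
}

// userMessage renders the selected error the way tsh prints it.
func userMessage(directErr, mfaErr error) string {
	err := selectConnectError(directErr, mfaErr)
	if err == nil {
		return ""
	}
	return "ERROR: " + err.Error()
}

func main() {
	// Constructed inputs mirroring the PR description: the host is offline
	// while the auth API is rate limited.
	direct := &ConnectionProblemError{Msg: "failed connecting to host foo: target host foo is offline or does not exist"}
	rateLimited := &MFARequiredUnknownError{Err: &LimitExceededError{Msg: "rate limit exceeded"}}
	fmt.Println(userMessage(direct, rateLimited))

	// A ceremony failure of any other kind is surfaced as before (constructed message).
	ceremonyFailed := errors.New("mfa ceremony failed: device not responding")
	fmt.Println(userMessage(direct, ceremonyFailed))
}
```

Running it prints the direct connection error first and the ceremony error second; the ignored rate limit error appears only on stderr through the debug logger, which is the split between user-facing message and debug log that the PR description shows.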

espadolini added the labels no-changelog (Indicates that a PR does not require a changelog entry), backport/branch/v17 and backport/branch/v18 on Feb 19, 2026
espadolini (Contributor, Author) commented:

@hugoShaka @rudream ping


Labels: backport/branch/v17, backport/branch/v18, no-changelog (Indicates that a PR does not require a changelog entry), size/sm