How to resolve the 'no matching MAC found' error when I try to ssh
The following is the error I am getting:

no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 server [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

Maquette answered 24/7, 2018 at 14:43 Comment(0)

I struggled with this problem for a decent amount of time before understanding the basics and the root cause. Sharing the experience so it can help someone.

I was trying to ssh to a target server and getting an error like the one below:

$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching MAC found.
Their offer:
[email protected],[email protected],
[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

The root cause of this error is that the MACs supported on your source machine do not include the MACs offered by the target server.

To see this, run the following on the command line of your machine:

$ ssh -Q mac   # output would be something like
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
[email protected]
[email protected]

So now, in order to connect to the target server with their choice of MAC, which your server doesn't support, you have to explicitly provide one of the MACs supported by the target server. For example, we take hmac-sha2-512 from the error message and try to connect, and it connects:

$ ssh -m hmac-sha2-512 -A <someTargetServerNameOrIP>

Another variant of the problem is a mismatch in ciphers, which looks like the below:

$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

The root cause is a mismatch of ciphers.

Check your supported ciphers with:

$ ssh -Q cipher   # output would be something like
3des-cbc
aes256-cbc
[email protected]
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]

So now, in order to connect to the target server with their choice of cipher, which your server doesn't support, you have to explicitly provide one of the ciphers supported by the target server. For example, we take aes128-cbc from the error message and try to connect, and it connects:

$ ssh -c aes128-cbc -A <someTargetServerNameOrIP>

More details on this can be found at https://diego.assencio.com/?index=688f3a536f63c43566c94f0818d9ecf3

Hope this helps someone.

Haplo answered 18/10, 2019 at 20:13 Comment(2)
This worked for me. - Melancholy
It worked for me, and I was able to update my ~/.ssh/config file to include the clause MACs hmac-ripemd160 to allow accessing the system without the -m option. - Agamogenesis
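As an added example (not code from the answer above or its comments), the following POSIX shell script automates the comparison the answer does by hand: it pulls the server's list out of the "Their offer:" text, intersects it with the client's list, and writes a per-host ~/.ssh/config stanza so the chosen MAC is enabled for that one host instead of every connection. Two different client lists matter and the script keeps them apart: what the client's configuration makes it offer (the macs line of ssh -G host) and what the binary supports at all (ssh -Q mac). A name that is in the second list but not the first is exactly the situation in which passing -m succeeds even though the plain connection fails. The error text, addresses and algorithm lists below are constructed samples using real OpenSSH algorithm names, since the names in the answer are redacted; the parser also accepts the sshd log form with a trailing "[preauth]" that appears in a later answer.

```shell
#!/bin/sh
# Added example, not code from the answer above: given the "Their offer:" text
# and the client's own lists, find the MACs both sides can use and emit a
# per-host ~/.ssh/config stanza. Every list, address and message below is a
# constructed sample (real OpenSSH algorithm names; the answer's are redacted).

# Constructed client-side failure message from a server that only accepts
# SHA-2 based MACs.
SAMPLE_ERROR='Unable to negotiate with 203.0.113.10 port 1234: no matching MAC found.
Their offer: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

# Constructed: what an old client's configuration makes it OFFER (the "macs"
# line of `ssh -G host`). No overlap with the server, hence the failure.
SAMPLE_CLIENT_OFFERED='hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96'

# Constructed: what that same binary SUPPORTS (`ssh -Q mac`), a superset of
# the offered list; this is why "-m hmac-sha2-512" can still succeed.
SAMPLE_CLIENT_SUPPORTED='hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com'

# as_lines LIST -> one name per line, accepting comma- or newline-separated input
as_lines() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//; /^$/d'
}

# their_offer TEXT -> the server's list, one per line. Handles the list being
# wrapped onto the next line (as pasted in the answer) and sshd's log form,
# which appends " [preauth]". Fails if no "Their offer:" is present.
their_offer() {
    printf '%s\n' "$1" | grep -q 'Their offer:' || {
        printf 'no "Their offer:" text found\n' >&2
        return 1
    }
    list=$(printf '%s\n' "$1" | tr '\n' ' ' \
        | sed 's/.*Their offer: *//; s/ *\[preauth\].*//' | tr -d ' ')
    as_lines "$list"
}

# common SERVER_LIST CLIENT_LIST -> names in both, in the server's preference order
common() {
    client=$(as_lines "$2")
    as_lines "$1" | while IFS= read -r algo; do
        if printf '%s\n' "$client" | grep -Fqx -- "$algo"; then
            printf '%s\n' "$algo"
        fi
    done
}

# pick_mac TEXT CLIENT_LIST -> the server's most preferred MAC that the client
# can do (use with "ssh -m"), or nothing if there is no overlap at all
pick_mac() {
    common "$(their_offer "$1")" "$2" | head -n 1
}

# host_stanza HOST MAC -> ~/.ssh/config lines enabling MAC for that host only,
# so the wider client configuration stays unchanged
host_stanza() {
    printf 'Host %s\n    MACs %s\n' "$1" "$2"
}

# Demo on the constructed samples. For a live host replace the samples with
#   ssh -G host | awk '$1=="macs"{print $2}'   (offered)  and  ssh -Q mac  (supported)
offer=$(their_offer "$SAMPLE_ERROR")
printf 'offered by both sides: [%s]\n' "$(common "$offer" "$SAMPLE_CLIENT_OFFERED" | tr '\n' ' ')"
choice=$(pick_mac "$SAMPLE_ERROR" "$SAMPLE_CLIENT_SUPPORTED")
if [ -n "$choice" ]; then
    printf 'try: ssh -m %s user@203.0.113.10, or add to ~/.ssh/config:\n' "$choice"
    host_stanza 203.0.113.10 "$choice"
else
    printf 'no common MAC even among supported ones: change sshd or upgrade the client\n'
fi
```

With the samples above the offered lists have nothing in common, which reproduces the failure, while the supported list yields hmac-sha2-512, the same value the answer passes to -m. Writing that MAC into a Host block keeps the client's default algorithm set intact for every other server; newer OpenSSH clients also accept a '+' prefix on MACs to append to the default set rather than replace it, but check ssh_config(5) on the client in question before relying on it.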

You are getting this error because the client and the server could not agree on a hashing algorithm for the message authentication code.

More information here: https://blog.tinned-software.net/debug-ssh-connection-issue-in-key-exchange/

Lauro answered 24/7, 2018 at 14:47 Comment(2)
You might want to audit the settings of your ssh server with github.com/arthepsy/ssh-audit - Beethoven
@Beethoven That project was abandoned. Here is a maintained fork. - Ethelind

On a CentOS/RHEL 7 server, while trying to access the server via the TMA Pulse Secure tool, I was getting the error below in /var/log/secure:

[root@rhellinuxserver ~]# cat /var/log/secure | grep -iE "no matching"
Aug 24 07:02:07 rhellinuxserver sshd[29958]: Unable to negotiate with 172.21.112.111 port 16899: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected] [preauth]
Aug 24 07:15:24 rhellinuxserver sshd[30702]: Unable to negotiate with 172.21.112.111 port 33541: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected] [preauth]

To fix the issue, edit the sshd_config file as described below.

# cat -n /etc/ssh/sshd_config | grep -i MACs

Find the line:

MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected] 

Replace it with:

MACs hmac-sha1,hmac-sha1-96,hmac-md5,[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 

This will add the following extra MAC algorithms:

hmac-sha1,hmac-sha1-96,hmac-md5,hmac-ripemd160 

Restart the sshd service now:

systemctl restart sshd

Now I am able to access the server; the successful result can be found in the /var/log/secure log file:

cat /var/log/secure | grep -i Accepted
Aug 24 07:18:24 rhellinuxserver sshd[548]: Accepted password for username from 172.21.112.111 port 53776 ssh2

Important Note:

Do not use these two weak ciphers, aes256-cbc and aes128-cbc.

This may allow an attacker to recover the plaintext message from the ciphertext.

Disable CBC mode cipher encryption and enable CTR or GCM cipher mode encryption.

Below are the steps to disable the weak SSH ciphers aes256-cbc and aes128-cbc.

Step 1: Remove AES-128-CBC and AES-256-CBC in this file:

/etc/crypto-policies/state/CURRENT.pol 

Step 2: Remove aes256-cbc and aes128-cbc in this file:

/etc/crypto-policies/back-ends/opensshserver.config

Step 3: Restart/reload the sshd service:

$ sudo systemctl restart sshd
$ sudo systemctl status sshd

Step 4: Now you can make the ssh connection without the weak ciphers aes256-cbc and aes128-cbc:

$ sudo ssh -vvv user-name@IP-Address

For more information, refer to CVE-2008-5161.

Shekinah answered 24/8, 2020 at 8:8 Comment(0)
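Added example, not code from the answer above: rather than editing algorithm lists by hand and trusting the result, check the configuration that sshd actually applies. sshd -T prints the effective value of every option as "keyword value" lines with lowercase keywords, and the POSIX shell script below scans that output for the legacy MACs the answer re-enables (MD5, SHA-1, truncated 96-bit tags, RIPEMD-160) and for the CBC ciphers its note warns about, returning non-zero if any are present. The two SAMPLE_ strings are constructed stand-ins for sshd -T output so the script runs offline; on a real host feed it the output of sudo sshd -T, or of sshd -T -f with a candidate file before restarting the service.

```shell
#!/bin/sh
# Added example, not code from the answer above: audit the configuration sshd
# actually applies (the output of "sshd -T") for the legacy MACs the answer
# enables and for the CBC ciphers its note warns about. The SAMPLE_* strings
# are constructed stand-ins for "sshd -T" output so this runs offline.

# sshd -T prints one "keyword value" line per option with lowercase keywords.
# Constructed: the global MACs line after the edit in the answer, on a host
# that also still lists CBC ciphers.
SAMPLE_WEAK='port 22
ciphers aes128-cbc,aes256-cbc,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'

# Constructed: a hardened host (AEAD or CTR ciphers, SHA-2 based MACs only).
SAMPLE_OK='port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'

# option_value DUMP KEYWORD -> the option's comma-separated value, one entry per line
option_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }' | tr ',' '\n'
}

# join_lines -> stdin lines as one comma-separated string (empty if no input)
join_lines() {
    tr '\n' ',' | sed 's/,$//'
}

# weak_macs DUMP -> MACs built on MD5 or SHA-1, with truncated 96-bit tags,
# or on RIPEMD-160 (the set re-enabled in the answer), comma-separated
weak_macs() {
    option_value "$1" macs | grep -E 'md5|sha1|-96|ripemd' | join_lines
}

# cbc_ciphers DUMP -> CBC-mode ciphers (the CVE-2008-5161 case), comma-separated
cbc_ciphers() {
    option_value "$1" ciphers | grep -- '-cbc$' | join_lines
}

# audit DUMP -> prints findings; returns 0 when clean, 1 when anything weak is on
audit() {
    rc=0
    m=$(weak_macs "$1")
    c=$(cbc_ciphers "$1")
    if [ -n "$m" ]; then printf 'legacy MACs enabled: %s\n' "$m"; rc=1; fi
    if [ -n "$c" ]; then printf 'CBC ciphers enabled: %s\n' "$c"; rc=1; fi
    if [ "$rc" -eq 0 ]; then printf 'no legacy MACs or CBC ciphers\n'; fi
    return "$rc"
}

# Demo on the constructed samples. On a real host use one of:
#   audit "$(sudo sshd -T)"                              # running configuration
#   audit "$(sudo sshd -T -f /etc/ssh/sshd_config.new)"  # a candidate file, before restarting
printf '== as edited in the answer ==\n'
audit "$SAMPLE_WEAK" || true
printf '== hardened ==\n'
audit "$SAMPLE_OK" || true
```

Checking the effective configuration rather than the file matters here because a distribution policy layer (the crypto-policies files the answer edits on RHEL) or an Include directive can override what is written in sshd_config; sshd -T shows the merged result, and running it with -f against a candidate file catches a mistake before the service is restarted and remote access is lost. The same dump can be handed to a fuller tool such as the ssh-audit mentioned in the comments above.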

The latest PuTTY client solved the issue.

Regulate answered 25/3, 2020 at 15:12 Comment(1)
Which version? Was this issue mentioned in the release notes? - Leboeuf

© 2022 - 2024 — McMap. All rights reserved.