Menu
The following is the error I am getting: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 server [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
336
I have struggled to this problem for decent time before understanding the basics and root cause. Sharing the experience so it can help someone.
I was trying to ssh to a target server and getting error like below
$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching MAC found.
Their offer:
[email protected],[email protected],
[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
The root cause of this error is on your source machine the supported MAC doesnt contain the MAC from target server.
to see this run in command line on your machine
$ ssh -Q mac # output would be something like
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
[email protected]
[email protected]
So now in order to connect to target server with their choice of mac which your server doesn't support you have to explicitly provide one of the mac supported by target server. For e.g. we take hmac-sha2-512 from the error message and try to connect, and it will be connected
$ ssh -m hmac-sha2-512 -A <someTargetServerNameOrIP>
Another variant of the problem is the mismatch in cipher which looks like below
$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The root cause is mismatch of cipher
Check your supported cipher by
$ ssh -Q cipher # output would be something like
3des-cbc
aes256-cbc
[email protected]
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]
So now in order to connect to target server with their choice of cipher which your server doesnt support you have to explicitly provide one of the cipher supported by target server. For e.g. we take aes128-cbc from the error message and try to connect, and it will be connected
$ ssh -c aes128-cbc -A <someTargetServerNameOrIP>
More details on this can be found https://diego.assencio.com/?index=688f3a536f63c43566c94f0818d9ecf3
Hope this helps someone.
182
in centOS/RHEL 7 server while trying to access the server via TMA pulse secure tool and getting the below error on /var/log/secure
[root@rhellinuxserver ~]# cat /var/log/secure| grep -iE "no matching" Aug 24 07:02:07 rhellinuxserver sshd[29958]: Unable to negotiate with 172.21.112.111 port 16899: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected] [preauth] Aug 24 07:15:24 rhellinuxserver sshd[30702]: Unable to negotiate with 172.21.112.111 port 33541: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,[email protected] [preauth]
To fix the issue edit the sshd_config file as mentioned below
# cat -n /etc/ssh/sshd_config | grep -i MAcs
Find the line
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]
Replace it with
MACs hmac-sha1,hmac-sha1-96,hmac-md5,[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
This will add following extra MACs algorithms.
hmac-sha1,hmac-sha1-96,hmac-md5,hmac-ripemd160
restart the SSHD service now
systemctl restart sshd
now able to access the server find the success result in /var/log/secure log file.
cat /var/log/secure| grep -i Accepted Aug 24 07:18:24 rhellinuxserver sshd[548]: Accepted password for username from 172.21.112.111 port 53776 ssh2
30
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
