How to resolve 'no matching mac found error' when I try to ssh

Daniel vijay Sundar picture Daniel vijay Sundar · Jul 24, 2018 · Viewed 48.4k times · Source

The following is the error I am getting: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 server [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

Answer

Sanjay Bharwani picture Sanjay Bharwani · Oct 18, 2019

I have struggled to this problem for decent time before understanding the basics and root cause. Sharing the experience so it can help someone.

I was trying to ssh to a target server and getting error like below

$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching MAC found.   
Their offer:   
[email protected],[email protected],
[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

The root cause of this error is on your source machine the supported MAC doesnt contain the MAC from target server.

to see this run in command line on your machine

$ ssh -Q mac   # output would be something like
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
[email protected]
[email protected]

So now in order to connect to target server with their choice of mac which your server doesn't support you have to explicitly provide one of the mac supported by target server. For e.g. we take hmac-sha2-512 from the error message and try to connect, and it will be connected

$ ssh -m hmac-sha2-512 -A <someTargetServerNameOrIP>

Another variant of the problem is the mismatch in cipher which looks like below

$ ssh -A <someTargetServerNameOrIP>       
Unable to negotiate with XX.XX.XX.XX port 1234: no matching cipher found.   
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

The root cause is mismatch of cipher

Check your supported cipher by

$ ssh -Q cipher   # output would be something like
3des-cbc
aes256-cbc
[email protected]
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]

So now in order to connect to target server with their choice of cipher which your server doesnt support you have to explicitly provide one of the cipher supported by target server. For e.g. we take hmac-sha2-512 from the error message and try to connect, and it will be connected

$ ssh -m aes128-cbc -A <someTargetServerNameOrIP>

More details on this can be found https://diego.assencio.com/?index=688f3a536f63c43566c94f0818d9ecf3

Hope this helps someone.