How to resolve 'no matching mac found error' when I try to ssh

openssh hmacsha1
Daniel vijay Sundar picture Daniel vijay Sundar · Jul 24, 2018 · Viewed 48.4k times · Source

The following is the error I am getting: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 server [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

Answer

Sanjay Bharwani picture Sanjay Bharwani · Oct 18, 2019

I have struggled to this problem for decent time before understanding the basics and root cause. Sharing the experience so it can help someone.

I was trying to ssh to a target server and getting error like below 

$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching MAC found.   
Their offer:   
[email protected],[email protected],
[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

The root cause of this error is on your source machine the supported MAC doesnt contain the MAC from target server.

to see this run in command line on your machine

$ ssh -Q mac   # output would be something like
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
[email protected]
[email protected]

So now in order to connect to target server with their choice of mac which your server doesn't support you have to explicitly provide one of the mac supported by target server. For e.g. we take hmac-sha2-512 from the error message and try to connect, and it will be connected

$ ssh -m hmac-sha2-512 -A <someTargetServerNameOrIP>

Another variant of the problem is the mismatch in cipher which looks like below

$ ssh -A <someTargetServerNameOrIP>       
Unable to negotiate with XX.XX.XX.XX port 1234: no matching cipher found.   
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

The root cause is mismatch of cipher

Check your supported cipher by

$ ssh -Q cipher   # output would be something like
3des-cbc
aes256-cbc
[email protected]
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]

So now in order to connect to target server with their choice of cipher which your server doesnt support you have to explicitly provide one of the cipher supported by target server. For e.g. we take hmac-sha2-512 from the error message and try to connect, and it will be connected

$ ssh -m aes128-cbc -A <someTargetServerNameOrIP>

More details on this can be found https://diego.assencio.com/?index=688f3a536f63c43566c94f0818d9ecf3

Hope this helps someone.

Related questions

Automatically enter SSH password with script

I need to create a script that automatically inputs a password to OpenSSH ssh client. Let's say I need to SSH into myname@somehost with the password a1234b. I've already tried... #~/bin/myssh.sh ssh myname@somehost a1234b ...…

Read More
Best way to use multiple SSH private keys on one client

I want to use multiple private keys to connect to different servers or different portions of the same server (my uses are system administration of server, administration of Git, and normal Git usage within the same server). I tried simply …

Read More
How do I remove the passphrase for the SSH key without having to create a new key?

I set a passphrase when creating a new SSH key on my laptop. But, as I realise now, this is quite painful when you are trying to commit (Git and SVN) to a remote location over SSH many times in …

Read More