Question
The following is the error I am getting: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Answer 1:
You are getting this error because the client and the server could not agree upon a hashing algorithm for the message authentication code.
More information here: https://blog.tinned-software.net/debug-ssh-connection-issue-in-key-exchange/
Answer 2:
I struggled with this problem for a decent amount of time before understanding the basics and the root cause. Sharing the experience so it can help someone.
I was trying to ssh to a target server and getting an error like the one below:
$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching MAC found.
Their offer:
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
The root cause of this error is that the MACs supported on your source machine don't contain the MACs from the target server.
To see this, run the following on the command line on your machine:
$ ssh -Q mac # output would be something like
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
So now, in order to connect to the target server with their choice of MAC, which your server doesn't support, you have to explicitly provide one of the MACs supported by the target server. For example, we take hmac-sha2-512 from the error message and try to connect, and it will be connected:
$ ssh -m hmac-sha2-512 -A <someTargetServerNameOrIP>
Another variant of the problem is a mismatch in cipher, which looks like the one below:
$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The root cause is a mismatch of cipher.
Check your supported ciphers with:
$ ssh -Q cipher # output would be something like
3des-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
So now, in order to connect to the target server with their choice of cipher, which your server doesn't support, you have to explicitly provide one of the ciphers supported by the target server. For example, we take hmac-sha2-512 from the error message and try to connect, and it will be connected:
$ ssh -c aes128-cbc -A <someTargetServerNameOrIP>
More details on this can be found at https://diego.assencio.com/?index=688f3a536f63c43566c94f0818d9ecf3
Hope this helps someone.
Answer 3:
On a CentOS/RHEL 7 server, while trying to access the server via the TMA Pulse Secure tool, I was getting the error below in /var/log/secure:
[root@rhellinuxserver ~]# cat /var/log/secure| grep -iE "no matching"
Aug 24 07:02:07 rhellinuxserver sshd[29958]: Unable to negotiate with 172.21.112.111 port 16899: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com [preauth]
Aug 24 07:15:24 rhellinuxserver sshd[30702]: Unable to negotiate with 172.21.112.111 port 33541: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com [preauth]
To fix the issue, edit the sshd_config file as mentioned below:
# cat -n /etc/ssh/sshd_config | grep -i MAcs
Find the line
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Replace it with
MACs hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
This will add the following extra MAC algorithms:
hmac-sha1,hmac-sha1-96,hmac-md5,hmac-ripemd160
Restart the sshd service now:
systemctl restart sshd
I am now able to access the server; the success result can be found in the /var/log/secure log file.
cat /var/log/secure| grep -i Accepted
Aug 24 07:18:24 rhellinuxserver sshd[548]: Accepted password for username from 172.21.112.111 port 53776 ssh2
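An added example, not part of any answer above: before widening the MACs line, this sketch pulls each failing peer's offer out of sshd log lines in the format quoted above, applies the SSH selection rule (first name on the client's list that the server also lists), and separates the offered names that fall in a legacy set. The sample log lines, the 192.0.2.x addresses and the choice of what counts as legacy are assumptions of this example.

```python
import re

# Constructed sample lines in the sshd log format quoted in the answer above.
SAMPLE_LOG = """\
Aug 24 07:02:07 host sshd[29958]: Unable to negotiate with 192.0.2.10 port 16899: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96 [preauth]
Aug 24 07:03:11 host sshd[30011]: Unable to negotiate with 192.0.2.44 port 40122: no matching cipher found. Their offer: aes128-cbc,3des-cbc [preauth]
Aug 24 07:04:00 host sshd[30020]: Accepted password for username from 192.0.2.10 port 53776 ssh2
"""

# Server-side MACs list from the page (the sshd_config line before the change).
SERVER_MACS = ("hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
               "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com")

# Assumption of this example: MD5, RIPEMD-160 and truncated (-96) MACs count as legacy.
LEGACY = re.compile(r"md5|ripemd160|-96")

FAIL = re.compile(r"Unable to negotiate with (\S+) port (\d+): "
                  r"no matching (MAC|cipher) found\. Their offer: (\S+)")

def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: first name on the client's list that the server also lists."""
    server = set(server_list.split(","))
    for name in client_list.split(","):
        if name in server:
            return name
    return None

def failed_negotiations(log_text):
    """Yield (peer, kind, offer) for each failed algorithm negotiation in the log."""
    for m in FAIL.finditer(log_text):
        yield m.group(1), m.group(3), m.group(4).split(",")

def report(log_text, server_macs=SERVER_MACS):
    """Per failing MAC peer: what it offered, split into legacy and other names."""
    rows = []
    for peer, kind, offer in failed_negotiations(log_text):
        if kind != "MAC":
            continue
        rows.append({
            "peer": peer,
            "agreed": negotiate(",".join(offer), server_macs),
            "legacy_only": all(LEGACY.search(a) for a in offer),
            "non_legacy": [a for a in offer if not LEGACY.search(a)],
        })
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

The `non_legacy` field shows the smallest set of names that would let that peer connect under this example's policy, which can be compared against what is actually being added to the MACs line.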
Answer 4:
The latest PuTTY client solved the issue.
Source: https://stackoverflow.com/questions/51501496/how-to-resolve-no-matching-mac-found-error-when-i-try-to-ssh