HostOnNet Blog

CentOS 7 no matching mac found

On a new CentOS 7/CloudLinux server, I had to get CloudLinux license support, but for some reason CloudLinux support couldn't log in to my server. It worked fine on Ubuntu 16.04. CloudLinux support sent the following log and asked me to check.

[17:41]divanov@sshbox:~$ ssh -v root@SERVER-IP-HERE
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/clsupport/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 SERVER-IP-HERE
debug1: permanently_drop_suid: 500
debug1: identity file /home/clsupport/.ssh/identity type -1
debug1: identity file /home/clsupport/.ssh/identity-cert type -1
debug1: identity file /home/clsupport/.ssh/id_rsa type 1
debug1: identity file /home/clsupport/.ssh/id_rsa-cert type -1
debug1: identity file /home/clsupport/.ssh/id_dsa type 2
debug1: identity file /home/clsupport/.ssh/id_dsa-cert type -1
debug1: identity file /home/clsupport/.ssh/id_ecdsa type -1
debug1: identity file /home/clsupport/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
no matching mac found: client hmac-sha1,umac-64@openssh.com,hmac-ripemd160 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

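This is because the CentOS 7 SSH server has removed some MACs for better security. The last line of the log shows the mismatch: the client (OpenSSH 5.3) offers only hmac-sha1, umac-64@openssh.com and hmac-ripemd160, and none of these is on the server's list. Enabling them again is fine for most.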

This is fixed by editing the SSH server configuration file:

vi /etc/ssh/sshd_config

Find the line

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

Replace it with

MACs hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

This will add the following extra MACs:

hmac-sha1,hmac-sha1-96,hmac-md5,hmac-ripemd160

Now restart SSHD with

service sshd restart
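
The negotiation failure above, worked through as an added example (not part of the original post): the script takes the error line and the two MACs lines from this page, applies the SSH rule that the first MAC on the client's list that the server also supports is chosen, and lists which of the added MACs this client never offered. The function names are my own.

```shell
#!/bin/sh
# Inputs copied from the page: the client's error line and the server's
# MACs line before and after the edit.
ERR='no matching mac found: client hmac-sha1,umac-64@openssh.com,hmac-ripemd160 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
OLD_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
NEW_MACS='hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'

# Print the client's MAC list from a "no matching mac found" line.
client_macs() {
    printf '%s\n' "$1" | sed -n 's/^no matching mac found: client \([^ ]*\) server .*$/\1/p'
}

# Succeed if MAC $1 is a member of the comma-separated list $2.
# Commas on both sides keep hmac-sha1 from matching hmac-sha1-96.
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# SSH picks the first MAC on the client's list that the server also
# supports (RFC 4253, section 7.1). Print it, or fail if there is none.
negotiate() {
    for mac in $(printf '%s' "$1" | tr ',' ' '); do
        if in_list "$mac" "$2"; then printf '%s\n' "$mac"; return 0; fi
    done
    return 1
}

# Print the MACs present in list $2 but not in list $1, comma-separated.
added_macs() {
    out=''
    for mac in $(printf '%s' "$2" | tr ',' ' '); do
        in_list "$mac" "$1" || out="${out:+$out,}$mac"
    done
    printf '%s\n' "$out"
}

# Print the MACs from list $1 that the client (list $2) never offered.
not_offered() { added_macs "$2" "$1"; }

CLIENT=$(client_macs "$ERR")
echo "before edit: $(negotiate "$CLIENT" "$OLD_MACS" || echo 'no common MAC')"
echo "after edit:  $(negotiate "$CLIENT" "$NEW_MACS")"
echo "added but not offered by this client: $(not_offered "$(added_macs "$OLD_MACS" "$NEW_MACS")" "$CLIENT")"
```

On the server itself, sshd -t checks the edited sshd_config for errors before the restart, and sshd -T prints the effective settings, including the macs line sshd will use.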
