  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.
  • Steps to reproduce

    ssh -vvv [email protected]

    sshd_config:

    #       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
    Include /etc/ssh/sshd_config.d/*.conf
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    PrintMotd no
    Banner /etc/ssh_login.warn
    AcceptEnv LANG LC_*
    # override default of no subsystems
    Subsystem       sftp    /usr/lib/openssh/sftp-server
    

    sshd_algorithms.conf

    MACs [email protected],[email protected],[email protected]
    kexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
    HostbasedAcceptedKeyTypes [email protected],[email protected],[email protected]
    HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected]
    PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,[email protected],[email protected],[email protected]
    

    ssh output:

    OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2
    debug3: Failed to open file:C:\\XXX/.ssh/config error:2
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
    debug2: resolve_canonicalize: hostname x.x.x.x is address
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> 'C:\\XXX/.ssh/known_hosts'
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> 'C:\\XXX/.ssh/known_hosts2'
    debug3: ssh_connect_direct: entering
    debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
    debug1: Connection established.
    debug1: identity file C:\\XXX/.ssh/id_rsa type 0
    debug3: Failed to open file:C:\\XXX/.ssh/id_rsa-cert error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_rsa-cert.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_rsa-cert error:2
    debug1: identity file C:\\XXX/.ssh/id_rsa-cert type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_ecdsa error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_ecdsa.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_ecdsa error:2
    debug1: identity file C:\\XXX/.ssh/id_ecdsa type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_ecdsa-cert error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_ecdsa-cert.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_ecdsa-cert error:2
    debug1: identity file C:\\XXX/.ssh/id_ecdsa-cert type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_ecdsa_sk error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_ecdsa_sk.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_ecdsa_sk error:2
    debug1: identity file C:\\XXX/.ssh/id_ecdsa_sk type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_ecdsa_sk-cert error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_ecdsa_sk-cert.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_ecdsa_sk-cert error:2
    debug1: identity file C:\\XXX/.ssh/id_ecdsa_sk-cert type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_ed25519 error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_ed25519.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_ed25519 error:2
    debug1: identity file C:\\XXX/.ssh/id_ed25519 type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_ed25519-cert error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_ed25519-cert.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_ed25519-cert error:2
    debug1: identity file C:\\XXX/.ssh/id_ed25519-cert type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_ed25519_sk error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_ed25519_sk.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_ed25519_sk error:2
    debug1: identity file C:\\XXX/.ssh/id_ed25519_sk type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_ed25519_sk-cert error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_ed25519_sk-cert.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_ed25519_sk-cert error:2
    debug1: identity file C:\\XXX/.ssh/id_ed25519_sk-cert type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_xmss error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_xmss.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_xmss error:2
    debug1: identity file C:\\XXX/.ssh/id_xmss type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_xmss-cert error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_xmss-cert.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_xmss-cert error:2
    debug1: identity file C:\\XXX/.ssh/id_xmss-cert type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_dsa error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_dsa.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_dsa error:2
    debug1: identity file C:\\XXX/.ssh/id_dsa type -1
    debug3: Failed to open file:C:\\XXX/.ssh/id_dsa-cert error:2
    debug3: Failed to open file:C:\\XXX/.ssh/id_dsa-cert.pub error:2
    debug3: failed to open file:C:\\XXX/.ssh/id_dsa-cert error:2
    debug1: identity file C:\\XXX/.ssh/id_dsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_for_Windows_9.2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5
    debug1: compat_banner: match: OpenSSH_8.4p1 Debian-5 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to x.x.x.x:22 as 'secur1ty'
    debug3: record_hostkey: found key type ECDSA in file C:\\XXX/.ssh/known_hosts:5
    debug3: load_hostkeys_file: loaded 1 keys from x.x.x.x
    debug3: Failed to open file:C:\\XXX/.ssh/known_hosts2 error:2
    debug1: load_hostkeys: fopen C:\\XXX/.ssh/known_hosts2: No such file or directory
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
    debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
    debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
    debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],ecdsa-sha2-nistp256
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
    debug2: host key algorithms: [email protected],ecdsa-sha2-nistp256,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected],zlib
    debug2: compression stoc: none,[email protected],zlib
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    debug2: host key algorithms: ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
    debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr
    debug2: MACs ctos: [email protected],[email protected],[email protected]
    debug2: MACs stoc: [email protected],[email protected],[email protected]
    debug2: compression ctos: none,[email protected]
    debug2: compression stoc: none,[email protected]
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
    debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug3: receive packet: type 31
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:JQXEGbJuKdCsTF0b0Jksdzb8ipQYBD5i5toaqGnvKII
    debug3: record_hostkey: found key type ECDSA in file C:\\XXX/.ssh/known_hosts:5
    debug3: load_hostkeys_file: loaded 1 keys from x.x.x.x
    debug3: Failed to open file:C:\\XXX/.ssh/known_hosts2 error:2
    debug1: load_hostkeys: fopen C:\\XXX/.ssh/known_hosts2: No such file or directory
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
    debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
    debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
    debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
    debug1: Found key in C:\\XXX/.ssh/known_hosts:5
    debug3: send packet: type 21
    debug2: ssh_set_newkeys: mode 1
    debug1: rekey out after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug1: SSH2_MSG_NEWKEYS received
    debug2: ssh_set_newkeys: mode 0
    debug1: rekey in after 4294967296 blocks
    debug3: ssh_get_authentication_socket_path: path '\\\\.\\pipe\\openssh-ssh-agent'
    debug2: get_agent_identities: ssh_agent_bind_hostkey: invalid format
    debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
    debug1: Will attempt key: C:\\XXX/.ssh/id_rsa RSA SHA256:4HFB+dv5MV9gamIRyXzVFpiGnxyG9buP72FRX/CfGzA
    debug1: Will attempt key: C:\\XXX/.ssh/id_ecdsa
    debug1: Will attempt key: C:\\XXX/.ssh/id_ecdsa_sk
    debug1: Will attempt key: C:\\XXX/.ssh/id_ed25519
    debug1: Will attempt key: C:\\XXX/.ssh/id_ed25519_sk
    debug1: Will attempt key: C:\\XXX/.ssh/id_xmss
    debug1: Will attempt key: C:\\XXX/.ssh/id_dsa
    debug2: pubkey_prepare: done
    debug3: send packet: type 5
    Corrupted MAC on input.
    ssh_dispatch_run_fatal: Connection to x.x.x.x port 22: message authentication code incorrect

    Expected behavior

    ssh login success

    Actual behavior

    Corrupted MAC on input.
    ssh_dispatch_run_fatal: Connection to x.x.x.x port 22: message authentication code incorrect

    Error details

    No response

    Environment data

    Name                           Value
    ----                           -----
    PSVersion                      5.1.19041.2673
    PSEdition                      Desktop
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.19041.2673
    CLRVersion                     4.0.30319.42000
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1

    Version

    OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2

    Visuals

    No response

    Client and server had negotiated the MAC algorithm, so the way you say it is not feasible @tgauth

    debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
    debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none

    Could you still try the -m option explicitly? The error message is the same as in the link above, and that was the solution.

    [email protected],[email protected] are also listed in sshd_algorithms.conf, could you remove [email protected] and see if one of the other MACs works?

    Also, have you tried updating the server from OpenSSH 8.4 to a more current version?
    Or have you seen this issue with any other SSH clients aside from Windows OpenSSH 9.2?

    @tgauth It works when using ssh -m [email protected] [email protected], thanks a lot.

    By the way, why does the algo [email protected] not work? A different implementation between OpenSSH 8.4 and OpenSSH_for_Windows_9.2p1?

    I have installed the latest version OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2 and the issue is still there when the MACs below are used.

    [email protected]
    [email protected]

    As a workaround, I have added the below to my %USERPROFILE%/.ssh/config file

    Host *
    MACs=hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]

    or use the below command line option when invoking ssh

    ssh -oMACs=hmac-sha2-256,hmac-sha2-512,[email protected],[email protected] [email protected]

    This has resolved the issue. The same works fine from PuTTY, Mac, Red Hat Linux 8 and 7 without any issues, so the issue seems to be with the Windows OpenSSH client. Hopefully it gets fixed eventually so no workaround is needed.

    I have experienced the same issue as @ket000 .

    Corrupted MAC on input.
    ssh_dispatch_run_fatal: Connection to XXX.XXX.XXX.XXX port 22: message authentication code incorrect

    Version:
    OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3

    Workaround:
    ssh -m hmac-sha2-512 user@host

    Reporting the same issue.
    Corrupted MAC on input.
    ssh_dispatch_run_fatal: Connection to * port 22: message authentication code incorrect

    ssh -V on client:
    OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
    server:
    OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021

    @ket000 solution worked for me

    Having the same issue here on Oracle Linux 8 with openssh-server-8.0p1-19.el8_9.2.x86_64 (latest package available)

    "Corrupted MAC on input" with PuTTY but fine with the ssh from Windows cmd

    logs:
    Corrupted MAC on input. [preauth]
    ssh_dispatch_run_fatal: Connection from 1.2.3.4 port 12345: message authentication code incorrect [preauth]

    I downgraded openssh-server to openssh-server-8.0p1-19.el8_8.x86_64 (dnf downgrade openssh-server)

    then it works

    This is a known issue since Red Hat updated the openssh-server to a newer version to resolve the Terrapin vulnerability. The same is true for Oracle Linux 8. Oracle has pulled the offending version from their repo today, Feb 5th 2024.

    To resolve the issue,
    sudo dnf downgrade openssh-server
    sudo dnf clean all

    The last command will make sure the package cache is clean and the offending version is no longer installed. Reference links:

    oracle/oracle-linux#125
    https://access.redhat.com/security/cve/cve-2023-48795?cmdf=CVE-2023-48795+redhat

    Version that causes the issue: openssh-server-8.0p1-19.el8_9.2.x86_64, which makes the ciphers below not work, including with PuTTY 0.80 and other Ubuntu servers

    [email protected]
    aes128-ctr
    aes192-ctr
    aes256-ctr

    When you downgrade, all 3 packages will be updated to the lower version: 8.0p1-19.el8_9.2
    openssh
    openssh-clients
    openssh-server

    The error is still there.
    No newer version than v9.5.0.0p1-Beta (LibreSSL 3.8.2)

    And Windows Server 2022 is affected "Feature OpenSSH" (OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2)

    We need a bugfixed version.
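
The MAC negotiation discussed in this thread, as an added example (not code from the issue or from the OpenSSH project): it parses the KEXINIT proposals in `ssh -vvv` output, applies the RFC 4253 rule that the first client-listed algorithm the server also offers is chosen, and lists the mutually supported MACs left to try with `-m`. The log sample is constructed and uses real OpenSSH MAC names; it does not restore the redacted `[email protected]` values above, and the function names are hypothetical.

```python
import re

# Constructed sample of `ssh -vvv` output (not the redacted log from the thread).
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: peer server KEXINIT proposal
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
Corrupted MAC on input.
"""

def parse_proposals(log):
    """Return {'client': {...}, 'server': {...}}, each mapping field -> algorithm list."""
    props, side = {"client": {}, "server": {}}, None
    for line in log.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        else:
            m = re.match(r"debug2: (ciphers|MACs) (ctos|stoc): (\S*)", line.strip())
            if m and side:
                props[side][f"{m[1]} {m[2]}"] = [a for a in m[3].split(",") if a]
    return props

def negotiate(client, server):
    """RFC 4253 section 7.1: first client-listed algorithm the server also lists."""
    return next((a for a in client if a in server), None)

def diagnose(log):
    """Compare predicted and logged server->client MAC; list other usable MACs."""
    p = parse_proposals(log)
    c, s = p["client"].get("MACs stoc", []), p["server"].get("MACs stoc", [])
    m = re.search(r"server->client cipher: (\S+) MAC: (\S+)", log)
    common = [a for a in c if a in s]
    return {
        "predicted_mac": negotiate(c, s),
        "logged_mac": m[2] if m else None,
        "failed": "Corrupted MAC on input" in log,
        # Candidates for `ssh -m`: mutually supported MACs other than the logged one.
        "alternatives": [a for a in common if not m or a != m[2]],
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

An empty `alternatives` list means no other MAC is accepted by both ends, so the change has to be made in the server's `MACs` line rather than on the client command line.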