65

I've installed OpenSSH on Windows.

I can successfully connect to my remote server via ssh with PuTTY from this Windows machine.

But when opening a PowerShell, and trying

ssh [email protected] 

I've got the error:

debug3: send packet: type 5
Corrupted MAC on input.
ssh_dispatch_run_fatal: Connection to 1.2.3.4 port 22: message authentication code incorrect

When looking on my remote server in the secure logs, I've got:

Dec 7 03:20:22 allo-01 sshd[10102]: Connection from 4.3.2.1 port 49869 on 1.2.3.4 port 22
Dec 7 03:20:23 allo-01 sshd[10102]: Connection reset by 4.3.2.1 port 49869 [preauth]

Do you know what's wrong? Why does my ssh command from openssl on Windows behave differently from PuTTY?

3
  • Include the pem file to auth with? Commented Dec 10, 2019 at 22:52
  • 1
    The Windows OpenSSL is based on LibreSSL vs. hosts are probably running openssh based on openssl - hence the slight algo mismatch. Pity it fails to negotiate as it should. Commented Jul 10, 2020 at 7:23
  • Refer to an open issue: github.com/PowerShell/Win32-OpenSSH/issues/2078. This issue can be solved with Jake's suggestion. 1. Use ssh -Q mac to list all the available algorithms. 2. Find the algorithm your system uses (suppose it is the key file under C:\Users\<your login>\.ssh used by OpenSSH on your Windows OS), or add all the possible algorithms that may be used from the output of ssh -Q mac to the ssh command's -m option, e.g.: ssh -m hmac-sha2-256,hmac-sha2-512,[email protected],[email protected] user_id@target_server Commented May 1, 2024 at 2:40

3 Answers

86

Raoul's answer to his own question is correct. I ran into the same issue and adding the correct algorithm name after the -m option works (in my case the option was -m hmac-sha2-512 to connect from PowerShell to a machine running Ubuntu 18.04).

I wasn't sure which algorithm to use, but you can list all the available ones by running:

ssh -Q mac 

I selected one at random, tried it, and the remote server returned saying that algorithm wasn't supported, but it handily told me which ones were so that I could amend my command. Using this command I could then ssh into the remote machine:

ssh -m hmac-sha2-512 <user_name>@<remote_address> 

If you need to use scp too, the parameter is different:

scp -o MACs=hmac-sha2-512 <and the rest of your scp command> 

You can add this to your ~/.ssh/config also:

Host name
    Hostname <fqdn>
    IdentityFile ~/.ssh/<key-file>
    User <username>
    MACs hmac-sha2-512
4
  • 1
    I'm wondering why this is needed when connecting to a CentOS 7 host but it isn't needed on an Ubuntu 20.04 - both with same MACs configuration in sshd_config. Commented Aug 4, 2020 at 12:01
  • As @jake mentioned, ssh [email protected] -m hmac-sha2-512 This works Commented Feb 23, 2023 at 5:26
  • 1
    If you try to connect to the remote host using the ssh verbose (-v) param it will report back several options, e.g. "Their offer: [email protected],[email protected],[email protected]". I went through this sub-list until one worked; it saves a bit of time going through the full list. Commented Dec 20, 2023 at 22:41
  • Even I faced this same issue. Is there anything wrong with my SSH client? Commented Jan 24, 2024 at 16:32
12

I tried many solutions that were available, but the below one worked.

Add "MACs hmac-sha2-512" to the SSH config file

2
  • It's more convenient this way. It's possible to propose multiple MACs. In my case MACs hmac-sha2-512,[email protected] worked fine Commented Apr 5, 2024 at 11:28
  • And the SSH config file is .ssh/config in your home directory. You need to create it if not already present. Commented Jan 14 at 18:20
9

Well,

Corrupted MAC on input. 

made me think that something was wrong with my Ethernet card.

Indeed, in ssh world, MAC means "message authentication code".

So, I resolved my issue by adding to my ssh command the -m option with an algorithm acceptable to the remote.
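
The procedure the answers and comments describe (list the client's MACs with ssh -Q mac, read the server's "Their offer:" list, pick one both sides support), as an added PowerShell example that is not part of the original posts. The client list and server message are constructed samples, Get-CommonSshMac is a hypothetical helper name, and skipping MD5, SHA-1 and truncated MACs while preferring -etm variants is this example's own policy rather than something the thread prescribes.

```powershell
# Added example, not from the original posts. Get-CommonSshMac is a hypothetical helper.
function Get-CommonSshMac {
    param(
        [string[]]$ClientMacs,   # one MAC name per element, as printed by: ssh -Q mac
        [string]$ServerMessage   # ssh error text containing "Their offer: ..."
    )
    if ($ServerMessage -match 'Their offer:\s*(\S+)') {
        $serverMacs = $Matches[1].Split(',')
    } else {
        throw 'No "Their offer:" list found in the server message.'
    }

    # Keep the client's order and drop anything the server did not offer.
    $common = @($ClientMacs | Where-Object { $serverMacs -contains $_ })

    # Assumption (this example's policy): skip MD5, SHA-1, RIPEMD and 96-bit truncated MACs.
    $strong = @($common | Where-Object { $_ -notmatch 'md5|sha1|ripemd|-96' })
    if ($strong.Count -eq 0) {
        throw "No acceptable common MAC. Legacy MACs in common: $($common -join ',')"
    }

    # Assumption: list encrypt-then-MAC (-etm) variants first, then the rest.
    $etm   = @($strong | Where-Object { $_ -like '*-etm@*' })
    $plain = @($strong | Where-Object { $_ -notlike '*-etm@*' })
    return @($etm + $plain)
}

# Constructed sample data. On a real machine use: $clientMacs = ssh -Q mac
$clientMacs = @(
    'hmac-sha1', 'hmac-sha1-96', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-md5',
    'umac-64@openssh.com', 'umac-128@openssh.com',
    'hmac-sha2-256-etm@openssh.com', 'hmac-sha2-512-etm@openssh.com'
)
# Constructed failure message in the format ssh prints when no MAC matches.
$serverMessage = 'Unable to negotiate with 1.2.3.4 port 22: no matching MAC found. ' +
    'Their offer: hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha1'

$macs = @(Get-CommonSshMac -ClientMacs $clientMacs -ServerMessage $serverMessage)

# Command-line form and the matching line for the Host block in ~/.ssh/config.
"ssh -m $($macs -join ',') <user_name>@<remote_address>"
"MACs $($macs -join ',')"
```

ssh writes the "Their offer:" message to stderr, so capture it with 2>&1 if you feed the function from a live command instead of pasted text.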
