no matching mac found Error while doing the SSH

I'm getting this error on production servers.
Please help to resolve this error.

[auser@node01 ~]$ ssh auser@node01
no matching mac found: client hmac-sha2-512,hmac-sha2-256 server hmac-sha1
[auser@node01 ~]$ 
[auser@node01 ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.10 (Santiago)
[auser@node01~]$
[auser@node01 ~]$ ssh auser@node01 -vvv
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: mac_setup: found hmac-sha2-512
debug3: mac ok: hmac-sha2-512 [hmac-sha2-512,hmac-sha2-256]
debug2: mac_setup: found hmac-sha2-256
debug3: mac ok: hmac-sha2-256 [hmac-sha2-512,hmac-sha2-256]
debug3: macs ok: [hmac-sha2-512,hmac-sha2-256]
debug3: cipher ok: aes256-ctr [aes256-ctr,aes192-ctr,aes128-ctr]
debug3: cipher ok: aes192-ctr [aes256-ctr,aes192-ctr,aes128-ctr]
debug3: cipher ok: aes128-ctr [aes256-ctr,aes192-ctr,aes128-ctr]
debug3: ciphers ok: [aes256-ctr,aes192-ctr,aes128-ctr]
debug2: ssh_connect: needpriv 0
debug1: Connecting to node01 [XX.XX.XX.XX] port 22.
debug1: Connection established.
debug1: identity file /opt/apna/auser/.ssh/identity type -1
debug1: identity file /opt/apna/auser/.ssh/identity-cert type -1
debug1: identity file /opt/apna/auser/.ssh/id_rsa type -1
debug1: identity file /opt/apna/auser/.ssh/id_rsa-cert type -1
debug1: identity file /opt/apna/auser/.ssh/id_dsa type -1
debug1: identity file /opt/apna/auser/.ssh/id_dsa-cert type -1
debug1: identity file /opt/apna/auser/.ssh/id_ecdsa type -1
debug1: identity file /opt/apna/auser/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 504 bytes for a total of 525
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha2-512,hmac-sha2-256
debug2: kex_parse_kexinit: hmac-sha2-512,hmac-sha2-256
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
no matching mac found: client hmac-sha2-512,hmac-sha2-256 server hmac-sha1
[auser@node01 ~]$

Responses

It is telling you ssh can't agree a MAC (message authentication code) with the server you are connecting to. If you add -vvv to the ssh command it will tell you more about what is happening.

Thanks for your response. Please find below the output I got with -vvv. Any clue how to overcome this issue?

[auser@node01 ~]$ ssh auser@node01 -vvv
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: mac_setup: found hmac-sha2-512
debug3: mac ok: hmac-sha2-512 [hmac-sha2-512,hmac-sha2-256]
debug2: mac_setup: found hmac-sha2-256
debug3: mac ok: hmac-sha2-256 [hmac-sha2-512,hmac-sha2-256]
debug3: macs ok: [hmac-sha2-512,hmac-sha2-256]
debug3: cipher ok: aes256-ctr [aes256-ctr,aes192-ctr,aes128-ctr]
debug3: cipher ok: aes192-ctr [aes256-ctr,aes192-ctr,aes128-ctr]
debug3: cipher ok: aes128-ctr [aes256-ctr,aes192-ctr,aes128-ctr]
debug3: ciphers ok: [aes256-ctr,aes192-ctr,aes128-ctr]
debug2: ssh_connect: needpriv 0
debug1: Connecting to node01 [XX.XX.XX.XX] port 22.
debug1: Connection established.
debug1: identity file /opt/apna/auser/.ssh/identity type -1
debug1: identity file /opt/apna/auser/.ssh/identity-cert type -1
debug1: identity file /opt/apna/auser/.ssh/id_rsa type -1
debug1: identity file /opt/apna/auser/.ssh/id_rsa-cert type -1
debug1: identity file /opt/apna/auser/.ssh/id_dsa type -1
debug1: identity file /opt/apna/auser/.ssh/id_dsa-cert type -1
debug1: identity file /opt/apna/auser/.ssh/id_ecdsa type -1
debug1: identity file /opt/apna/auser/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 504 bytes for a total of 525
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha2-512,hmac-sha2-256
debug2: kex_parse_kexinit: hmac-sha2-512,hmac-sha2-256
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
no matching mac found: client hmac-sha2-512,hmac-sha2-256 server hmac-sha1
[auser@node01 ~]$

Does it work if you add -mhmac-sha1 to the ssh line? It looks like the system you are connecting to is configured only to use the insecure hmac-sha1 protocol for MAC (probably set in /etc/ssh/sshd_config) whereas your ssh client wants the more secure hmac-sha2-512 or hmac-sha2-256 protocols by default.

Yes, Michael is correct. This line tells you the mac key details being offered and available on both client and server side:

no matching mac found: client hmac-sha2-512,hmac-sha2-256 server hmac-sha1

Also, these lines tell us that both the systems involved in the ssh connectivity are running the same version of ssh:

debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3

You may try running the command "sshd -T|grep macs" on the system to which you are trying to connect, which would show what the configured macs are. Since you are unable to connect/ssh into that system, you may not be able to get this.
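
The negotiation failure discussed in this thread, as an added example that is not part of any post: a small parser for the `kex_parse_kexinit` lines of `ssh -vvv` output that applies the RFC 4253 rule for ciphers, MACs and compression (the first algorithm on the client's list that the server also lists). The function names and the shortened sample log are assumptions made for illustration.

```python
import re

# KEXINIT name-list order as printed by "ssh -vvv" (RFC 4253, section 7.1).
FIELDS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Constructed sample based on the thread's log (kex/host-key lists shortened).
SAMPLE_LOG = """\
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha2-512,hmac-sha2-256
debug2: kex_parse_kexinit: hmac-sha2-512,hmac-sha2-256
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
"""

def parse_proposals(log):
    """Return (client, server) proposals; ssh prints its own proposal first."""
    rows = re.findall(r"^debug2: kex_parse_kexinit:[ ]?(.*)$", log, re.M)
    lists = [r.split(",") if r else [] for r in rows
             if not r.startswith(("first_kex_follows", "reserved"))]
    if len(lists) != 2 * len(FIELDS):
        raise ValueError("expected two complete KEXINIT proposals")
    return dict(zip(FIELDS, lists[:10])), dict(zip(FIELDS, lists[10:]))

def negotiate(client, server):
    """Cipher/MAC/compression: first client choice the server also lists, else None."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS[2:8]}

if __name__ == "__main__":
    print(negotiate(*parse_proposals(SAMPLE_LOG)))
```

On the sample, the cipher and compression fields resolve while `mac_c2s` and `mac_s2c` come back as `None`, which is the condition the client reports as "no matching mac found".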