Corrupted MAC on input #2078
Comments
Based on https://serverfault.com/questions/994646/ssh-on-windows-corrupted-mac-on-input, run:
The client and server had negotiated the MAC algorithm, so the way you say it is not feasible @tgauth
Could you still try the -m option explicitly? The error message is the same as in the link above, and that was the solution. hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com are also listed in Also, have you tried updating the server from OpenSSH 8.4 to a more current version?
@tgauth It works when I use By the way, why does the algo umac-128-etm@openssh.com not work? Different implementation between
Great! It seems like this might be related to the crypto libraries used with each OpenSSH and their implementations of umac-128-etm@openssh.com - see #1359. Do you know if the server has FIPS enabled?
I have installed the latest version OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2 and the issue is still there when the below MACs are used. umac-128-etm@openssh.com To work around it, I have added the below to my %USERPROFILE%/.ssh/config file Host * or use the below command line option when invoking ssh: ssh -oMACs=hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com username@server.com This has resolved the issue. The same works fine from PuTTY, Mac, Red Hat Linux 8 and 7 without any issues, so the issue seems to be with the Windows OpenSSH client. Hopefully it gets fixed eventually so no workaround is needed.
We believe that the issue is coming from LibreSSL, specifically: libressl/portable#603. We will see if we can get any traction on the thread.
Thanks for the update. Hopefully the LibreSSL version for Windows can be fixed. I noticed this issue when I disabled the chacha20-poly1305@openssh.com encryption algorithm on a Linux 8.9 server and Windows / Linux decided to use umac-128-etm@openssh.com to mitigate the Terrapin attack.
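Why disabling chacha20-poly1305@openssh.com brings the MAC into play, and why the -oMACs workaround sidesteps it, shown as an added example that is not part of the thread. It models OpenSSH's negotiation (first client preference the server also lists; no MAC chosen for AEAD ciphers); the cipher and MAC lists and the names `negotiate` and `effective` are constructed for illustration.

```python
# Added example: SSH algorithm negotiation as OpenSSH applies it.
# All algorithm lists are constructed sample inputs, not values from the issue,
# except WORKAROUND_MACS, which is the -oMACs list quoted in the thread.

AEAD_CIPHERS = {"chacha20-poly1305@openssh.com",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}
AFFECTED_MACS = {"umac-128-etm@openssh.com"}  # MAC reported as failing in this thread

WORKAROUND_MACS = ["hmac-sha2-256", "hmac-sha2-512",
                   "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"]

def negotiate(client_prefs, server_prefs):
    """RFC 4253 section 7.1: first name on the client's list the server also lists."""
    server = set(server_prefs)
    for alg in client_prefs:
        if alg in server:
            return alg
    raise ValueError("no common algorithm")

def effective(client, server):
    """Return (cipher, mac, affected). AEAD ciphers carry their own
    integrity tag, so no separate MAC is negotiated for them."""
    cipher = negotiate(client["ciphers"], server["ciphers"])
    if cipher in AEAD_CIPHERS:
        return cipher, "<implicit>", False
    mac = negotiate(client["macs"], server["macs"])
    return cipher, mac, mac in AFFECTED_MACS

# Constructed client and server configurations.
CLIENT_DEFAULT = {
    "ciphers": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"],
    "macs": ["umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "hmac-sha2-512-etm@openssh.com"],
}
CLIENT_WORKAROUND = dict(CLIENT_DEFAULT, macs=WORKAROUND_MACS)
SERVER_WITH_CHACHA = {
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
    "macs": ["hmac-sha2-256-etm@openssh.com", "umac-128-etm@openssh.com"],
}
# Same server after chacha20-poly1305 is disabled as a Terrapin mitigation.
SERVER_NO_CHACHA = dict(SERVER_WITH_CHACHA, ciphers=["aes256-ctr"])

if __name__ == "__main__":
    for name, c, s in [("default client, chacha on", CLIENT_DEFAULT, SERVER_WITH_CHACHA),
                       ("default client, chacha off", CLIENT_DEFAULT, SERVER_NO_CHACHA),
                       ("workaround client, chacha off", CLIENT_WORKAROUND, SERVER_NO_CHACHA)]:
        print(name, "->", effective(c, s))
```

On a live connection the negotiated pair can be compared against this model in the `debug1: kex:` lines of `ssh -v` output.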
I have experienced the same issue as @ket000. Corrupted MAC on input. Version: Workaround:
Reporting the same issue. ssh -V on client: @ket000's solution worked for me
It seems to be confirmed now that the MAC algorithms |
Having the same issue here on Oracle Linux 8 with openssh-server-8.0p1-19.el8_9.2.x86_64 (latest package available) "Corrupted MAC on input" with PuTTY but fine with the ssh from Windows cmd logs: I downgraded openssh-server to openssh-server-8.0p1-19.el8_8.x86_64 (dnf downgrade openssh-server) then it works
This is a known issue since Red Hat updated the openssh-server to a newer version to resolve the Terrapin vulnerability. The same is true for Oracle Linux 8. Oracle has pulled the offending version from their repo today Feb 5th 2024. To resolve the issue, Last command will make sure the package cache is clean and no longer installs the offending version. Reference links oracle/oracle-linux#125 Version that causes the issue: openssh-server-8.0p1-19.el8_9.2.x86_64 which makes the below cipher not work, including PuTTY 0.80 and other Ubuntu servers chacha20-poly1305@openssh.com When you downgrade, all 3 packages will be updated to the lower version: 8.0p1-19.el8_9.2
Error is still there. And Windows Server 2022 is affected "Feature OpenSSH" (OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2) We need a bugfixed version.
Prerequisites
Steps to reproduce
sshd_config:
sshd_algorithms.conf
ssh output:
Expected behavior
ssh login success
Actual behavior
Error details
No response
Environment data
Version
OpenSSH_for_Windows_9.2p1, LibreSSL 3.7.2
Visuals
No response