SSH connection fails in Bitvise after setup: no match for method mac algo

[alty-ir]

After running dnstm-setup with SSH tunnel user configuration, some SSH clients (notably Bitvise and some older clients) fail to connect with this negotiation error:

kex error: no match for method mac algo client->server

Observed cause:

• dnstm-setup runs sshtun-user configure during SSH setup.
• sshtun-user hardening may set MACs to ETM-only: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
• Some clients offer: hmac-sha2-256,hmac-sha2-512,hmac-sha1
• No intersection causes handshake failure.

Expected:

• Keep strong defaults but allow practical compatibility with common clients.

Proposed fix:

• Add SHA2 fallback MACs (non-ETM) while keeping ETM first: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
• Apply only when sshtun-user generated ETM-only line is detected.
• Validate sshd config before reload.

[SamNet-dev]

Fixed in commit ecbb36f.

The script now automatically detects ETM-only MACs set by sshtun-user configure and adds non-ETM SHA2 fallbacks:

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512

ETM is still preferred (listed first), but clients like Bitvise that only support non-ETM can now connect.

The fix validates sshd_config with sshd -t before reloading, and auto-reverts if validation fails.

Update with:

curl -sO https://raw.githubusercontent.com/SamNet-dev/dnstm-setup/master/dnstm-setup.sh
sudo bash dnstm-setup.sh

If you already ran setup, just re-run the SSH user management to apply the fix:

sudo bash dnstm-setup.sh --users