The error “Unable to negotiate with host port 22: no matching MAC found. Their offer: hmac-sha2-512,hmac-sha2-256” indicates that there’s a mismatch in the MAC (Message Authentication Code) algorithms supported by the client and the server during an SSH connection attempt.
In this article, we will share how to fix this issue.
How to fix no matching MAC found issue on Linux
Here’s how you can resolve this:
1. Update SSH (Optional): Before making any changes, ensure that both the client and the server are using the latest version of SSH. An updated version might support more algorithms.
For different Linux distributions, package management tools and sometimes package names differ.
Here’s how you can upgrade openssh-server and openssh-clients in some popular distributions:
Debian/Ubuntu (and derivatives):
sudo apt update
sudo apt upgrade openssh-server openssh-clients
Fedora:
sudo dnf update openssh-server openssh-clientss
CentOS/RHEL (7 and below):
sudo yum update openssh-server openssh-clients
CentOS/RHEL (8 and above):
sudo dnf update openssh-server openssh-clients
openSUSE:
sudo zypper refresh
sudo zypper up openssh
2. Modify the SSH Config: You can add the MAC algorithms offered by the server to your client’s SSH configuration.
– Open the SSH configuration file: vi ~/.ssh/config
– If this file doesn’t exist, you can create it.
– Add the following lines:
Host 10.254.244.3
MACs hmac-sha2-512,hmac-sha2-256
– Save and exit (in `vi`, press `esc`, press `:wq`, then exit vi ).
3. Connect Again: Try to connect again using SSH.
4. Server-side Configuration (Optional): If you have access to the server and wish to change the MAC algorithms it offers, you can modify the server’s SSHD configuration.
– Edit the SSHD configuration:
sudo vi /etc/ssh/sshd_config
– Find the `MACs` line. If it’s not there, you can add it. Modify it to:
MACs hmac-sha2-512,hmac-sha2-256
– Save and exit.
– Restart the SSHD service:
sudo service sshd restart
5. Ensure Security: While the above steps can help in establishing the connection, it’s crucial to ensure that any changes made do not compromise the security of the connection. Always use strong, secure algorithms and regularly review and update configurations as needed.
If you’ve made these changes and are still facing issues, double-check the algorithms supported by both the client and the server. Adjust configurations accordingly.