Diagnosis and Resolution of 'no matching MAC found' Error in SSH Connections

Problem Phenomenon and Error Analysis

When establishing an SSH connection, users may encounter the following error message:

$ ssh -A <target-server>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching MAC found.
Their offer:
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

This error indicates that the SSH client and server have failed to negotiate a Message Authentication Code algorithm. MAC is used in the SSH protocol to ensure data integrity and authenticity during transmission, preventing data tampering.

Root Cause Investigation

The core cause of this error is that there is no overlap between the MAC algorithms supported by the client and those offered by the server. During SSH connection establishment, both parties exchange their supported algorithm lists. If no common algorithm is found, the connection fails.

To understand this issue, first check the MAC algorithms supported by your local system. Execute in the command line:

$ ssh -Q mac

This command will output results similar to:

hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com

Comparing with the server's algorithm list in the error message, you may find that the server uses newer algorithms like hmac-sha2-512-etm@openssh.com, while the client only supports older algorithms like hmac-sha1.

Solution Implementation

The direct solution to this problem is to explicitly specify a MAC algorithm that both parties support in the SSH command. From the server's offered algorithm list, choose one that the client also supports, such as hmac-sha2-512.

Use the -m parameter to specify the MAC algorithm:

$ ssh -m hmac-sha2-512 -A <target-server>

This will establish the SSH connection using the specified algorithm for message authentication.

Extended Discussion of Related Issues

Similar problems can occur during cipher negotiation. When client and server cipher lists don't match, you may encounter a 'no matching cipher found' error.

Check locally supported ciphers:

$ ssh -Q cipher

Output may include:

3des-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com

If the server only offers older ciphers like aes128-cbc while the client only supports newer ones, negotiation will fail. The solution is similar, using the -c parameter to specify a compatible cipher:

$ ssh -c aes128-cbc -A <target-server>

The fundamental cause of these issues is algorithm incompatibility due to SSH protocol version or configuration differences. In practice, it's recommended to keep both client and server SSH versions updated to minimize such problems.

Deep Understanding of SSH Negotiation Mechanisms

Algorithm negotiation during SSH connection establishment is a critical step. Beyond MAC and cipher algorithms, this includes key exchange algorithms, compression algorithms, and more. Failure in any of these negotiations will interrupt the connection.

Understanding these mechanisms helps in comprehensively diagnosing SSH connection issues. For example, you can obtain detailed debugging information by adding -vvv parameters to observe each step of the negotiation process:

$ ssh -vvv <target-server>

This helps identify exactly which algorithm negotiation failed, enabling targeted solutions.

In practical system administration, regular SSH configuration checks are advised to ensure both clients and servers support adequate security algorithms while maintaining backward compatibility. For production environments, consider pre-specifying algorithm lists in SSH configuration files to avoid issues during temporary connections.