Tuesday, June 21, 2016

macOS 10.12 Sierra - Corrupted MAC on input && No matching host key type

If you frequently SSH into network management devices, such as routers and switches, you may notice that in macOS 10.12, it doesn't work anymore.

There are two error messages you'll need to fix:
- Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-dss
- Corrupted MAC on input. Connection to X.X.X.X closed by remote host.

Both errors are fixed by modifying the SSH config file. The fix follows:

In Terminal, issue: sudo nano /etc/ssh/ssh_config

Enter your password and hit Enter.

1. Scroll down until you see this line:
   #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

2. Delete the pound sign (#), which un-comments that line and makes it active.

3. Now scroll down to the bottom of the file and add this line:
   HostkeyAlgorithms ssh-dss

4. Hold Control and hit X to exit, hit Y to save, and Enter to apply.

That should do it!
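A narrower way to get the same result, added here as an example and not taken from the post: a small shell helper that writes a per-host stanza into your personal ~/.ssh/config so the legacy algorithms are re-enabled only for the one device that needs them, then shows what ssh will actually negotiate for that host. The host name legacy-switch, the config path and the hmac-sha1 choice are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): scope the legacy algorithms to
# one network device in ~/.ssh/config instead of editing /etc/ssh/ssh_config.
# "+" APPENDS to OpenSSH's default list (OpenSSH 7.0+), so stronger algorithms
# are still preferred wherever the device supports them. MACs is set explicitly
# because the "Corrupted MAC" error is about which MAC gets negotiated;
# hmac-sha1 is an assumed choice, substitute the post's list if it fails.

# Append a per-host stanza for HOST to CONFIG unless one already exists.
add_legacy_host_stanza() {
    config="$1"
    host="$2"
    mkdir -p "$(dirname "$config")"
    touch "$config"
    chmod 600 "$config"
    if grep -q "^Host $host\$" "$config"; then
        return 1    # idempotent: never write a duplicate stanza
    fi
    cat >> "$config" <<EOF

# Legacy network device: only this host gets the weak algorithms re-enabled.
Host $host
    HostKeyAlgorithms +ssh-dss
    KexAlgorithms +diffie-hellman-group1-sha1
    MACs hmac-sha1
EOF
}

# Number of "Host HOST" stanzas in CONFIG (expect 0 or 1).
stanza_count() {
    grep -c "^Host $2\$" "$1" || true
}

# Stand-alone usage: sh legacy_host.sh --apply legacy-switch
# (legacy-switch is a placeholder host name)
if [ "${1:-}" = "--apply" ]; then
    add_legacy_host_stanza "$HOME/.ssh/config" "${2:-legacy-switch}" || echo "stanza already present"
    # Print the effective client settings for that host without connecting.
    command -v ssh >/dev/null 2>&1 &&
        ssh -G "${2:-legacy-switch}" | grep -i -e '^hostkeyalgorithms' -e '^kexalgorithms' -e '^macs'
fi
```

Running the helper twice for the same host leaves a single stanza, and hosts that are not named in it keep OpenSSH's default, stronger algorithm lists.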



24 comments:

  1. Hmm, this fix doesn't seem to work for me. I even rebooted (just in case...)

    Replies
    1. I was also getting "Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1"

      Fixed by adding the HostKeyAlgorithms line and also a KexAlgorithms line:

      HostkeyAlgorithms ssh-dss
      KexAlgorithms diffie-hellman-group1-sha1

      Hope that helps somebody who may stumble across this post while searching for the solution.

    2. This just saved me a ton of time and aggravation!!
      Thanks

    3. Helped me!
      I needed ssh-rsa and KexAlgorithms diffie-hellman-group1-sha1

  4. Had to do `HostkeyAlgorithms ssh-dss,ssh-rsa` but this worked for me

  5. Also needed `HostkeyAlgorithms ssh-dss,ssh-rsa`

  6. Just upgraded to Sierra last night - and SSH keys broken. Before I go changing keys on all my servers — I'd like a workaround.

    Can't find much on the web. Your answer seemed clear - but doesn't seem to work.
    Still getting Skipping ssh-dss key /Users/Jeff/.ssh/id_key - not in PubkeyAcceptedKeyTypes

    I did
    sudo nano /private/etc/ssh/sshd_config
    added your lines above
    sudo launchctl stop com.openssh.sshd
    sudo launchctl start com.openssh.sshd

    but no luck.

    Any idea?

    Replies
    1. Sounds like your public key is DSA, which has been deprecated. You're right to need to update, but as a workaround I would try:

      I would try this:
      sudo nano /etc/ssh/ssh_config (notice, it's SSH_config, not SSHD_config)
      add this to the bottom: PubkeyAcceptedKeyTypes ssh-dss
      save and exit nano
      Try to ssh again. You shouldn't need to restart the ssh daemon; changes should apply on exit of nano.

    2. ssh -oHostKeyAlgorithms=+ssh-dss admin@
      ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

  7. You are enabling old algorithms that have known vulnerabilities - www.openssh.com/legacy.html.

  8. Thanks for the info!! I added each one and tested it. It was failing until I loaded all three lines with the ssh-rsa part and now it works again!

  9. I truly appreciate all of your hard work; however, you have to understand not everyone is a techie. I tried to follow the instructions, but you should put things in more of a layman's language and you will get more followers. In the end, after trying everything here, I simply reset the SMC and was good. That means for the non-technical: attach the power cord, shut down your Mac, hit Shift+Ctrl+Option(Alt)+Power at the same time until the power light blinks or changes color. Good luck!

  10. BTW ... the upgrade with this small solution fixed all of my latency or lagging issues. Wish all the creatives the best!

  11. I was frustrated out of my head until I figured it out finally!!! Really Apple???

  12. Thanks for the solution. Works great.

  13. Editing system-wide configurations is never a good idea, especially when you're doing it to globally enable insecure protocols. These things were not disabled on a whim.

    What you want to be doing is adding host-specific overrides to your personal config, found at ~/.ssh/config like this:

    Host legacyhost
    HostKeyAlgorithms +ssh-dss

  14. Thanks for this, real help.
    Had to add both: HostkeyAlgorithms ssh-dss,ssh-rsa and KexAlgorithms diffie-hellman-group1-sha1

  15. It's working. I added:
    MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    HostkeyAlgorithms ssh-dss,ssh-rsa
    KexAlgorithms diffie-hellman-group1-sha1

  16. Hi Chris
    even if you decide to use a systemwide configuration file, you really SHOULD use the option HostkeyAlgorithms +ssh-dss. This ALSO enables a login using the inferior DSS encryption algorithm. Your line without the '+' will ONLY allow the use of this inferior / insecure method of encryption, even when RSA actually is available and could be used. Hence, your original approach drills a security hole which you should fix in your text above.

  17. Thank you!!! I have searched all over the internet for this fix! Why is this solution not more apparent (i.e. on Apple.support.com for instance) when googling "Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-dss" ?!?!?!
