Tuesday, June 21, 2016

macOS 10.12 Sierra - Corrupted MAC on input && No matching host key type

If you frequently SSH into network management devices, such as routers and switches, you may notice that after upgrading to macOS 10.12 it doesn't work anymore.

There are two error messages you'll need to fix:
- Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-dss
- Corrupted MAC on input. Connection to X.X.X.X closed by remote host.

Both errors are fixed by editing the SSH client config file. The fix follows:

In Terminal, issue: sudo nano /etc/ssh/ssh_config

Enter your password and hit Enter.

1. Scroll down until you see this line:
         #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
2. Delete the pound sign, which will un-comment that line and make it active.

3. Now scroll down to the bottom of the document and add this line:
        HostkeyAlgorithms ssh-dss

4. Hold Control and hit X to exit, hit Y to save, and Enter to apply.

That should do it!


  1. Hmm, this fix doesn't seem to work for me. I even rebooted (just in case...)

    1. I was also getting "Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1"

      Fixed by adding the HostKeyAlgorithms line and also a KexAlgorithms line:

      HostkeyAlgorithms ssh-dss
      KexAlgorithms diffie-hellman-group1-sha1

      Hope that helps somebody who may stumble across this post while searching for the solution.

    2. This just saved me a ton of time and aggravation!!

    3. Helped me!
      I needed ssh-rsa and KexAlgorithms diffie-hellman-group1-sha1

  2. This comment has been removed by the author.

  3. This comment has been removed by the author.

  4. Had to do `HostkeyAlgorithms ssh-dss,ssh-rsa` but this worked for me

  5. Also needed `HostkeyAlgorithms ssh-dss,ssh-rsa`

  6. Just upgraded to Sierra last night - and SSH keys broken. Before I go changing keys on all my servers — I'd like a workaround.

    Can't find much on the web. Your answer seemed clear - but doesn't seem to work.
    Still getting Skipping ssh-dss key /Users/Jeff/.ssh/id_key - not in PubkeyAcceptedKeyTypes

    I did
    sudo nano /private/etc/ssh/sshd_config
    added your lines above
    sudo launchctl stop com.openssh.sshd
    sudo launchctl start com.openssh.sshd

    but no luck.

    Any idea?

    1. Sounds like your public key is DSA, which has been deprecated. You're right to need to update, but as the workaround I would try:

      I would try this:
      sudo nano /etc/ssh/ssh_config (notice, it's SSH_config, not SSHD_config)
      add this to the bottom: PubkeyAcceptedKeyTypes ssh-dss
      save and exit nano
      Try to ssh again. You shouldn't need to restart the ssh daemon, changes should apply on exit of nano.

    2. ssh -oHostKeyAlgorithms=+ssh-dss admin@
      ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost

  7. You are enabling old algorithms that have known vulnerabilities - www.openssh.com/legacy.html.

  8. Thanks for the info!! I added each one and tested it. It was failing until I loaded all three lines with the ssh-rsa part and now it works again!

  9. I truly appreciate all of your hard work; however, you have to understand not everyone is a techie. I tried to follow the instructions, but you should put things in more of a layman's language and you will get more followers. In the end, after trying everything here, I simply reset the SMC and was good. That means for the non-technical: attach the power cord, shut down your Mac, hit Shift+Control+Option(Alt)+Power at the same time until the power light blinks or changes color. Good luck!

  10. BTW ... the upgrade with this small solution fixed all of my latency or lagging issues. Wish all the creatives the best!

  11. I was frustrated out of my head until I figured it out finally!!! Really Apple???

  12. thanks for the solution. works great.

  13. Editing system-wide configurations is never a good idea, especially when you're doing it to globally enable insecure protocols. These things were not disabled on a whim.

    What you want to be doing is adding host-specific overrides to your personal config, found at ~/.ssh/config like this:

    Host legacyhost
    HostKeyAlgorithms +ssh-dss

  14. Thanks for this, real help.
    had to add both, HostkeyAlgorithms ssh-dss,ssh-rsa & KexAlgorithms diffie-hellman-group1-sha1

  15. It's working. I added:
    MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    HostkeyAlgorithms ssh-dss,ssh-rsa
    KexAlgorithms diffie-hellman-group1-sha1

  16. Hi Chris
    even if you decide to use a systemwide configuration file, you really SHOULD use the option HostkeyAlgorithms +ssh-dss. This ALSO enables a login using the inferior DSS encryption algorithm. Your line without the '+' will ONLY allow the use of this inferior / insecure method of encryption, even when RSA actually is available and could be used. Hence, your original approach drills a security hole which you should fix in your text above.
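Taking comments 13 and 16 together with the three lines from the post, here is an added example (not code from the original post or from any commenter) of the same fix scoped to a single device in ~/.ssh/config, using the `+` form so the modern algorithms stay preferred and every other host keeps the macOS 10.12 defaults. The host alias, address, user name and key path are placeholders.

```sshconfig
# ~/.ssh/config (added example, not from the original post)
# ssh_config is first-match-wins per option, so this block must sit
# above any "Host *" block. Alias, address, user and key path are
# placeholders for the device you actually connect to.
Host legacy-switch 192.0.2.10
    HostName 192.0.2.10
    User admin
    # "+" appends to the client's default list instead of replacing it:
    # ssh-dss is only used when this device offers nothing stronger.
    HostKeyAlgorithms +ssh-dss
    KexAlgorithms +diffie-hellman-group1-sha1
    # Same MAC list the post un-comments, but pinned to this host only.
    # On later OpenSSH releases drop any entry missing from "ssh -Q mac".
    MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    # Only needed when the identity for this device is itself a DSA key
    # ("Skipping ssh-dss key ... not in PubkeyAcceptedKeyTypes").
    PubkeyAcceptedKeyTypes +ssh-dss
    IdentityFile ~/.ssh/id_dsa_legacy

# Hosts not matched above keep the stock macOS 10.12 algorithm lists.
```

Run `ssh -G legacy-switch` and read its hostkeyalgorithms, kexalgorithms and macs lines to confirm what will actually be offered to that device, then `ssh -G` against any other host to confirm the defaults are unchanged there.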

  17. Thank-you!!! I have searched all over the internet for this fix! Why is this solution not more apparent (i.e. on Apple.support.com for instance) when googling "Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-dss" ?!?!?!
