How to resolve 'no matching mac found error' when I try to ssh - openssh

The following is the error I am getting:
no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

I have struggled with this problem for a decent time before understanding the basics and the root cause. Sharing the experience so it can help someone.
I was trying to ssh to a target server and getting an error like below:
$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching MAC found.
Their offer:
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
The root cause of this error is that on your source machine the supported MACs don't contain the MAC from the target server.
To see this, run in the command line on your machine:
$ ssh -Q mac # output would be something like
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
So now, in order to connect to the target server with their choice of MAC which your server doesn't support, you have to explicitly provide one of the MACs supported by the target server. For example, we take hmac-sha2-512 from the error message and try to connect, and it will be connected:
$ ssh -m hmac-sha2-512 -A <someTargetServerNameOrIP>
Another variant of the problem is a mismatch in cipher, which looks like below:
$ ssh -A <someTargetServerNameOrIP>
Unable to negotiate with XX.XX.XX.XX port 1234: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The root cause is a mismatch of cipher.
Check your supported ciphers by:
$ ssh -Q cipher # output would be something like
3des-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
So now, in order to connect to the target server with their choice of cipher which your server doesn't support, you have to explicitly provide one of the ciphers supported by the target server. For example, we take aes128-cbc from the error message and try to connect, and it will be connected:
$ ssh -c aes128-cbc -A <someTargetServerNameOrIP>
More details on this can be found at:
https://diego.assencio.com/?index=688f3a536f63c43566c94f0818d9ecf3
Hope this helps someone.

You are getting this error because the client and the server could not agree upon a hashing algorithm for the message authentication code.
More information here:
https://blog.tinned-software.net/debug-ssh-connection-issue-in-key-exchange/

On a CentOS/RHEL 7 server, while trying to access the server via the TMA Pulse Secure tool, I was getting the below error in /var/log/secure:
[root@rhellinuxserver ~]# cat /var/log/secure | grep -iE "no matching"
Aug 24 07:02:07 rhellinuxserver sshd[29958]: Unable to negotiate with 172.21.112.111 port 16899: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com [preauth]
Aug 24 07:15:24 rhellinuxserver sshd[30702]: Unable to negotiate with 172.21.112.111 port 33541: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com [preauth]
To fix the issue, edit the sshd_config file as mentioned below:
# cat -n /etc/ssh/sshd_config | grep -i MACs
Find the line
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Replace it with
MACs hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
This will add the following extra MAC algorithms:
hmac-sha1,hmac-sha1-96,hmac-md5,hmac-ripemd160
Restart the SSHD service now:
systemctl restart sshd
Now I am able to access the server; find the success result in the /var/log/secure log file:
cat /var/log/secure | grep -i Accepted
Aug 24 07:18:24 rhellinuxserver sshd[548]: Accepted password for username from 172.21.112.111 port 53776 ssh2
Important Note:
Do not use these two weak ciphers, aes256-cbc & aes128-cbc.
This may allow an attacker to recover the plaintext message from the ciphertext.
Disable CBC mode cipher encryption and enable CTR or GCM cipher mode encryption.
Below are the steps to disable the SSH weak ciphers aes256-cbc & aes128-cbc.
Step 1: Remove AES-128-CBC & AES-256-CBC in this file:
/etc/crypto-policies/state/CURRENT.pol
Step 2: Remove aes256-cbc & aes128-cbc in this file:
/etc/crypto-policies/back-ends/opensshserver.config
Step 3: Restart/Reload the sshd service
$ sudo systemctl restart sshd
$ sudo systemctl status sshd
Step 4: Now you can make the ssh connection without the weak ciphers aes256-cbc & aes128-cbc:
$ sudo ssh -vvv user-name@IP-Address
For more information, refer to CVE-2008-5161.
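Added example (my own code, not from any of the answers above): it parses the "no matching MAC/cipher found" messages quoted in the first answer and in the /var/log/secure lines of the answer just above, intersects the peer's offer with the algorithms our side supports, and reports the strongest mutual choice while flagging weak ones such as CBC ciphers and MD5 MACs. The LOCAL_MACS and LOCAL_CIPHERS lists are copied from the ssh -Q output shown in the first answer; the message in the demo is constructed.

```python
import re

# Offer lists copied from the first answer above ("ssh -Q mac" / "ssh -Q cipher" output).
LOCAL_MACS = ["hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512",
              "hmac-md5", "hmac-md5-96", "umac-64@openssh.com", "umac-128@openssh.com"]
LOCAL_CIPHERS = ["3des-cbc", "aes256-cbc", "rijndael-cbc@lysator.liu.se", "aes128-ctr",
                 "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]

# Algorithms a defender should not enable just to make a handshake succeed.
WEAK = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-ripemd160",
        "hmac-ripemd160@openssh.com", "umac-64@openssh.com", "3des-cbc", "aes128-cbc",
        "aes192-cbc", "aes256-cbc", "rijndael-cbc@lysator.liu.se"}

# Strongest first: encrypt-then-MAC and AEAD/CTR before plain MACs; CBC never preferred.
PREFERENCE = ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
              "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
              "umac-128@openssh.com", "hmac-sha1", "chacha20-poly1305@openssh.com",
              "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr",
              "aes192-ctr", "aes128-ctr"]

# Current wording, used by both the ssh client and sshd's /var/log/secure line.
OFFER_RE = re.compile(r"Unable to negotiate with (?P<peer>\S+) port \d+: no matching "
                      r"(?P<kind>MAC|cipher) found\. Their offer: (?P<offer>[^\s\[]+)")
# Older wording from the question: "no matching mac found: client a,b server c,d".
BOTH_RE = re.compile(r"no matching (?P<kind>mac|cipher) found: client (?P<ours>\S+) "
                     r"server (?P<offer>\S+)")


def parse_failure(text):
    """Return {'kind','peer','offer','ours'} from one ssh/sshd message, or None."""
    text = " ".join(text.split()).replace(", ", ",")  # rejoin a wrapped offer list
    m = OFFER_RE.search(text) or BOTH_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    return {"kind": d["kind"].upper(), "peer": d.get("peer"), "offer": d["offer"].split(","),
            "ours": d["ours"].split(",") if d.get("ours") else None}


def recommend(offer, supported):
    """(strongest algorithm both sides support or None, sorted weak mutual ones)."""
    mutual = [a for a in PREFERENCE if a in offer and a in supported]
    strong = [a for a in mutual if a not in WEAK]
    weak = sorted(a for a in offer if a in supported and a in WEAK)
    return (strong[0] if strong else None), weak


if __name__ == "__main__":  # constructed message; the peer address is a documentation IP
    msg = ("Unable to negotiate with 203.0.113.5 port 22: no matching MAC found.\n"
           "Their offer:\nhmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,\n"
           "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com")
    f = parse_failure(msg)
    best, weak = recommend(f["offer"], LOCAL_MACS)
    print(f"{f['kind']} from {f['peer']}: use {best!r}, weak mutual: {weak}")
```

A result of None with an empty weak list means the two sides share no algorithm at all and one of them needs updating; None with a non-empty weak list means the only common ground is something you should not enable, which is the situation the note on CBC ciphers above describes.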

Latest putty client solved the issue.

Related

SSH to wpengine works in windows command terminal but not git bash

Recently I had to get my hard drive replaced on my work machine and thus had to reconfigure everything. As a result I had to reinstall Git Bash. Before, I was able to ssh fine into wpengine, and now I cannot.
I am able to connect via the regular Windows terminal fine, but when I try with Git Bash I am getting the "Permission denied (publickey)." error for the exact same command.
I have tried all the suggested options from wpengine and in the different questions related to this on other SE sites, and nothing is working.
I am using a Windows machine on Windows 10.
Here are the things I have tried:
Regenerating the key and adding it to my user public keys again and then waiting 24 hours.
Adding the config details to the ssh_config file in C:\Program Files\Git\etc\ssh
Adding a config file to my /User/username/.ssh/ folder.
I have tried using the following link and adding the wpengine rsa file as well: https://gist.github.com/jherax/979d052ad5759845028e6742d4e2343b
Any and all help would be appreciated.
My guess is there is some kind of permissions issue going on on the local machine?
Why would the request from the Git Bash terminal to wpengine look different from the Windows command terminal?
I did solve my issue. If it helps you please use it!
When I used the command to the ssh host with: ssh -v user@environment.wpengine.ssh.net info
I got back this among the debug errors:
debug1: Offering public key: /c/Users/USERNAME/.ssh/KEY_FILENAME RSA XXXXXXXXXXXXXXXXXXXXX explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
user@environment.ssh.wpengine.net: Permission denied (publickey).
After finding this page:
https://transang.me/ssh-handshake-is-rejected-with-no-mutual-signature-algorithm-error/
I was able to solve the issue by adding the line:
PubkeyAcceptedAlgorithms +ssh-rsa to my ssh config file.
Honestly I am not even 10% certain on WHY this worked, however, it solved my problem.
How To Connect with SSH In WPEngine
If you are having trouble connecting to SSH in WPEngine, the following are the commands which I used:
ssh-keygen -t rsa -b 4096 -f c:/users//.ssh/wpengine_rsa
Add Fingerprint in WPEngine My Profile – SSH
Add Config file
Host *.ssh.wpengine.net
IdentityFile ~/.ssh/wpengine_rsa
IdentitiesOnly yes
Connect with your wordpress website (windows command prompt)
ssh environment@environment.ssh.wpengine.net

Unable to perform SNMP GET using snmpget CLI command but able to perform SNMP GET using MIB browser

I was configuring my SNMP agent on a Linux machine; below are the user-defined settings which I have included in the default snmpd.conf settings.
rwuser bootstrap priv
rwuser prateek priv
createUser bootstrap SHA temp_password AES
I then restarted the SNMP service and then tried to perform an SNMP GET on the sysDescr OID, and was able to perform it successfully.
I then tried the same with the snmpget CLI command,
snmpget -v 3 -u bootstrap -l authPriv -a SHA -x AES -A temp_password -X temp_password 127.0.0.1:161 1.3.6.1.2.1.1.1.0
but I got the below error:
Timeout: No Response from 127.0.0.1:161
NOTE: SNMP client and agent are running on same host.
Can anyone explain to me why I am unable to perform the same operation which I am able to perform using MIB browser?
The address 127.0.0.1 means you MUST be running the SNMPGET on the same system as the agent, and you have not proven that.
Also, the error message should be "127.0.0.1:161", so either the edit is mistaken, or the command is mistaken. Inconsistencies like this usually point to user error.

SSH Failure using Git For Windows

I'm using Git For Windows (not msys or GitHub) in my build server scripts. We have a self-hosted BitBucket repository with an SSH access key configured. I'm trying to do an initial clone in my build scripts via the command line and it is failing with an SSH error.
Here is my environment:
Windows Server 2012
Git For Windows 1.9.4
SSH key stored in %USERPROFILE%\.ssh
.ssh\config points to proper SSH key for my git server domain
my server is in my known_hosts file
SysInternals ProcMon shows that the ssh key is being checked during the clone operation
The same clone operation works using the Git Bash window that comes with Git for Windows. So this rules out an invalid key (I believe)
Here is the Loglevel DEBUG3 logging from SSH during the clone operation:
[exec] debug3: send packet: type 30
[exec] debug1: sending SSH2_MSG_KEX_ECDH_INIT
[exec] debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[exec] debug3: receive packet: type 31
[exec] debug1: Server host key: ssh-rsa SHA256:K7Y..
[exec] debug3: put_host_port: [x.x.x.x]:7999
[exec] debug3: put_host_port: [xxxmyserverxxx.local]:7999
[exec] debug1: checking without port identifier
[exec] debug1: read_passphrase: can't open /dev/tty: No such device or address
[exec] Host key verification failed.
[exec] fatal: Could not read from remote repository.
[exec]
[exec] Please make sure you have the correct access rights
[exec] and the repository exists.
I can't tell if the "can't open /dev/tty" issue is the real deal breaker. I don't even know what /dev/tty would equate to inside of a Windows command window.
What's more frustrating is that this exact type of operation succeeds on another repo I use with the same SSH key pair. I can see no difference in the configuration.
read_passphrase: can't open /dev/tty: No such device or address is your deal breaker here. Git needs to get the password of your ssh key but cannot since it has no access to the tty (stdin). Are you running your git command from the Git Bash or from some other terminal?
As a workaround, you can create a passwordless ssh key and use that one instead. To get that working, in your Git Bash home directory, set something similar to this example:
$ ssh-keygen -b 4096 -t rsa -N "" -f "${HOME}/.ssh/id_rsa_passwordless"
$ cat <<EOF >>.ssh/config
Host github.com
HostName github.com
IdentityFile ~/.ssh/id_rsa_passwordless
EOF
Of course, it is better that you use an SSH key with a password under Git Bash, but at least you have a workaround.

Could not create directory /var/teamsserver

I've installed OS X Server (Mavericks) on my Mac and would like to add a bot. For some reason my remote repo is located on another external server and I have access to it by username and password on a specified port. I've added the remote repo to OS X Server like this:
ssh://1.2.3.4:PORT/path/to/repo.git
...and filled in the username and password.
Then I've added a bot in Xcode, but when I hit integrate it fails with these logs:
Cloning into 'ssh_myusername_1_2_3_4_PORT_path_to_repo_git'...
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 1.2.3.4 [1.2.3.4] port PORT.
debug1: Connection established.
Could not create directory '/var/teamsserver/.ssh'.
debug1: identity file /var/teamsserver/.ssh/id_rsa type -1
debug1: identity file /var/teamsserver/.ssh/id_rsa-cert type -1
debug1: identity file /var/teamsserver/.ssh/id_dsa type -1
debug1: identity file /var/teamsserver/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3ubuntu1
debug1: match: OpenSSH_6.0p1 Debian-3ubuntu1 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA b6:b8:0e:e4:25:63:6d:64:a3:d6:6d:7f:46:85:72:0d
debug1: checking without port identifier
No RSA host key is known for [1.2.3.4]:PORT and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
SSH Known Hosts file path is located at /Library/Server/Xcode/Config/ssh_known_hosts
SSH strict host checking is enabled (you can disable this by editing the SSHStrictHostKeyChecking key in /Library/Server/Xcode/Config/xcsbuildd.plist
Untrusted HTTPS certificates is disabled (you can enable this by editing the TrustSelfSignedSSLCertificates key in /Library/Server/Xcode/Config/xcsbuildd.plist
I assume that there is a problem with permissions, but in my /var there are some directories with different permissions and of course there is no teamsserver folder...
So I don't know how to set up proper permissions (without changing permissions of other subdirectories of /var...). I can try to manually make the directory "teamsserver" but don't know with what permissions...? Do you have any ideas?
EDIT: For test purposes I've created the teamsserver directory with 777 but that doesn't solve my problem. The logs look the same as before, but just WITHOUT the line:
Could not create directory '/var/teamsserver/.ssh'.
Any ideas?
Thanks
I experienced a similar issue with scheme action build scripts when attempting to run git commands against a github repo protected by ssh key pairs.
Bots run builds using a _teamsserver system account. As you've discovered, these accounts don't have home directories by default. To set up builds to access and modify their home directory, I had success with the following (your mileage may vary):
sudo mkdir /var/teamsserver
sudo chown -R _teamsserver:_teamsserver /var/teamsserver/
sudo chmod -R 770 /var/teamsserver/
HTH
Ok, it took some time but I've got a solution... Two solutions actually. Ashamed to admit it, but reading and understanding the logs is enough to solve the problem (again :P).
FIRST ANSWER:
My server host key was added to .ssh/known_hosts BEFORE installing OS X Server. The server doesn't use that known_hosts path. As the log says, the server uses:
SSH Known Hosts file path is located at /Library/Server/Xcode/Config/ssh_known_hosts
and that file was empty in my case. So to solve the problem it is enough to copy known_hosts to ssh_known_hosts:
sudo cp ~/.ssh/known_hosts /Library/Server/Xcode/Config/ssh_known_hosts
It's that simple.
SECOND ANSWER:
According to the log again:
SSH strict host checking is enabled (you can disable this by editing the SSHStrictHostKeyChecking key in /Library/Server/Xcode/Config/xcsbuildd.plist
Change SSHStrictHostKeyChecking to false.
It's done again.
If you've tried the above and still are getting a permission denied error, you probably don't have the right permissions to that file/directory.
Who are you running as? $ id
$ ls -al the directory that the server is trying to read the id_rsa from (probably similar to this path: Library/Server/Xcode/Data/BotRuns/BotRun-a28db5fc-1932-47a0-a528-f52c75e421e2.bundle/credentials/65885363-194e-454b-a3ce-56dcaaf5d3c9/id_rsa)
Change ownership of that file ^^ ($ sudo chown {#id} {#path})
I did 3 things to allow me to get past this, although I'm not sure which of them solved the problem:
Changed all git repositories in my project to use the HTTPS rather than SSH (git) version of the url
Disabled SSHStrictHostKeyChecking as per the instructions from the source control log from the bot.
Enabled TrustSelfSignedSSLCertificates as per the same instructions from the log.
Also check out https://discussions.apple.com/thread/5586872 in case this is a problem for you.
I will back some of these items off and test when I have more time.

MSysGit and ssh config. missing

1) Run Git Bash (C:\Program Files (x86)\Git\bin\sh.exe --login)
$ ssh -v git@github.com
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /c/Users/Alexander Fedorov/.ssh/config
debug1: Applying options for github.com
debug1: Connecting to github.com [207.97.227.239] port 22.
debug1: Connection established.
...
Hi xpoft! You've successfully authenticated, but GitHub does not provide shell access.
...
Okay! The ssh config is read fine.
2) Run from cmd.exe
C:\Users\Alexander Fedorov>ssh.exe -v git@github.com
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Connecting to github.com [207.97.227.239] port 22.
...
debug1: No more authentication methods to try.
Permission denied (publickey).
Nooo. The ssh config file is missing...
How... how do I read the config from ssh.exe?
What is probably missing is the user environment variable HOME.
If you launch your DOS session from the git-cmd.bat script packaged with msysgit, it should be defined, and you should see %HOME%\.ssh\id_rsa(.pub)
But from any other DOS windows, HOME isn't defined by default (HOMEPATH or USERPROFILE are).
See also "Fix msysGit Portable $HOME location" as an illustration (but you shouldn't need that workaround with recent versions of msysgit and its git-cmd.bat script)
