Tuesday, December 1, 2015

Working around Corrupted MAC on input. with Cygwin SSH

When connecting to some servers from Cygwin using ssh, the connection fails and I get this error:
Received disconnect from 1.2.3.4: 2: Corrupted MAC on input.

Looking at debug output, it seems like it is using "umac-64@openssh.com" as MAC algorithm. Forcing it to use something else works around the problem.

When using ssh directly, you can use this: (Other options should work as well, this one worked for me)
ssh -o 'MACs hmac-sha1-96' user@host
or
ssh -m hmac-sha1-96 user@host

When using rsync, you need to put one of the strings above in the --rsh parameter:
rsync --rsh="ssh -m hmac-sha1-96 user@host" :/remote-source /local-dest

A more permanent option is to add the setting to the ssh_config file. This is either /etc/ssh_config (affecting all users) or ~/.ssh/config.

A line using a modified set based on the defaults for my SSH version is:
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

You can find the problematic MAC by running 
ssh -v user@host-that-disconnects-you 2>&1 | grep mac

Adding that as a line to ~/.ssh/config seems to be the easiest solution.