SSH server connections not being accepted

#1

I’m trying to setup remote execution of a script on my Vero when my NAS boots, which was something I had working before a recent reinstall. I’ve added the NAS RSA public key to the Vero authorized keys, and now am getting the following error when attempting to make an SSH connection from the NAS.

no matching mac found: client hmac-md5 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Can someone please advise whether this means that the SSH client on the NAS is out of date in some fashion, because it only supports hmac-md5, which the Vero SSH server isn’t supporting? I haven’t found anything specifically stating it’s an out of date message authentication code, but that’s the best understanding I have of everything I’ve read about SSH. I tried updating the SSH client on the NAS, but apt-get doesn’t appear to be present on there, and I can’t find anything on their wiki. Would it be wrong to try enabling hmac-md5 on the Vero SSH server?

0 Likes

#2

You NAS is trying to connect to the Vero using a wea/insecure HMAC that isn’t accepted by the Vero’s SSH server.

If you are running everything from within your LAN, then you can decide if you want to take a chance and configure the Vero to accept the insecure hash. Better still, if possible, change the NAS to use a more secure hashing algorithms.

Which would you prefer to do?

Edit: If you’re running SSH from a shell script/command line try adding -m hmac-sha2-256 to the line and see if that’s accepted by the NAS.

1 Like

#3

Thanks dill. Appreciate your putting into different words & confirming the vague understanding I had of the situation. Now sorted.

0 Likes

#4

Care to share what you did in the end?

0 Likes

#5

Hi,
Sorry to bump an oldish thread but I’m having the same problem and couldn’t figure out the solution from what has been posted already.

When I try to ssh into my Vero, the following error is returned:
no matching mac found: client hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

I tried this suggestion from dillthedog, I get the following error returned:
Unknown mac type 'hmac-sha2-256'

I’m not too worried about security as I’m working within my LAN, but if anybody could advise how to do either of the suggestions, I’d be grateful.
Thanks in advance.

0 Likes

#6

You forgot to tell us what you’re SSH-ing from. However, the client’s MAC list seems to be quite comprehensive.

Have you kept your Vero fully updated?

0 Likes

#7

Sorry I missed that!
I’m SSHing from terminal (mac)
I did a manual update this weekend so I thought I was up to date, but I see my version is October 2017.10-1. When I just scanned for updates now it downloaded about 30 items then gave the dialog box ‘There are no updates available’.

0 Likes

#8

What version of OS X are you running?

0 Likes

#9

That’s still current. The latest update is a bit late because of the upgrade to Debian stretch.

I don’t have a Vero, but on my Pi3, the allowed MACs are:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

However, my Vero3 is missing this line (plus a few others), so I can successfully SSH using -m hmac-sha1.

0 Likes

#10

Pretty old… this could be a problem - 10.7.5

I did also try on 10.11.? when I had my work computer with me this weekend, which also didn’t work though. I didn’t make a note of whether the error was the same.

0 Likes