Changes

Enable Legacy Cipher in Linux for SecureCRT

2,591 bytes added, 18:36, 27 February 2017
/* log analysis */
The following lines were added (+) and removed (-):
You you look at the log entry you will find that there are three possible things that can go wrong during the authentication, assuming the user entered the correct username and password, that point to the problem being an incompatible cipher.  In the log entry you will see a complaint like (snip) "...sshd[1528]: fatal: no matching mac found: client hmac-md5 server ...".  Here the word "mac" is referenced, meaning a correct cipher was found but the mac "hmac-md5" which is displayed as simply "MD5" in CRT is not enabled on the server.  The error entry in the log will reference one of three: no matching cipher, no matching mac, or Unable to negotiate a key exchange method. === log analysis ===To help you identify whether it is the cipher, mac, or KexAlgorithms which is not being accepted you can utilize the auth.log.  Provided below is an example for each type of entry.  If your problem is all three, then keep in mind that once the first fails, the other two will not appear in the log.  So, if you correct the issue with the cipher, which was displayed in the log, then there still may remain other issues that have yet to appear in the log until you attempt the connection once again. Jan 01 01:31:24 servername sshd[1528]: fatal: no matching mac found: client hmac-md5 server umac-64-etm@openssh.com,umac- 128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh .com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]Indicates that the cipher is not supported.  Correct this by enabling the cipher in /etc/ssh/sshd_config Jan 01 01:37:05 servername sshd[1538]: fatal: no matching mac found: client hmac-md5 server umac-64-etm@openssh.com,umac- 128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh .com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]Indicates that the mac is not supported.  
Correct this by enabling the mac in /etc/ssh/sshd_config Jan 01 01:39:26 servername sshd[1606]: fatal: Unable to negotiate a key exchange method [preauth]Indicates that the KexAlgorithm is not supported.  Correct this by enabling the KexAlgorithm in /etc/ssh/sshd_configOnce all the legacy ciphers are enabled in /etc/ssh/sshd_config you must restart the sshd service.  These legacy ciphers are not secure.  Enabling them is only recommended on a server that is not directly connected to the Internet, only accessible from a secure LAN.[[Category:Computer_Technology]][[Category:Linux]]
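Review bot: In the added log analysis text, the sample entry captioned "Indicates that the cipher is not supported" is a "no matching mac found: client hmac-md5" line. It is the same message as the mac example that follows it (only the timestamp and PID differ), so the section never shows what a cipher failure looks like. Replace it with an actual "no matching cipher found" entry from auth.log. The opening sentence also begins "You you look" where "If you look" appears to be meant. Since the closing lines already state that these legacy algorithms are not secure, the correction steps would be safer if they said to enable only the specific cipher, mac or KexAlgorithm named in the log entry rather than all of them, and to run sshd -t to validate /etc/ssh/sshd_config before restarting the sshd service.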