
KB-10200: CPS SSH gateway incorrectly calculates HMAC-SHA2-512

23 April 2018 at 03:05 PM

Applies to: All versions of Centrify Connector for Centrify Infrastructure Services

Problem:

When opening an SSH session that uses the HMAC-SHA2-512 algorithm for the MAC, the connection fails to establish because the SSH gateway (Centrify Connector service) calculates the MAC incorrectly.

To reproduce, authorize a user to log in with a privileged SSH account in CPS, then connect to the SSH gateway with that account using the OpenSSH ssh client.

Example for the user 'dwirth@centrify.lab' who wants to access the privileged account 'root@engcen6.centrify.lab', with the Centrify Connector running on 'connector.centrify.lab':

ssh -m hmac-sha2-512 -l root@engcen6.centrify.lab@dwirth@centrify.lab connector.centrify.lab

As soon as the authentication phase has finished, the connection fails and the following error is shown:

Corrupted MAC on input.
ssh_dispatch_run_fatal: Connection to <IP of connector service> port 22: message authentication code incorrect

The same error occurs with other commercial SSH session managers that use hmac-sha2-512 by default when the SSH server advertises it, and that abort the connection attempt when the MAC check fails.

Explanation:

The connector acts as the jump box and contains both the SSH gateway and an SSH client. The flow for an SSH connection is as follows:

1. SSH client (e.g. PuTTY) -> SSH gateway (connector)
2. SSH client (connector) -> OpenSSH server (e.g. Ubuntu)

If the MAC algorithm negotiated for hop #1 is hmac-sha2-512 and the one negotiated for hop #2 is a lower one (hmac-sha1 or hmac-sha2-256), the connection does not work (HMAC mismatch).

If the MAC algorithm for hop #1 and hop #2 is the same, the connection works.
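The following Python model, added here as an illustration and not code from the Centrify Connector, shows why a MAC algorithm mismatch between the two hops surfaces on the client as "Corrupted MAC on input". It computes the SSH transport MAC as RFC 4253 defines it (HMAC over the 32-bit sequence number followed by the unencrypted packet) and checks what happens when the client verifies with the algorithm it negotiated while the gateway produced the MAC with a different one. The shared secret, the packet bytes and the key derivation (derive_demo_key) are constructed for the demonstration; real integrity keys come from the key exchange.

```python
import hashlib
import hmac
import struct

# SSH transport MAC algorithms: name -> (hash function, key length, MAC length in bytes).
# Sizes per RFC 4253 (hmac-sha1) and RFC 6668 (hmac-sha2-256 / hmac-sha2-512).
SSH_MAC_ALGS = {
    "hmac-sha1":     (hashlib.sha1,   20, 20),
    "hmac-sha2-256": (hashlib.sha256, 32, 32),
    "hmac-sha2-512": (hashlib.sha512, 64, 64),
}


def derive_demo_key(alg, shared_secret):
    """Constructed stand-in for the integrity key SSH derives from the key
    exchange (RFC 4253 section 7.2). Real keys are HASH(K || H || ... ); a
    SHAKE-256 output of the right length is enough for this demonstration."""
    _, key_len, _ = SSH_MAC_ALGS[alg]
    return hashlib.shake_256(shared_secret + alg.encode()).digest(key_len)


def ssh_mac(alg, key, seqno, packet):
    """MAC for one SSH binary packet (RFC 4253 section 6.4):
    mac = MAC(key, sequence_number || unencrypted_packet)."""
    h, key_len, mac_len = SSH_MAC_ALGS[alg]
    if len(key) != key_len:
        raise ValueError(f"{alg} needs a {key_len}-byte key, got {len(key)}")
    return hmac.new(key, struct.pack(">I", seqno) + packet, h).digest()[:mac_len]


def verify_ssh_mac(alg, key, seqno, packet, received_mac):
    """Receiver-side check; False is what OpenSSH reports as
    'Corrupted MAC on input'. compare_digest is constant-time and returns
    False (rather than raising) when the two lengths differ."""
    return hmac.compare_digest(ssh_mac(alg, key, seqno, packet), received_mac)


def client_accepts(client_alg, gateway_alg, shared_secret, seqno, packet):
    """Model of hop #1: the client verifies with the algorithm it negotiated
    (client_alg) while the gateway produced the MAC with gateway_alg.
    The packet passes only when both sides used the same algorithm."""
    gw_key = derive_demo_key(gateway_alg, shared_secret)
    sent_mac = ssh_mac(gateway_alg, gw_key, seqno, packet)
    client_key = derive_demo_key(client_alg, shared_secret)
    return verify_ssh_mac(client_alg, client_key, seqno, packet, sent_mac)


# Constructed sample: a minimal SSH binary packet carrying SSH_MSG_IGNORE (2)
# laid out as packet_length, padding_length, payload, padding; and a demo secret.
DEMO_SECRET = b"constructed-demo-secret-not-from-a-real-kex"
DEMO_PACKET = struct.pack(">IB", 12, 7) + b"\x02abc" + b"\x00" * 7

if __name__ == "__main__":
    for gw_alg in SSH_MAC_ALGS:
        ok = client_accepts("hmac-sha2-512", gw_alg, DEMO_SECRET, 3, DEMO_PACKET)
        print(f"client negotiated hmac-sha2-512, gateway used {gw_alg:14}: "
              f"{'ok' if ok else 'Corrupted MAC on input'}")
```

Two points the model makes visible: the MAC covers the sequence number, so a packet that is otherwise intact fails verification if the counter differs (the same mechanism that catches replayed or reordered packets); and because hmac-sha2-256 and hmac-sha1 yield 32- and 20-byte tags while the client expects 64 bytes for hmac-sha2-512, a mismatched algorithm can never produce a tag the client accepts, which is why the session aborts immediately after authentication rather than degrading.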


Workaround:

As a workaround, force the OpenSSH server (hop #2) to use only hmac-sha2-512, so that both hops negotiate the same MAC algorithm:

    Open /etc/ssh/sshd_config
    Add or update:

    MACs hmac-sha2-512

    Restart the OpenSSH server
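The helper below, added as an example and not part of the Centrify article or product, applies the workaround to an sshd_config text in a way that is safe to repeat: it replaces the first active MACs directive in the global section, drops later duplicate global MACs lines (sshd keeps the first value it reads), leaves commented lines and directives inside Match blocks alone, and otherwise inserts the directive before the first Match line so it stays global. A second function parses the output of sshd -T so the effective MAC list can be confirmed after the restart. The sample configuration text is constructed; the function names are this example's own.

```python
import re

MACS_DIRECTIVE = re.compile(r"(?i)^macs\b")
MATCH_DIRECTIVE = re.compile(r"(?i)^match\b")


def set_sshd_macs(config_text, macs=("hmac-sha2-512",)):
    """Return sshd_config text with exactly one active, global 'MACs' line.

    sshd keywords are case-insensitive, so 'macs' and 'MACs' both count.
    Anything after a 'Match' line belongs to that block and is left as is;
    if no global MACs line exists, the directive is inserted before the first
    Match line (or appended when the file has no Match blocks).
    """
    new_line = "MACs " + ",".join(macs)
    out = []
    done = False
    in_match = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if MATCH_DIRECTIVE.match(stripped):
            if not done:            # keep the directive global: put it before Match
                out.append(new_line)
                done = True
            in_match = True
        if not in_match and MACS_DIRECTIVE.match(stripped):
            if not done:            # replace the first global MACs line in place
                out.append(new_line)
                done = True
            continue                # later global duplicates are dropped
        out.append(line)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"


def effective_macs(sshd_t_output):
    """Parse 'sshd -T' output (lowercase 'keyword value' per line) and return
    the effective MAC list, for verifying the change after the restart."""
    for line in sshd_t_output.splitlines():
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "macs":
            return value.strip().split(",")
    return []


# Constructed sample: a commented MACs line, two competing global MACs lines and
# a Match block with its own MACs setting.
SAMPLE_CONFIG = (
    "Port 22\n"
    "# MACs hmac-sha1\n"
    "MACs hmac-sha1,hmac-sha2-256\n"
    "MACs hmac-md5\n"
    "Match User bob\n"
    "    MACs hmac-sha1\n"
)

if __name__ == "__main__":
    print(set_sshd_macs(SAMPLE_CONFIG))
    # After 'systemctl restart sshd' (or the distribution's equivalent), run
    # 'sshd -T' and pass its output to effective_macs() to confirm the result.
```

Restricting the server to a single MAC algorithm also affects clients that connect to it directly: any client that does not offer hmac-sha2-512 will fail MAC negotiation, so check the output of sshd -T and the set of direct clients before rolling the change out.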

Resolution:

Engineering will provide a fix in a future release.
