Applies to: All versions of Centrify Connector for Centrify Infrastructure Services
Problem:
When opening an SSH session that uses the HMAC-SHA2-512 algorithm (hmac-sha2-512) for calculating the MAC, the connection fails to establish because the SSH gateway (the Centrify Connector service) calculates the MAC incorrectly.
To replicate, authorize a user to log in with a privileged SSH account in CPS, then connect to the SSH gateway with this account using the OpenSSH ssh client.
Example for user 'dwirth@centrify.lab' who wants to access the privileged account 'root@engcen6.centrify.lab', with the Centrify Connector running on 'connector.centrify.lab':
As soon as the authentication phase has finished, the connection fails and the following error is shown:
Corrupted MAC on input.
ssh_dispatch_run_fatal: Connection to <IP of connector service> port 22: message authentication code incorrect
The same error occurs with another commercial SSH session manager, which uses hmac-sha2-512 by default if the SSH server advertises it and aborts the connection attempt when the MAC check fails.
Explanation:
The connector is used as a jump box that contains both an SSH gateway (the server side facing the user) and an SSH client (facing the target host). An SSH connection therefore consists of two hops, each with its own algorithm negotiation:
1. User's SSH client (e.g. PuTTY or OpenSSH) -> SSH gateway (connector)
2. SSH client (connector) -> OpenSSH server (e.g. Ubuntu)
If the MAC algorithm negotiated for hop #1 is hmac-sha2-512 and the one negotiated for hop #2 is a different, weaker algorithm (hmac-sha1 or hmac-sha2-256), the session does not work: the MACs the connector produces on hop #1 do not match what the client expects, and the client reports the "Corrupted MAC on input" error above.
If the same MAC algorithm is negotiated for hop #1 and hop #2, the session works.
Resolution:
As a workaround, configure the target OpenSSH server to offer only hmac-sha2-512 (the MACs directive in sshd_config), so that hop #2 is forced to negotiate the same algorithm as hop #1; the session then works. Note that this restriction applies to every client of that server, not only to the connector, so any other client that cannot use hmac-sha2-512 will no longer be able to connect.
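The following is an added example, not code from the Centrify Connector or from this article. It simulates the SSH MAC negotiation from RFC 4253 section 7.1 (the first algorithm in the client's preference list that the server also offers is chosen) for both hops described in the Explanation, and then shows why the workaround in the Resolution makes the two hops agree. The preference lists are constructed assumptions for illustration; the only one taken from the article is the user's client being forced to hmac-sha2-512.

```shell
#!/bin/sh
# Added example, not Centrify's code. Simulates the SSH MAC negotiation
# (RFC 4253 section 7.1: the first algorithm in the client's preference list
# that the server also offers is chosen) for both hops through the connector,
# and reports whether the two hops end up with the same MAC algorithm.

# negotiate CLIENT_PREFS SERVER_PREFS
#   Both lists are comma-separated, as in "ssh -m" or the sshd_config MACs directive.
#   Prints the chosen algorithm, or "none" (exit status 1) if there is no overlap.
negotiate() {
  for c in $(printf '%s' "$1" | tr ',' ' '); do
    for s in $(printf '%s' "$2" | tr ',' ' '); do
      if [ "$c" = "$s" ]; then
        printf '%s\n' "$c"
        return 0
      fi
    done
  done
  printf 'none\n'
  return 1
}

# two_hop USER_CLIENT GATEWAY_AS_SERVER GATEWAY_AS_CLIENT TARGET_SERVER
#   Hop 1: user's ssh client -> connector's SSH gateway (server side).
#   Hop 2: connector's SSH client -> target OpenSSH server.
#   Prints "ok <mac>" when both hops agree, else "mismatch <hop1-mac> <hop2-mac>".
two_hop() {
  hop1=$(negotiate "$1" "$2" || true)
  hop2=$(negotiate "$3" "$4" || true)
  if [ "$hop1" = "$hop2" ]; then
    printf 'ok %s\n' "$hop1"
  else
    printf 'mismatch %s %s\n' "$hop1" "$hop2"
  fi
}

# Constructed preference lists (assumptions, not taken from the connector's code):
USER_CLIENT='hmac-sha2-512'                            # user ran e.g. ssh -m hmac-sha2-512
GATEWAY_SERVER='hmac-sha1,hmac-sha2-256,hmac-sha2-512' # what the gateway advertises on hop 1
GATEWAY_CLIENT='hmac-sha1,hmac-sha2-256,hmac-sha2-512' # what the connector's client prefers on hop 2
TARGET_DEFAULT='hmac-sha2-256,hmac-sha2-512,hmac-sha1' # target sshd before the workaround
TARGET_FIXED='hmac-sha2-512'                           # target sshd_config: MACs hmac-sha2-512

# Before the workaround: hop 1 picks hmac-sha2-512, hop 2 picks hmac-sha1 -> mismatch.
two_hop "$USER_CLIENT" "$GATEWAY_SERVER" "$GATEWAY_CLIENT" "$TARGET_DEFAULT"
# After the workaround: hop 2 can only pick hmac-sha2-512 -> both hops agree.
two_hop "$USER_CLIENT" "$GATEWAY_SERVER" "$GATEWAY_CLIENT" "$TARGET_FIXED"
```

To check the real values rather than the simulated ones, run "sshd -T" on the target server and look at its "macs" line (it shows the effective list after the sshd_config edit), and run the user's ssh client with "-v": the "kex:" debug lines print the MAC algorithm negotiated on hop 1, which must equal the one the connector negotiates on hop 2 for the session to survive.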