Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-10200: CPS SSH gateway incorrectly calculates HMAC-SHA2-512

18 March,20 at 02:03 PM

Applies to: All version of Centrify Connector for Centrify Infrastructure Services


When opening a ssh session using HMAC-SHA2-512 algorithm for calculating the MAC, the connection fails to establish due to incorrectly calculated MAC by the SSH gateway (Centrify Connector service).

To replicate, authorize a user to login with a privileged SSH account in CPS.
Connect to the SSH gateway with this account, using openssh ssh client.

Example for user 'dwirth@centrify.lab' that wants to access the privileged acount 'root@engcen6.centrify.lab', with the Centrify connector running on 'connector.centrify.lab' :

ssh -m hmac-sha2-512 -l root@engcen6.centrify.lab@dwirth@centrify.lab connector.centrify.lab

As soon as the authentication phase has finished, the connection fails and the following error will be shown:

Corrupted MAC on input.
ssh_dispatch_run_fatal: Connection to <IP of connector service> port 22: message authentication code incorrect

The same error occurs with the other commercial SSH session manager, which tries to use hmac-sha2-512 by default if advertised by the SSH server, and will abort the connection attempt when that fails.


We use connector as the jump box which has both SSH Gateway and SSH Client. The flow for the ssh connection is as follows.

1. Open SSH Client (E.g. Putty) -> SSH Gateway(Connector)
2. SSH Client (Connector) -> Open SSH Server (E.g. Ubuntu)

If the mac algorithm negotiated for #1 is hmac-sha2-512 and for #2 is lower (hmac-sha1 and hmac-sha2-256), this is not working (HMAC mismatch)

if the mac algorithm for #1 and #2 is same, this will work.


In this case, as a workaround force the Open SSH Server to use on only hmac-sha2-512, it will work.

    Open /etc/ssh/sshd_config
    Add or update:

    MACs hmac-sha2-512

    Restart Open SSH Server