PAM seeing "Corrupted MAC on input" SSH error after upgrading

  • 21-Sep-2018


Privileged Account Manager 3.2
Privileged Account Manager
Privileged Account Manager 3.5


After upgrading to a PAM version that introduces an upgraded OpenSSH (7.5p1), some ssh clients encounter a problem connecting to the ssh-relay.

Output similar to the following is seen when using "ssh -vv ...":

debug1: rekey after 4294967296 blocks

debug2: key: /opt/CBKpwvc/.ssh/id_rsa (0)

debug2: key: /opt/CBKpwvc/.ssh/id_dsa (0)

debug2: key: /opt/CBKpwvc/.ssh/id_ecdsa (0)

debug2: key: /opt/CBKpwvc/.ssh/id_ed25519 (0)

debug3: send packet: type 5

Corrupted MAC on input.

Authentication failed.


On the ssh-relay server add the following to /opt/netiq/npum/service/local/sshrelay/etc/sshd_config:

MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1,,,,,,,

This makes the sshd (ssh-relay) server tell the client that it would prefer to use hmac-sha2-256, then hmac-sha2-512, and so on. As the problem MAC looks to be the "", the client should find a working MAC before reaching these.

A quick solution could be to use the following:

# ssh -t -m hmac-sha1 -p 2222 <user>@<ssh-relay server>

This connects to the ssh-relay server using the hmac-sha1 MAC.


It is not fully clear why this happens. A search reveals that this is not only seen in combination with PAM, and it is not seen with all clients.
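
To see which MAC a failing session actually negotiated, and which MACs the ssh-relay offers after the sshd_config change, the saved "ssh -vv" output can be summarised. The following is an added example, not part of the original article; the log lines in sample_log are constructed and EXAMPLE-MAC is a placeholder, not a real algorithm name.

```shell
# Summarise MAC negotiation from saved "ssh -vv" output (file argument or stdin).
diagnose_mac() {
    awk '
        # With -vv the client dumps both KEXINIT proposals; track whose list we are in.
        /^debug2: local client KEXINIT proposal/ { peer = 0 }
        /^debug2: peer server KEXINIT proposal/  { peer = 1 }
        # MAC list the server offers for server-to-client traffic.
        peer && /^debug2: MACs stoc: / { print "server-offers=" $4 }
        # One "kex:" line per direction names the agreed cipher and MAC.
        /^debug1: kex: (server->client|client->server) / {
            mac = ""
            for (i = 4; i < NF; i++) if ($i == "MAC:") mac = $(i + 1)
            print $3, "mac=" mac
            seen = 1
        }
        /Corrupted MAC on input/ { corrupted = 1 }
        END {
            if (!seen) print "no kex lines found (was -vv used?)"
            print "result=" (corrupted ? "corrupted-mac" : "ok")
        }
    ' "${1:--}"
}

# Constructed sample of a failing session; EXAMPLE-MAC is a placeholder name.
sample_log() {
    cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: MACs ctos: EXAMPLE-MAC,hmac-sha2-256,hmac-sha1
debug2: MACs stoc: EXAMPLE-MAC,hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: MACs ctos: EXAMPLE-MAC,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: EXAMPLE-MAC,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug1: kex: server->client cipher: aes128-ctr MAC: EXAMPLE-MAC compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: EXAMPLE-MAC compression: none
debug3: send packet: type 5
Corrupted MAC on input.
EOF
}

sample_log | diagnose_mac
```

For a real session, capture the debug output with "ssh -vv -p 2222 <user>@<ssh-relay server> 2> ssh-debug.log" and run "diagnose_mac ssh-debug.log"; comparing the summary from a working and a failing client shows whether they agreed on different MACs.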