Can't SSH without '-o MACs=hmac-md5' option for SSH



  • I can ssh into my server over OpenVPN if I use:

    ssh -o MACs=hmac-md5 192.168.1.10

    but without the -o MACs=hmac-md5 part, ssh will not connect.

    Any help would be appreciated!

    Thanks!


  • LAYER 8 Global Moderator

    What ssh client are you using, and what pfSense version are you connecting to?

    Can we see the output of -v (debug) when you try to connect, if you are using, say, the OpenSSH client? If you're using some other client, however you can get to see the connection as it's being made would be helpful.

    They did modify the ssh server security recently to provide for newer ciphers, etc. I connect in via chacha20, for example:

    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
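The debug lines the moderator asks for are easy to lose in the rest of the -v output. The script below is an added example, not code from the thread or from pfSense: it filters `ssh -v` output (which OpenSSH writes to stderr) down to the negotiated host key, cipher and MAC, or to the "no matching MAC found" line that explains why forcing `-o MACs=hmac-md5` is needed. It assumes an OpenSSH client with `ssh -Q`; the two sample sessions are constructed, modelled on the debug lines above, and the server's offer in the failing sample is made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarize the key-exchange result of
# `ssh -v` output, so the negotiated cipher/MAC or the negotiation failure is
# visible at a glance. Assumes an OpenSSH client. Sample sessions below are
# constructed for illustration.
#
# Real use:  ssh -v user@192.168.1.10 2>&1 | summarize_kex

# Filter stdin (ssh -v output) down to the lines that matter for this problem.
summarize_kex() {
    awk '
        /debug1: kex: host key algorithm:/ { print "hostkey: " $NF }
        /debug1: kex: server->client cipher:/ {
            sub(/.*cipher: /, ""); sub(/ compression:.*/, "")
            print "s2c: " $0
        }
        /debug1: kex: client->server cipher:/ {
            sub(/.*cipher: /, ""); sub(/ compression:.*/, "")
            print "c2s: " $0
        }
        # OpenSSH prints "Unable to negotiate with HOST port N: no matching
        # MAC found. Their offer: ..." when the two algorithm lists are disjoint.
        /no matching (MAC|cipher|host key type|key exchange method) found/ {
            sub(/.*: no matching/, "no matching")
            print "FAIL: " $0
        }
    '
}

# Constructed sample: client and server agree on an AEAD cipher, so the MAC
# is <implicit> and no -o MACs=... override is needed.
sample_ok() {
    printf '%s\n' \
        'debug1: kex: algorithm: curve25519-sha256' \
        'debug1: kex: host key algorithm: ssh-ed25519' \
        'debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none' \
        'debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none'
}

# Constructed sample: the server only offers MACs the client no longer lists
# by default, so the connection dies before authentication.
sample_fail() {
    printf '%s\n' \
        'debug1: SSH2_MSG_KEXINIT sent' \
        'debug1: SSH2_MSG_KEXINIT received' \
        'Unable to negotiate with 192.168.1.10 port 22: no matching MAC found. Their offer: hmac-md5,hmac-sha1-96'
}

# Is a MAC compiled into the local client at all? (`ssh -Q mac` lists what the
# binary supports; a MAC can be supported yet absent from the default offer.)
client_has_mac() {
    ssh -Q mac 2>/dev/null | grep -qx "$1"
}

if [ "${1:-}" = "--demo" ]; then
    echo "== working session =="; sample_ok | summarize_kex
    echo "== failing session =="; sample_fail | summarize_kex
fi
```

If the failing output shows the server offering only MD5/SHA-1 MACs, the fix belongs on the server (enable a modern MAC or AEAD cipher); forcing `-o MACs=hmac-md5` on the client, or pinning it under a `Host 192.168.1.10` stanza in `~/.ssh/config`, only works around the mismatch.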


  • Rebel Alliance Developer Netgate

    Also: What is "your server"?

    If the client is an OpenVPN client and the server is some other box (not pfSense) on your LAN, then the firewall would not have any sway over their protocol negotiation. If it works at all, it wouldn't be the firewall. If it's broken, it's on the client and/or server.


  • LAYER 8 Global Moderator

    Good catch, I took it pfSense was the server, but yeah, now that I reread it, it could be a server behind pfSense that he is sshing to. If that is the case then pfSense has nothing to do with it.

