ssh_dispatch_run_fatal: message authentication code incorrect

Tags: sftp, ssh, ssh-tunneling

For a few days I've been facing an issue while connected to my server over SSH, for proxy/tunnel usage.

I – Setup

Client

Here is the machine:

iMac:~ Luca$ sw_vers

ProductName: Mac OS X

ProductVersion: 10.11.6

BuildVersion: 15G1108

iMac:~ Luca$ sudo sysctl net.inet.ip.forwarding

net.inet.ip.forwarding: 0

iMac:~ Luca$ sudo sysctl net.inet.ip.fw.enable

net.inet.ip.fw.enable: 1

Tried on three different networks.

Browser

I'm using Firefox 50.0.1 to browse the internet, with the FoxyProxy extension configured like so:

host address : 127.0.0.1

port : 9999

socks v5

SSH command

I'm using Terminal.app to connect to my server over SSH.

iMac:~ Luca$ ssh -p 53 -D 9999 luca@myIP

Server

luca@myServer:~$ ssh -V

OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016

luca@myServer:~$ cat /proc/sys/net/ipv4/ip_forward

1

II – Expected

Once the connection is open, I can browse any website without any issue (with my IP being my server's).

This was fine until a few days ago.
This is still fine if I try:

  • same server (A), another computer (Y)
  • same computer (X), another server (B)

From what it looks like, it doesn't work with my computer (X) and my server (A).

III – What happens

luca@myServer:~$ ssh_dispatch_run_fatal: Connection to myIP: message authentication code incorrect

The connection is then closed.

This message appears at random times. But I can reproduce it easily with a big data load through the proxy: load multiple videos, download big files, etc.

IV – Another way, similar problem

If I connect to my server through sftp:// (with FileZilla) with the same login (luca) and the same port (53), and then try to download a file, every <30 seconds I get the following error:

Error : Incorrect MAC received on packet

Once again, this happens only with my computer (X) and my server (A).
If I try another server (B) on the same computer (X): no problem.
If I try the same server (A) on another computer (Y): no problem.

V – What I've tried (and didn't fix)

  1. Reboot the server and the computer
  2. Restart ssh/sshd on both the server and the computer
  3. Delete the known_hosts file on the computer
  4. Specify a -m and -c with the ssh command
  5. Specify a -o GSSAPIKeyExchange=no within the ssh command
  6. Uncomment the Ciphers and/or MACs lines within /etc/ssh/ssh_config on the server and/or the computer
  7. Looked at the output of the -vvvvv option with the ssh command and read the logs on the server/computer; nothing looked related.

Any help would be appreciated.

APPENDIX

Server ssh -Q mac

luca@myServer:~$ ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

Computer ssh -Q mac

iMac:~ Luca$ ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

Server ssh -v -p 53 -D 9999 luca@myIP

iMac:~ Luca$ ssh -v -p 53 -D 9999 luca@myIP

OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to myIP [myIP] port 53.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Luca/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Luca/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Luca/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Luca/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Luca/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Luca/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Luca/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/Luca/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to myIP:53 as 'luca'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:DUAAYL1r0QUDtRI89JozTTz+bm5wcg4cOSaFaRdbr/Y
debug1: Host '[myIP]:53' is known and matches the ECDSA host key.
debug1: Found key in /Users/Luca/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/Luca/.ssh/id_rsa
debug1: Trying private key: /Users/Luca/.ssh/id_dsa
debug1: Trying private key: /Users/Luca/.ssh/id_ecdsa
debug1: Trying private key: /Users/Luca/.ssh/id_ed25519
debug1: Next authentication method: password

luca@myIP's password:

debug1: Authentication succeeded (password).
Authenticated to myIP ([myIP]:53).
debug1: Local connections to LOCALHOST:9999 forwarded to remote address socks:0
debug1: Local forwarding listening on ::1 port 9999.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 9999.
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = fr_FR.UTF-8
Debian GNU/Linux 8.6

Linux <server> #1 SMP Tue Mar 18 14:48:24 CET 2014 x86_64 GNU/Linux

server    : 274305
hostname  : myServer
eth0 IPv4 : myIPv4
eth0 IPv6 : myIPv6
Last login: Thu Dec  8 15:36:09 2016 from XXX.XXX.XXX.XXX

luca@myServer:~$

Error I see sometimes

luca@myServer:~$ Bad packet length 3045540078.

padding error: need -1249427218 block 8 mod 6

ssh_dispatch_run_fatal: Connection to 5.39.88.21: message authentication code incorrect

Server ssh -o macs=hmac-sha1 -v -p 53 -D 9999 luca@myServer when crash happens

iMac:~ Luca$ ssh -o macs=hmac-sha1 -v -p 53 -D 9999 luca@myIP
// [...]
luca@myServer:~$ debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 3: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 4: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 5: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 6: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 7: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 8: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 9: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 10: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 11: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 12: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 13: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 14: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 15: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 16: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 17: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 18: new [dynamic-tcpip]
debug1: Connection to port 9999 forwarding to socks port 0 requested.
debug1: channel 19: new [dynamic-tcpip]
ssh_dispatch_run_fatal: Connection to myIP : message authentication code incorrect
iMac:~ Luca$

After updating SSH on client-side

iMac:~ Luca$ ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2j  26 Sep 2016

iMac:~ Luca$ ssh -p 53 -D 9999 luca@myIP
luca@myIP's password: 
luca@ns3274305:~$ ssh_dispatch_run_fatal: Connection to myIP port 53: message authentication code incorrect

iMac:~ Luca$ ssh -o macs=hmac-sha1 -p 53 -D 9999 luca@myIP
luca@myIP's password: 
luca@ns3274305:~$ ssh_dispatch_run_fatal: Connection to myIP port 53: message authentication code incorrect
iMac:~ Luca$
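
An added example, not part of the original post: a small Python parser for the `ssh -v` output and error lines shown above. It reports the negotiated cipher and MAC, whether the `MACs` option selects what is checked, and which lines are packet-integrity failures. The function names and the `SAMPLE` string are assumptions made for the example, and the parser goes beyond the post by also accepting the labelled `cipher: ... MAC: ...` form of the `kex:` line that newer OpenSSH clients print.

```python
import re

# Constructed sample: the two "kex:" lines and the three error lines are the ones
# shown in the question's terminal output, with the address written as "myIP".
SAMPLE = """\
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
Bad packet length 3045540078.
padding error: need -1249427218 block 8 mod 6
ssh_dispatch_run_fatal: Connection to myIP: message authentication code incorrect
"""

# Matches the OpenSSH 6.9 form above and the labelled form newer clients print:
#   kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
KEX_RE = re.compile(r"kex: (server->client|client->server) "
                    r"(?:cipher: )?(\S+) (?:MAC: )?(\S+) (?:compression: )?(\S+)")

# Messages that mean a received packet failed length, padding or MAC checks.
INTEGRITY_RES = {
    "bad_packet_length": re.compile(r"Bad packet length \d+"),
    "padding_error": re.compile(r"padding error: need -?\d+ block \d+ mod \d+"),
    "mac_incorrect": re.compile(r"message authentication code incorrect"),
    "mac_incorrect_sftp_client": re.compile(r"Incorrect MAC received on packet"),
}

def negotiated(log):
    """Map each direction to the cipher/MAC/compression the client negotiated."""
    result = {}
    for direction, cipher, mac, comp in KEX_RE.findall(log):
        result[direction] = {
            "cipher": cipher, "mac": mac, "compression": comp,
            # "<implicit>": an AEAD cipher authenticates each packet itself, so
            # the MACs option (-m / -o macs=) does not select what is checked.
            "macs_option_applies": mac != "<implicit>",
        }
    return result

def integrity_failures(log):
    """Return (line_number, kind) for every packet-integrity error in the log."""
    hits = []
    for number, line in enumerate(log.splitlines(), start=1):
        for kind, pattern in INTEGRITY_RES.items():
            if pattern.search(line):
                hits.append((number, kind))
                break
    return hits

if __name__ == "__main__":
    for direction, algs in negotiated(SAMPLE).items():
        print(direction, algs)
    for number, kind in integrity_failures(SAMPLE):
        print(f"line {number}: {kind}")
```

To use it on a real session, save the client's stderr (for example `ssh -v ... 2> ssh-debug.log`) and pass the file contents to both functions.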

Best Answer

I've updated from Mac OS El Capitan (10.11) to Mac OS Sierra (10.12).

The problem doesn't occur anymore.

I still don't know what the problem really was.
