
FGT execute ssh unable to negotiate … no matching MAC found

Problem

Unable to connect to a device through ssh from FortiGate

FGT1 # execute ssh admin@192.168.1.100
Unable to negotiate with 192.168.1.100: no matching MAC found. Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-md5-96

Solution (allow INSECURE ciphers)

config system global
    set strong-crypto disable
    set ssh-mac-algo hmac-md5 hmac-md5-etm@openssh.com hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-sha1 hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com hmac-ripemd160 hmac-ripemd160@openssh.com hmac-ripemd160-etm@openssh.com umac-64@openssh.com umac-128@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com
    set ssh-kex-algo diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
end

After you’ve finished your work, you should enable strong crypto again and change the settings back to their defaults:

config system global
    set strong-crypto enable
    unset ssh-mac-algo
    unset ssh-kex-algo
end
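The solution above enables every MAC algorithm FortiOS knows. As an added helper (not part of the original post), the script below parses the "Their offer:" part of the error and works out the smallest `set ssh-mac-algo` line that would reach that host, keeping the strong algorithms alongside a single weak one. The strong/weak split and the least-bad ordering are my assumptions, not FortiOS definitions.

```python
import re

# MAC algorithms FortiOS accepts in `set ssh-mac-algo`, in the order the Solution lists them.
FORTIGATE_MAC_ALGOS = (
    "hmac-md5 hmac-md5-etm@openssh.com hmac-md5-96 hmac-md5-96-etm@openssh.com "
    "hmac-sha1 hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com "
    "hmac-sha2-512 hmac-sha2-512-etm@openssh.com hmac-ripemd160 hmac-ripemd160@openssh.com "
    "hmac-ripemd160-etm@openssh.com umac-64@openssh.com umac-128@openssh.com "
    "umac-64-etm@openssh.com umac-128-etm@openssh.com"
).split()

# Assumption: only SHA-2 HMACs and 128-bit UMAC count as strong; the rest is
# what strong-crypto is meant to keep disabled.
STRONG_MAC_ALGOS = {a for a in FORTIGATE_MAC_ALGOS if "sha2" in a or a.startswith("umac-128")}

# Least-bad-first order used when only weak MACs are on offer (assumption).
WEAK_PREFERENCE = [
    "hmac-sha1-etm@openssh.com", "hmac-sha1", "umac-64-etm@openssh.com", "umac-64@openssh.com",
    "hmac-ripemd160-etm@openssh.com", "hmac-ripemd160@openssh.com", "hmac-ripemd160",
    "hmac-md5-etm@openssh.com", "hmac-md5", "hmac-md5-96-etm@openssh.com", "hmac-md5-96",
]

OFFER_RE = re.compile(r"no matching MAC found\. Their offer: (\S+)")

# Constructed sample: the error line from the Problem section above.
SAMPLE_ERROR = ("Unable to negotiate with 192.168.1.100: no matching MAC found. "
                "Their offer: hmac-md5,hmac-sha1,hmac-ripemd160,"
                "hmac-ripemd160@openssh.com,hmac-md5-96")


def parse_offer(error_line):
    """Return the MACs the remote side offered, or [] if the line is not this error."""
    m = OFFER_RE.search(error_line)
    return m.group(1).split(",") if m else []


def plan_mac_algo(error_line):
    """Return the offered MACs FortiOS can use, whether a weak one is required,
    and the minimal `set ssh-mac-algo` line (None when no change would help)."""
    offered = set(parse_offer(error_line))
    usable = [a for a in FORTIGATE_MAC_ALGOS if a in offered]
    if not usable or any(a in STRONG_MAC_ALGOS for a in usable):
        # Nothing FortiOS supports, or a strong MAC is already on offer.
        return {"usable": usable, "needs_weak": False, "cli": None}
    pick = next(a for a in WEAK_PREFERENCE if a in usable)
    # Keep every strong MAC next to the single weak one so other SSH sessions
    # to and from the FortiGate keep negotiating normally.
    algos = [a for a in FORTIGATE_MAC_ALGOS if a in STRONG_MAC_ALGOS or a == pick]
    return {"usable": usable, "needs_weak": True,
            "cli": "set ssh-mac-algo " + " ".join(algos)}
```

On the sample error this yields a line that adds only hmac-sha1 to the SHA-2 and UMAC-128 set; as on this page, `set strong-crypto disable` still has to precede it and the revert block afterwards still applies.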

Further details

Devices connected through CAPWAP, e.g. FortiAP or FortiSwitch, might lose their connection to your FortiGate if you change the strong-crypto setting.

I would recommend changing these settings only for a short period of time, or using another way to connect to the device (e.g. SSL VPN / VIP).

Sometimes you may try to access another device through ssh from the FortiGate and it fails because that device uses insecure ciphers.

Further details are very well documented in this KB article: Technical Tip: ‘Unable to negotiate with x.x.x.x: …’ – Fortinet Community

I’ve tested these changes/settings with FOS 7.2.5 and FOS 7.0.12.