"Corrupted MAC" errors on Windows
The official SSH component of Windows has a bug in the implementation of the umac-128-etm@openssh.com
MAC algorithm and prefers this algorithm over others that are not bugged.
When connecting to the login nodes, the bug trips the corrupted MAC detection and the error Corrupted MAC on input
is reported.
To avoid the issue, add -m hmac-sha2-256-etm@openssh.com
to your ssh command line, use a better SSH client, or change your configuration as shown below.
Reduce the priority of the buggy MAC algorithm
Another way is to override the MAC used or change the priority list to de-prioritize (or remove) the buggy MAC.
The easiest way to do this in a persistent way is to change your .ssh/config
file, which is at %USERPROFILE%\.ssh\config
on Windows (this usually works out to be something like C:\Users\YOUR_USERNAME\.ssh\config
).
Go to the Host
entries for the login nodes and add the option MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
to them, which will change the priority order to use non-buggy ones first but still retain the problematic one for if you upgrade OpenSSH later.
You can also add this to a Host *
block to enable it for all hosts. Since the buggy implementation is not disabled, just de-prioritized, it should not cause connection problems with any other servers.
See the Configuring SSH page for more information on the config file, particularly if you have not made one yet.
It is also possible to override the default MAC when running SSH on the command line with the -m MAC1[,...,MACN]
option.
Examples would be -m hmac-sha2-256-etm@openssh.com
to pick just one or -m hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
to specify a list of ones use in order of priority.
Complete example:
ssh -m hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com -i C:\Users\local_username\.ssh\id_ed25519 username@glogin.hpc.gwdg.de