
SshConnectionException: MAC Error when using only hmac-sha2-512 with .NET 8 and SSH.NET 2024.1.0 #1660

@giladsepio

Description


When connecting to a Cisco switch that only allows the hmac-sha2-512 MAC algorithm, the SSH.NET client throws an SshConnectionException with the message MAC Error.

This happens only when hmac-sha2-512 is the sole allowed MAC on the server. If we include hmac-sha2-256 in the server config, the connection succeeds.

Environment:

SSH.NET version: 2024.1.0

.NET version: .NET 8

Platform: Linux and Windows (tested on both)

SSH server: Cisco switch with the following settings:

ip ssh server algorithm mac hmac-sha2-512

Server-Side SSH Debug Output (Cisco):

Jun 25 10:31:45.083: kex: client->server enc:aes128-ctr mac:hmac-sha2-512
Jun 25 10:31:45.083: kex: server->client enc:aes128-ctr mac:hmac-sha2-512

Jun 25 10:31:47.932: SSH2 1: SSH2_MSG_NEWKEYS received
Jun 25 10:31:48.760: SSH1: Session disconnected - error 0x00

Client Stack Trace:

Renci.SshNet.Common.SshConnectionException: MAC Error
   at Renci.SshNet.Session.ReceiveMessage(Socket socket)
   at Renci.SshNet.Session.MessageListener()
   at Renci.SshNet.Session.Connect()
   at Renci.SshNet.BaseClient.CreateAndConnectSession()
   at Renci.SshNet.BaseClient.Connect()

What Works:
When we change the server to:

ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256

Then the client connects successfully, negotiating hmac-sha2-256.

Expected Behavior:
SSH.NET should be able to successfully connect using hmac-sha2-512 as the MAC algorithm.

Notes:

This looks like a bug in the hmac-sha2-512 MAC handling implementation in SSH.NET.

Possibly related to incorrect handling of the MAC size (512 bits = 64 bytes) or key derivation.

Repro Steps (Pseudocode):

using System;
using Renci.SshNet;

KeyboardInteractiveAuthenticationMethod kauth = new KeyboardInteractiveAuthenticationMethod(_user);
PasswordAuthenticationMethod pauth = new PasswordAuthenticationMethod(_user, _password);

//kauth.AuthenticationPrompt += new EventHandler<Renci.SshNet.Common.AuthenticationPromptEventArgs>(HandleKeyEvent);
kauth.AuthenticationPrompt += (a, b) => HandleKeyEvent(a, b, _password);

// Setup credentials and server information
ConnectionInfo ConnNfo = new ConnectionInfo(_ipAddress, 22, _user, [kauth, pauth]);
ConnNfo.Timeout = TimeSpan.FromSeconds(30);

_sshClient = new SshClient(ConnNfo);
_sshClient.TrustKeyReceived(); // not an SSH.NET method; assumed to be a helper in the reporter's code that handles HostKeyReceived

_sshClient.Connect(); // throws SshConnectionException: MAC Error
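The two hypotheses in the notes above (a wrong MAC size or a wrong integrity-key derivation) can be checked against the protocol math itself. The following Python is an added example, not code from the issue or from SSH.NET: it derives the server-to-client integrity key per RFC 4253 section 7.2 (hmac-sha2-512 needs a 64-byte key per RFC 6668, so with a SHA-256 key-exchange hash the derivation must run two rounds) and computes and verifies the per-packet tag per section 6.4. K, H, the session id and the packet bytes are constructed stand-ins, and the 32-byte "short key" is a hypothetical bug, not a finding about SSH.NET.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins for the key-exchange outputs (not real values).
K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
H = hashlib.sha256(b"constructed exchange hash").digest()
SESSION_ID = H  # on the first key exchange the session id equals H


def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b""
    return struct.pack(">I", len(raw)) + raw


def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes,
               need: int, hash_fn=hashlib.sha256) -> bytes:
    """RFC 4253 section 7.2 key derivation, extended when the MAC needs more
    bytes than one HASH output: K1 = HASH(K||H||X||session_id),
    K2 = HASH(K||H||K1), ..., key = (K1||K2||...)[:need]."""
    k_enc = mpint(k)
    out = hash_fn(k_enc + h + letter + session_id).digest()
    while len(out) < need:
        out += hash_fn(k_enc + h + out).digest()
    return out[:need]


def packet_mac(key: bytes, seqno: int, packet: bytes) -> bytes:
    """RFC 4253 section 6.4: mac = MAC(key, sequence_number || unencrypted_packet);
    for hmac-sha2-512 the tag is the full 64-byte HMAC-SHA-512 output (RFC 6668)."""
    return hmac.new(key, struct.pack(">I", seqno) + packet, hashlib.sha512).digest()


def verify(key: bytes, seqno: int, packet: bytes, received_mac: bytes) -> bool:
    """Constant-time tag check; a length mismatch also fails (the 'MAC Error' path)."""
    return hmac.compare_digest(packet_mac(key, seqno, packet), received_mac)


def demo() -> dict:
    packet = b"\x00\x00\x00\x1c\x06" + b"constructed packet payload"  # constructed
    seqno = 3
    good_key = derive_key(K, H, b"F", SESSION_ID, 64)   # 'F' = server-to-client integrity key
    mac = packet_mac(good_key, seqno, packet)           # tag the switch would send
    short_key = derive_key(K, H, b"F", SESSION_ID, 32)  # hypothetical bug: one hash round only
    return {
        "mac_len": len(mac),
        "full_key_verifies": verify(good_key, seqno, packet, mac),
        "short_key_verifies": verify(short_key, seqno, packet, mac),
        "truncated_tag_verifies": verify(good_key, seqno, packet, mac[:32]),
    }
```

Either defect (a key that stops after one hash round, or a tag compared at 32 bytes) makes every inbound packet fail verification, which matches a disconnect right after SSH2_MSG_NEWKEYS.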
