Draft: Docs: Troubleshooting `Corrupted MAC on input` on Git/SSH operations

Niklas Janz requested to merge njanz-MAC-incorrect into master

What does this MR do?

Provides troubleshooting steps and workaround proposals for "Corrupted MAC on input" errors when utilizing Git over SSH.

This appears to be an issue between Win32-OpenSSH and RHEL's OpenSSH daemon patch set (observed in this customer ticket):

While the root cause has yet to be determined, comments in the above issue suggest using hmac instead of umac as a workaround, while Red Hat's mitigation guidelines suggest etm:

Disabling ciphers if necessary:

If "kex-strict-c-v00@openssh.com" is not provided by clients or "kex-strict-s-v00@openssh.com" is absent in the server's reply, you can disable the following ciphers and HMACs as a workaround on RHEL-8 and RHEL-9:

  1. chacha20-poly1305@openssh.com
  2. hmac-sha2-512-etm@openssh.com
  3. hmac-sha2-256-etm@openssh.com
  4. hmac-sha1-etm@openssh.com
  5. hmac-md5-etm@openssh.com

Related issues

Author's checklist

If you are a GitLab team member and only adding documentation, do not add any of the following labels:

  • ~"frontend"
  • ~"backend"
  • ~"type::bug"
  • ~"database"

These labels cause the MR to be added to code verification QA issues.

Reviewer's checklist

Documentation-related MRs should be reviewed by a Technical Writer for a non-blocking review, based on Documentation Guidelines and the Style Guide.

If you aren't sure which tech writer to ask, use roulette or ask in the #docs Slack channel.

  • If the content requires it, ensure the information is reviewed by a subject matter expert.
  • Technical writer review items:
    • Ensure docs metadata is present and up-to-date.
    • Ensure the appropriate labels are added to this MR.
    • Ensure a release milestone is set.
    • If relevant to this MR, ensure content topic type principles are in use, including:
      • The headings should be something you'd do a Google search for. Instead of Default behavior, say something like Default behavior when you close an issue.
      • The headings (other than the page title) should be active. Instead of Configuring GDK, say something like Configure GDK.
      • Any task steps should be written as a numbered list.
      • If the content still needs to be edited for topic types, you can create a follow-up issue with the docs-technical-debt label.
  • Review by assigned maintainer, who can always request/require the reviews above. Maintainer's review can occur before or after a technical writer review.
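
The condition in the workaround quoted in the description (whether the client offers `kex-strict-c-v00@openssh.com` and the server's reply carries `kex-strict-s-v00@openssh.com`) can be read from the client's `ssh -vv` output. The following is an added example, not part of the merge request or of GitLab's docs: `analyze`, the sample log and the debug-line format it expects are assumptions based on how the OpenSSH client prints its KEXINIT proposals.

```python
import re

# The five algorithms the quoted workaround lists for RHEL-8 and RHEL-9.
WORKAROUND_LIST = {
    "chacha20-poly1305@openssh.com",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha1-etm@openssh.com",
    "hmac-md5-etm@openssh.com",
}
KEX_LINE = re.compile(r"debug2: KEX algorithms: (\S+)")
NEGOTIATED = re.compile(r"debug1: kex: (\S+) cipher: (\S+) MAC: (\S+)")


def analyze(debug_log):
    """Summarise strict-KEX markers and negotiated algorithms in `ssh -vv` output."""
    side = None  # which KEXINIT proposal the current lines belong to
    offered = {"client": set(), "server": set()}
    negotiated = {}  # direction -> (cipher, MAC)
    for line in debug_log.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        elif side and (m := KEX_LINE.search(line)):
            offered[side].update(m.group(1).split(","))
        elif m := NEGOTIATED.search(line):
            negotiated[m.group(1)] = (m.group(2), m.group(3))
    in_use = {alg for pair in negotiated.values() for alg in pair}
    return {
        "client_strict": "kex-strict-c-v00@openssh.com" in offered["client"],
        "server_strict": "kex-strict-s-v00@openssh.com" in offered["server"],
        "negotiated": negotiated,
        "listed_in_use": sorted(in_use & WORKAROUND_LIST),
    }


# Constructed sample shaped like OpenSSH client debug output (not a real capture).
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ext-info-c
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,kex-strict-s-v00@openssh.com
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

In the constructed sample the client does not offer the strict-KEX marker and an algorithm from the list is negotiated in both directions, which is the case the workaround addresses.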