I ran into trouble connecting to some old network gear this week. It seems that the hmac-sha1 MAC was removed from the default client connection settings. It is still supported so can be specified manually in the client config file, such as this set that I use for older Extreme switches:
Host switch-1.domain.tld KexAlgorithms diffie-hellman-group1-sha1 HostKeyAlgorithms ssh-dss Ciphers aes256-cbc MACs hmac-sha1
The error I was getting:
Unable to negotiate with 192.168.1.1 port 22: no matching MAC found. Their offer: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
You can see the difference in old and new ssh -vv outputs:
A Windows Server 2022 example:
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2<snip>debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Freshly updated (2024-10-15) Windows 11 example:
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2<snip>debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
The changes can be found in the myproposal.h file. Here is a before and after since the diffs on GitHub seemed confusing to me.
Before:
#define KEX_SERVER_MAC \ "umac-64-etm@openssh.com," \ "umac-128-etm@openssh.com," \ "hmac-sha2-256-etm@openssh.com," \ "hmac-sha2-512-etm@openssh.com," \ "hmac-sha1-etm@openssh.com," \ "umac-64@openssh.com," \ "umac-128@openssh.com," \ "hmac-sha2-256," \ "hmac-sha2-512," \ "hmac-sha1"
After:
#ifdef WINDOWS#define KEX_SERVER_MAC \ "umac-64-etm@openssh.com," \ "umac-128-etm@openssh.com," \ "hmac-sha2-256-etm@openssh.com," \ "hmac-sha2-512-etm@openssh.com," \ "umac-64@openssh.com," \ "umac-128@openssh.com," \ "hmac-sha2-256," \ "hmac-sha2-512,"#else#define KEX_SERVER_MAC \ "umac-64-etm@openssh.com," \ "umac-128-etm@openssh.com," \ "hmac-sha2-256-etm@openssh.com," \ "hmac-sha2-512-etm@openssh.com," \ "hmac-sha1-etm@openssh.com," \ "umac-64@openssh.com," \ "umac-128@openssh.com," \ "hmac-sha2-256," \ "hmac-sha2-512," \ "hmac-sha1"#endif
So this only affects the Windows client.