[oi-dev] OpenSSH 7.2 GSSAPIAuthentication=no broken?

Gordon Ross gordon.w.ross at gmail.com
Sat Jan 13 17:08:26 UTC 2018 

I have a perplexing bug here, I think.  (Or maybe a mis-configuration?)
I set GSSAPIAuthentication=no in .ssh/config but I still see my
ssh client trying to do GSAPI stuff, which times out in DNS.
I want this to work without requiring reverse DNS.
Actually, "getent hosts IPADDR" works, because the IP is
in etc/inet/hosts but as you see below,  gssapi calls the DNS
resolver library directly (grumble) instead of getnameinfo
or whatever that would use nsswitch...

Anyone know why with GSSAPIAuthentication=no
I'm still seeing attempts to  use gssapi?

Here's the stack while the ssh client is stuck
waiting for the resolver to time out...



24572: ssh -vvv oi-test
 fea53385 pollsys  (8043214, 1, 80431a8, 0)
 fe9e50b6 poll     (8043214, 1, 1388, 0) + 66
 fef4e0e1 send_dg  (8143b50, 80439c0, 25, 81a4bbc, 10000, 8043948) + 391
 fef4ea68 res_nsend (8143b50, 80439c0, 25, 81a4bbc, 10000, 400) + 595
 fef4cbb2 res_nquery (8143b50, 8043e1f, 1, 1, 81a4bbc, 10000) + 14d
 fef4ce90 res_nquerydomain (8143b50, 8140bb5, 8143bb0, 1, 1, 81a4bbc) + 131
 fef4d088 res_nsearch (8143b50, 8140bb5, 1, 1, 81a4bbc, 10000) + 1ed
 fef22c05 ho_byname2 (8160890, 8140bb5, 2, fef4479a, 0, ffffffff) + 216
 fef25e79 ho_byname2 (81608bc, 8140bb5, 2, 401, 0, fefc35c2) + 75
 fef29132 gethostbyname2_p (8140bb5, 2, 815f7e0, fef29188, feac2804, 0) + 123
 fef2936d res_getipnodebyname (8140bb5, 2, 0, 8045088) + 20d
 fe8fd75d krb5_sname_to_principal (81416a0, 8140bb5, 8140bb0, 3,
8045608, 40) + 94
 fe8960da krb5_gss_import_name (813f59c, 812b8f8, 812b908, 80456b8) + 12e
 fe89780c k5glue_import_name (0, 813f59c, 812b8f8, 812b908, 80456b8,
fec998d6) + 24
 fec8a1d2 __gss_import_internal_name (813f59c, 812b8e8, 812fae8,
80456b8, 0, 812fae8) + 52
 fec85c3f gss_init_sec_context (813f59c, 0, 813f5a0, 812fae8, 812b8e8, 22) + be
 080ac1b3 ssh_gssapi_check_mechanism (0, 81406a8, 812b838, 0) + 1ef
 080ac349 ssh_gssapi_client_mechanisms (812b838, 8107fdf, 82, 0,
feac2804, 0) + 105
 08078779 ssh_kex2 (812b818, 812b040, 16, fea53d35, 812b818, 812b040) + 2c5
 08073869 ssh_login (8128f90, 812b648, 812b040, 16, 812c428) + a5
 08065bf0 main     (804797c, feacf2c8, 80479b0, 806331b, 3, 80479bc) + 19c0
 0806331b _start   (3, 8047ae8, 8047aec, 8047af1, 0, 8047af9) + 83
24479: ssh oi-test
 fea53385 pollsys  (80456e0, 2, 0, 0)
 fe9ea249 pselect  (9, 812b818, 812b7f8, feacbfe0, 0, 0) + 232
 fe9ea54b select   (9, 812b818, 812b7f8, 0, 0, 0) + 8e
 0807138f client_loop (1, 7e, 0, 8140e20, 0, 0) + 51f
 08065f92 main     (804797c, feacf2c8, 80479b8, 806331b, 2, 80479c4) + 1d62
 0806331b _start   (2, 8047aec, 8047af0, 0, 8047af8, 8047b0f) + 83

More information about the oi-dev mailing list