[oi-dev] OpenSSH 7.2 GSSAPIAuthentication=no broken?
Alexander Pyhalov
alp at rsu.ru
Mon Jan 15 07:10:26 UTC 2018
On 01/13/18 08:08 PM, Gordon Ross wrote:
> I have a perplexing bug here, I think. (Or maybe a mis-configuration?)
> I set GSSAPIAuthentication=no in .ssh/config but I still see my
> ssh client trying to do GSSAPI stuff, which times out in DNS.
> I want this to work without requiring reverse DNS.
> Actually, "getent hosts IPADDR" works, because the IP is
> in etc/inet/hosts but as you see below, gssapi calls the DNS
> resolver library directly (grumble) instead of getnameinfo
> or whatever that would use nsswitch...
>
> Anyone know why with GSSAPIAuthentication=no
> I'm still seeing attempts to use gssapi?
>
> Here's the stack while the ssh client is stuck
> waiting for the resolver to time out...
Hello.
It could be GSSAPIKeyExchange, which was on by default in Solaris and in
earlier OI OpenSSH versions. At least it's disabled by default to avoid
DNS timeouts since last January.
--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department