[oi-dev] OpenSSH 7.2 GSSAPIAuthentication=no broken?

Alexander Pyhalov alp at rsu.ru
Mon Jan 15 07:10:26 UTC 2018

On 01/13/18 08:08 PM, Gordon Ross wrote:
> I have a perplexing bug here, I think.  (Or maybe a mis-configuration?)
> I set GSSAPIAuthentication=no in .ssh/config but I still see my
> ssh client trying to do GSSAPI stuff, which times out in DNS.
> I want this to work without requiring reverse DNS.
> Actually, "getent hosts IPADDR" works, because the IP is
> in etc/inet/hosts but as you see below, gssapi calls the DNS
> resolver library directly (grumble) instead of getnameinfo
> or whatever that would use nsswitch...
> Anyone know why with GSSAPIAuthentication=no
> I'm still seeing attempts to use gssapi?
> Here's the stack while the ssh client is stuck
> waiting for the resolver to time out...

It could be GSSAPIKeyExchange, which was on by default in Solaris and in 
earlier OI OpenSSH versions. At least it's disabled by default to avoid 
DNS timeouts since last January.
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department
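
Added example, not part of the original messages: a small checker that resolves which GSSAPIAuthentication and GSSAPIKeyExchange values an ssh_config text yields for a given host, using the first-obtained-value rule, and reports any option not explicitly set to "no". The host names and sample config are constructed; Match blocks are skipped and Python's fnmatch only approximates ssh's pattern matching.

```python
import fnmatch

GSS_OPTS = ("gssapiauthentication", "gssapikeyexchange")

def host_matches(patterns, host):
    """Host line matching: a negated match vetoes, otherwise any positive match wins."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def effective_gssapi(config_text, host):
    """Return {option: value or None}; the first value obtained for an option wins."""
    result = dict.fromkeys(GSS_OPTS)
    active = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False  # assumption: Match blocks are not evaluated here
        elif active and key in result and result[key] is None:
            result[key] = value.lower()
    return result

def gssapi_findings(config_text, host):
    """List GSSAPI options that are not explicitly 'no' for this host."""
    return [f"{opt}: {val or 'unset, build default applies'}"
            for opt, val in effective_gssapi(config_text, host).items() if val != "no"]

# Constructed sample config, not taken from the thread.
SAMPLE = """\
Host fileserver
    GSSAPIAuthentication=no
Host build-*
    GSSAPIAuthentication no
    GSSAPIKeyExchange no
Host *
    GSSAPIAuthentication yes
"""
```

For the constructed host "fileserver" this reports GSSAPIKeyExchange as unset, which is the situation suggested in the reply above: GSSAPIAuthentication is off, but key exchange still follows the build default.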

