Kerberos + Openssh 6.7 issue in MacOS sierra

[Jakub Jelen]

On 11/05/2016 06:58 PM, Angel Campoverde wrote:
> Hi,
>
> I hope this is the right mailing list. I upgraded to Sierra and It came
> with the new OpenSSH 6.7. When I try to get into a remote machine after
> making the kerberos ticket I get:
>
> /Users/angelcampoverde/.ssh/config: line 11: Bad configuration option:
> gssapitrustdns
> /Users/angelcampoverde/.ssh/config: terminating, 1 bad configuration options
>
> Which suggests that the line:
>
>    GSSAPIAuthentication      yes
>
> Is not supposed to be in the ~/.ssh/config file anymore. Without this line
> I cannot use kerberos to authenticate, I'd have to use the password. Is
> Kerberos not supported anymore beyond version 6.6? Is there a patch or a
> new line that should be there in that file instead of that one?
>
> Other people seem to have the same problem here:
>
> http://stackoverflow.com/questions/39634166/after-update-mac-os-sierra-can-not-use-ssh-login-remote-system-how-can-i-fix-th
>
> and here:
>
> http://apple.stackexchange.com/questions/256914/macos-sierra-broke-ssh-kerberos-authentication
>
> No answer was given, so I assume this is not a trivial issue.
The GSSAPITrustDNS was never part of portable OpenSSH [1]. This option 
originally comes from third party [2] extending kerberos support in 
OpenSSH, which is no longer maintained, but can be simply rebased on the 
current sources.
The problem in this case is Apple dropping this patch used by many 
people, so the Apple is the place where you should ask (or your OpenSSH 
packager of your favorite repository).

[1] 
https://github.com/openssh/openssh-portable/search?utf8=%E2%9C%93&q=trustdns
[2] http://www.sxw.org.uk/computing/patches/openssh.html

Regards,

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat