Kerberos + Openssh 6.7 issue in MacOS sierra
Jakub Jelen
jjelen at redhat.com
Mon Nov 7 19:26:20 AEDT 2016
On 11/05/2016 06:58 PM, Angel Campoverde wrote:
> Hi,
>
> I hope this is the right mailing list. I upgraded to Sierra and It came
> with the new OpenSSH 6.7. When I try to get into a remote machine after
> making the kerberos ticket I get:
>
> /Users/angelcampoverde/.ssh/config: line 11: Bad configuration option:
> gssapitrustdns
> /Users/angelcampoverde/.ssh/config: terminating, 1 bad configuration options
>
> Which suggests that the line:
>
> GSSAPIAuthentication yes
>
> Is not supposed to be in the ~/.ssh/config file anymore. Without this line
> I cannot use kerberos to authenticate, I'd have to use the password. Is
> Kerberos not supported anymore beyond version 6.6? Is there a patch or a
> new line that should be there in that file instead of that one?
>
> Other people seem to have the same problem here:
>
> http://stackoverflow.com/questions/39634166/after-update-mac-os-sierra-can-not-use-ssh-login-remote-system-how-can-i-fix-th
>
> and here:
>
> http://apple.stackexchange.com/questions/256914/macos-sierra-broke-ssh-kerberos-authentication
>
> No answer was given, so I assume this is not a trivial issue.
The GSSAPITrustDNS was never part of portable OpenSSH [1]. This option
originally comes from third party [2] extending kerberos support in
OpenSSH, which is no longer maintained, but can be simply rebased on the
current sources.
The problem in this case is Apple dropping this patch used by many
people, so the Apple is the place where you should ask (or your OpenSSH
packager of your favorite repository).
[1]
https://github.com/openssh/openssh-portable/search?utf8=%E2%9C%93&q=trustdns
[2] http://www.sxw.org.uk/computing/patches/openssh.html
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
More information about the openssh-unix-dev
mailing list