Hi, I hope this is the right mailing list. I upgraded to Sierra and It came with the new OpenSSH 6.7. When I try to get into a remote machine after making the kerberos ticket I get: /Users/angelcampoverde/.ssh/config: line 11: Bad configuration option: gssapitrustdns /Users/angelcampoverde/.ssh/config: terminating, 1 bad configuration options Which suggests that the line: GSSAPIAuthentication yes Is not supposed to be in the ~/.ssh/config file anymore. Without this line I cannot use kerberos to authenticate, I'd have to use the password. Is Kerberos not supported anymore beyond version 6.6? Is there a patch or a new line that should be there in that file instead of that one? Other people seem to have the same problem here: http://stackoverflow.com/questions/39634166/after-update-mac-os-sierra-can-not-use-ssh-login-remote-system-how-can-i-fix-th and here: http://apple.stackexchange.com/questions/256914/macos-sierra-broke-ssh-kerberos-authentication No answer was given, so I assume this is not a trivial issue. Cheers.
On 11/05/2016 06:58 PM, Angel Campoverde wrote:> Hi, > > I hope this is the right mailing list. I upgraded to Sierra and It came > with the new OpenSSH 6.7. When I try to get into a remote machine after > making the kerberos ticket I get: > > /Users/angelcampoverde/.ssh/config: line 11: Bad configuration option: > gssapitrustdns > /Users/angelcampoverde/.ssh/config: terminating, 1 bad configuration options > > Which suggests that the line: > > GSSAPIAuthentication yes > > Is not supposed to be in the ~/.ssh/config file anymore. Without this line > I cannot use kerberos to authenticate, I'd have to use the password. Is > Kerberos not supported anymore beyond version 6.6? Is there a patch or a > new line that should be there in that file instead of that one? > > Other people seem to have the same problem here: > > http://stackoverflow.com/questions/39634166/after-update-mac-os-sierra-can-not-use-ssh-login-remote-system-how-can-i-fix-th > > and here: > > http://apple.stackexchange.com/questions/256914/macos-sierra-broke-ssh-kerberos-authentication > > No answer was given, so I assume this is not a trivial issue.The GSSAPITrustDNS was never part of portable OpenSSH [1]. This option originally comes from third party [2] extending kerberos support in OpenSSH, which is no longer maintained, but can be simply rebased on the current sources. The problem in this case is Apple dropping this patch used by many people, so the Apple is the place where you should ask (or your OpenSSH packager of your favorite repository). [1] https://github.com/openssh/openssh-portable/search?utf8=%E2%9C%93&q=trustdns [2] http://www.sxw.org.uk/computing/patches/openssh.html Regards, -- Jakub Jelen Software Engineer Security Technologies Red Hat
Hi, Ok, I asked the apple people. In case you want to follow it, the link is: https://discussions.apple.com/message/30925444#30925444 Cheers. On Sat, Nov 5, 2016 at 6:58 PM, Angel Campoverde <campoverdeangelf at gmail.com> wrote:> Hi, > > I hope this is the right mailing list. I upgraded to Sierra and It came > with the new OpenSSH 6.7. When I try to get into a remote machine after > making the kerberos ticket I get: > > /Users/angelcampoverde/.ssh/config: line 11: Bad configuration option: > gssapitrustdns > /Users/angelcampoverde/.ssh/config: terminating, 1 bad configuration > options > > Which suggests that the line: > > GSSAPIAuthentication yes > > Is not supposed to be in the ~/.ssh/config file anymore. Without this line > I cannot use kerberos to authenticate, I'd have to use the password. Is > Kerberos not supported anymore beyond version 6.6? Is there a patch or a > new line that should be there in that file instead of that one? > > Other people seem to have the same problem here: > > http://stackoverflow.com/questions/39634166/after- > update-mac-os-sierra-can-not-use-ssh-login-remote-system-how-can-i-fix-th > > and here: > > http://apple.stackexchange.com/questions/256914/macos- > sierra-broke-ssh-kerberos-authentication > > No answer was given, so I assume this is not a trivial issue. > > Cheers. > >