Bug 944

Summary: ssh_config missing default configuration values for GSSAPI
Product: Portable OpenSSH Reporter: Adam Bernstein <adam.bernstein>
Component: sshAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED    
Severity: enhancement    
Priority: P2    
Version: 3.9p1   
Hardware: All   
OS: Linux   

Description Adam Bernstein 2004-10-26 05:04:50 AEST 
ssh_config does not contain default values for the configurable GSSAPI options,
as are found in sshd_config.  These entries are self-documenting comments that
assist the installer properly configure the software.  In the absence of any
documentation for how to configure GSSAPI in SSH, these comment tags in
ssh_config and sshd_config are essential for success.

One critical addition to ssh_config would be the following:

#GSSAPIAuthentication no
#GSSAPIDelegateCredentials no

From a deeper inspection of readconf.c, it appears the ssh_config file has not
been maintained, and these informative default values do not appear for many
other configurable parameters.  Although my primary interest is GSSAPI, anyone
spending time to fix this issue should add all missing configurable tags to
ssh_config.
Comment 1 Darren Tucker 2004-10-26 12:43:54 AEST 
> In the absence of any documentation for how to configure GSSAPI

Huh?  At the top of the ssh_config file it refers to the ssh_config(5) man page,
which says, in part:

  GSSAPIAuthentication
      Specifies whether user authentication based on GSSAPI is allowed.
      The default is ``no''.  Note that this option applies to protocol
      version 2 only.

  GSSAPIDelegateCredentials
      Forward (delegate) credentials to the server.  The default is
      ``no''.  Note that this option applies to protocol version 2 only.
Comment 2 Darren Tucker 2005-01-28 20:47:44 AEDT 
Added some verbiage to ssh_config to make it clear that the listed entries are
only some of the commonly used defaults:

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Comment 3 Martin Mokrejs 2006-07-11 04:18:16 AEST 
Please reopen and update the ssh_config with these two lines. Although I would aggree one should read manpages it is not easy for kerberos beginners to figure out some variable is missing in their config and that this is causing their client to fail.

Please refwer to my original bugreport at Gentoo:
http://bugs.gentoo.org/show_bug.cgi?id=132243

<quote>
While inspecting bug # I was curious why sshd/ssh doesn't try my kerberos tickets. After some poking around and enabling the variables in
/etc/ssh/sshd_config it turned out the *client* lacked the variables in
/etc/ssh/ssh_config, which would instruct it to try gssapi. Please add to /etc/ssh/ssh_config these two lines:

# Instruct ssh(1) client to attempt GSSAPI authentication, see ssh_config(5)
# GSSAPIAuthentication yes
# GSSAPIDelegateCredentials yes
</quote>
Comment 4 Darren Tucker 2006-07-11 09:22:34 AEST 
(In reply to comment #3)
> Please reopen and update the ssh_config with these two lines. [...]
> # GSSAPIAuthentication yes
> # GSSAPIDelegateCredentials yes

Those are config options are already present:

$ cvs annotate ssh_config |grep -i gss
Annotations for ssh_config
***************
1.22         (dtucker  29-May-06): #   GSSAPIAuthentication no
1.22         (dtucker  29-May-06): #   GSSAPIDelegateCredentials no
Comment 5 Darren Tucker 2006-10-07 11:37:36 AEST 
Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.