Wandering Thoughts archives

2006-06-10

Fixing the bad Solaris ssh patch

It turns out that there are actually three ssh problems introduced by the bad Solaris ssh patch. Since it's been well over a month with no sign or prospect of a fix from Sun, I gave in and applied workarounds. Fortunately, it turns out that all of the problems can be made to go away with changes to /etc/ssh/ssh_config.

Ssh problem one is:

$ ssh host
dlopen(/usr/lib/gss/gl/mech_krb5.so): ld.so.1: ssh: fatal: /usr/lib/gss/gl/mech_krb5.so: open failed: No such file or directory

The minimal workaround for this in ssh_config is:

Host *
  GSSAPIKeyExchange no

Ssh problem two is closely related; it is:

$ ssh host
unable to initialize mechanism library [/usr/lib/gss/gl/mech_krb5.so]

This only appears if you have the SUNWkrbu package installed; problem one appears only if you don't. The ssh_config workaround this time is:

Host *
  GSSAPIKeyExchange no
  GSSAPIAuthentication no

Using both options is harmless for the first problem, so you might as well standardize on using both. As far as I know, these don't have any observable side effects if you're not using Kerberos (and if you are, you probably don't have either of these problems).

Ssh problem three is:

$ ssh host
xmalloc: zero size

This turns out to be caused by a bug in handling the 'ask' choice for the StrictHostKeyChecking option (which is the default setting). This means there are two solutions; you can either arrange to have known host keys for all the machines you'll want to talk to, or you can put the minimal workaround in ssh_config:

Host *
  StrictHostKeyChecking no

However, this workaround has a potential drawback: with this option set, new hosts have their host keys automatically added to your $HOME/known_hosts host key list, instead of you being prompted about it. (I'm not convinced that this is a big issue; in practice I always say 'yes' to this question anyways, and I'm already using this setting in some personal configurations.)

So the omnibus set of workarounds in /etc/ssh/ssh_config is:

Host *
  GSSAPIKeyExchange no
  GSSAPIAuthentication no
  StrictHostKeyChecking no

This also works in $HOME/.ssh/config, if you're on a system with this problem where you can't change the system ssh_config for some reason. Remember to add a cheery comment about why these options are set, so that in later months (or years) you can remember why they're there.
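One way to find these workarounds again later, as an added example that is not part of the original entry: a POSIX shell function that lists where the three options above are set to 'no' and whether a comment sits above them. The function name, the sample config and the host name buildbox are constructed for illustration, and treating a comment as covering everything up to the next blank line is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original entry.
# Prints <line>:<Host pattern>:<option>:<commented|UNCOMMENTED> for each of
# the three workaround options found set to "no" in an ssh_config file.
audit_ssh_workarounds() {
    awk '
    BEGIN { host = "(global)"; noted = 0 }
    /^[ \t]*$/ { noted = 0; next }   # assumption: a blank line ends a comment
    /^[ \t]*#/ { noted = 1; next }   # a comment covers the lines after it
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        # OpenSSH-style configs accept "Keyword value" and "Keyword=value"
        if (!match(line, /[ \t]*=[ \t]*|[ \t]+/)) next
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        if (key == "host") { host = val; next }
        if (tolower(val) != "no") next
        if (key == "gssapikeyexchange" || key == "gssapiauthentication" ||
            key == "stricthostkeychecking")
            printf "%d:%s:%s:%s\n", NR, host, key,
                   (noted ? "commented" : "UNCOMMENTED")
    }' "${1:--}"
}

# Constructed sample config; "buildbox" is a made-up host name.
sample_config() {
cat <<'EOF'
# Workaround for the bad Solaris ssh patch; remove once Sun ships a fix.
Host *
  GSSAPIKeyExchange no
  GSSAPIAuthentication=no

Host buildbox
  StrictHostKeyChecking no
EOF
}

# Demo on the constructed sample (reads stdin when no file is given).
sample_config | audit_ssh_workarounds
```

Run it as audit_ssh_workarounds /etc/ssh/ssh_config, or against $HOME/.ssh/config.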

solaris/FixingSolarisSsh written at 01:39:31