Fixing the bad Solaris ssh patch
It turns out that there are actually three ssh problems introduced by
the bad Solaris ssh patch. Since it's been well over a month with no
sign or prospect of a fix from Sun, I gave in and applied workarounds.
Fortunately, it turns out that all of the problems can be made to go
away with changes to /etc/ssh/ssh_config.
Ssh problem one is:
$ ssh host
dlopen(/usr/lib/gss/gl/mech_krb5.so): ld.so.1: ssh: fatal: /usr/lib/gss/gl/mech_krb5.so: open failed: No such file or directory
The minimal workaround for this in ssh_config is:
Host *
    GSSAPIKeyExchange no
Ssh problem two is closely related; it is:
$ ssh host
unable to initialize mechanism library [/usr/lib/gss/gl/mech_krb5.so]
This only appears if you have the SUNWkrbu package installed; problem
one appears only if you don't. The ssh_config workaround this time is:
Host *
    GSSAPIKeyExchange no
    GSSAPIAuthentication no
Using both options is harmless for the first problem, so you might as well standardize on using both. As far as I know, these don't have any observable side effects if you're not using Kerberos (and if you are, you probably don't have either of these problems).
Ssh problem three is:
$ ssh host
xmalloc: zero size
This turns out to be caused by a bug in handling the 'ask' choice for
the StrictHostKeyChecking option (which is the default setting). This
means there are two solutions; you can either arrange to have known host
keys for all the machines you'll want to talk to, or you can put the
minimal workaround in ssh_config:
Host *
    StrictHostKeyChecking no
However, this workaround has a potential drawback: with this option set, new hosts have their host keys automatically added to your $HOME/known_hosts host key list, instead of you being prompted about it. (I'm not convinced that this is a big issue; in practice I always say 'yes' to this question anyways, and I'm already using this setting in some personal configurations.)
So the omnibus set of workarounds in /etc/ssh/ssh_config is:
Host *
    GSSAPIKeyExchange no
    GSSAPIAuthentication no
    StrictHostKeyChecking no
This also works in $HOME/.ssh/config, if you're on a system with
this problem where you can't change the system ssh_config for some
reason. Remember to add a cheery comment about why these options
are set, so that in later months (or years) you can remember why
they're there.
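
Whether these options take effect depends on where the block sits in the file and how it is laid out. The following Python check is an added example, not code from the original post: it assumes OpenSSH-style parsing (the first value obtained for a keyword wins, and a Host line takes whitespace-separated patterns), and the host names and sample configs in it are constructed.

```python
import fnmatch
import re

# Keywords the workarounds set to "no" (lower-cased; ssh ignores keyword case).
WORKAROUNDS = ("gssapikeyexchange", "gssapiauthentication", "stricthostkeychecking")
# "Keyword value" or "Keyword=value"
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)$")

def effective_options(config_text, hostname):
    """Resolve options for hostname: the first value obtained for a keyword wins."""
    result = {}
    applies = True  # lines before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m or line.startswith("#"):
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            # Every word after Host is a pattern; * and ? are wildcards.
            applies = any(fnmatch.fnmatchcase(hostname, p) for p in value.split())
        elif applies:
            result.setdefault(keyword, value.lower())
    return result

def missing_workarounds(config_text, hostname):
    """Return the workaround keywords that are not in effect for hostname."""
    opts = effective_options(config_text, hostname)
    return sorted(k for k in WORKAROUNDS if opts.get(k) != "no")

# Constructed sample: a host-specific block placed before the catch-all block.
SAMPLE = """\
# Workarounds for the bad Solaris ssh patch
Host build1
    StrictHostKeyChecking ask
Host *
    GSSAPIKeyExchange no
    GSSAPIAuthentication no
    StrictHostKeyChecking no
"""
# Constructed sample: all on one line, so the option names become Host patterns.
ONE_LINE = "Host * GSSAPIKeyExchange no GSSAPIAuthentication no StrictHostKeyChecking no\n"

if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("ONE_LINE", ONE_LINE)):
        for host in ("build1", "web2"):
            print(name, host, missing_workarounds(text, host))
```

For build1 the earlier host-specific 'ask' wins, so the third workaround is not in effect there; the one-line form sets no options at all.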