Fixing the bad Solaris ssh patch

June 10, 2006

It turns out that there are actually three ssh problems introduced by the bad Solaris ssh patch. Since it's been well over a month with no sign or prospect of a fix from Sun, I gave in and applied workarounds. Fortunately, it turns out that all of these problems can be made to go away with changes to /etc/ssh/ssh_config.

Ssh problem one is:

$ ssh host
dlopen(/usr/lib/gss/gl/mech_krb5.so): ld.so.1: ssh: fatal: /usr/lib/gss/gl/mech_krb5.so: open failed: No such file or directory

The minimal workaround for this in ssh_config is:

Host *
  GSSAPIKeyExchange no

Ssh problem two is closely related; it is:

$ ssh host
unable to initialize mechanism library [/usr/lib/gss/gl/mech_krb5.so]

This only appears if you have the SUNWkrbu package installed; problem one appears only if you don't. The ssh_config workaround this time is:

Host *
  GSSAPIKeyExchange no
  GSSAPIAuthentication no

Using both options is harmless for the first problem, so you might as well standardize on using both. As far as I know, these don't have any observable side effects if you're not using Kerberos (and if you are, you probably don't have either of these problems).

Ssh problem three is:

$ ssh host
xmalloc: zero size

This turns out to be caused by a bug in handling the 'ask' choice for the StrictHostKeyChecking option (which is the default setting). This means there are two solutions; you can either arrange to have known host keys for all the machines you'll want to talk to, or you can put the minimal workaround in ssh_config:

Host *
  StrictHostKeyChecking no

However, this workaround has a potential drawback: with this option set, new hosts have their host keys automatically added to your $HOME/.ssh/known_hosts host key list, instead of you being prompted about it. It also means ssh no longer refuses to connect when a host's key has changed; it prints the mismatch warning and disables password authentication for that connection, but carries on. (I'm not convinced that this is a big issue; in practice I always say 'yes' to this question anyway, and I'm already using this setting in some personal configurations.)
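The first of the two fixes for problem three is to already have a host key for every machine you talk to, so the 'ask' code path is never reached. The following is an added example, not code from the original post, that tells you which hosts on a list still lack a known_hosts entry and so would still trip the bug (or, with the workaround, would be accepted silently). It parses the known_hosts host field the way OpenSSH does: comma-separated aliases, `*` and `?` wildcards, `!` negation, `[host]:port` for non-default ports, `@cert-authority` and `@revoked` markers, and the hashed `|1|salt|hmac` form produced by HashKnownHosts (a later OpenSSH feature that the Solaris ssh of this post may not generate). The sample known_hosts content and the salt are constructed for the example, and the key blobs are placeholders.

```python
import base64
import hashlib
import hmac
import re


def lookup_name(host, port=22):
    """Name ssh looks up in known_hosts: bare host for port 22, [host]:port otherwise."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hash_host(name, salt):
    """Build a hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _hashed_matches(entry, name):
    """True if a |1|... entry is the HMAC of this lookup name."""
    parts = entry.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2])
        digest = base64.b64decode(parts[3])
    except ValueError:  # malformed base64 (binascii.Error is a ValueError)
        return False
    expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, digest)


def _pattern_to_regex(pattern):
    """Translate ssh's '*' / '?' host wildcards; everything else (including
    the [ ] of [host]:port) is literal, so fnmatch would be wrong here."""
    out = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + out + "$")


def line_covers(line, name):
    """Does one known_hosts line supply a (non-revoked) key for this lookup name?"""
    line = line.strip()
    if not line or line.startswith("#"):
        return False
    fields = line.split()
    if fields[0].startswith("@"):
        marker = fields.pop(0)
        if marker == "@revoked":  # a revoked key is not a usable host key
            return False
    if len(fields) < 3:  # need hosts, key type, key blob
        return False
    matched = False
    for pattern in fields[0].split(","):
        if pattern.startswith("|1|"):
            matched = matched or _hashed_matches(pattern, name)
            continue
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if _pattern_to_regex(pattern).match(name):
            if negate:  # a matching negated pattern disqualifies the whole line
                return False
            matched = True
    return matched


def missing_hosts(known_hosts_text, names):
    """Lookup names that no line of the known_hosts text covers."""
    lines = known_hosts_text.splitlines()
    return [n for n in names if not any(line_covers(ln, n) for ln in lines)]


# Constructed sample known_hosts content (not taken from any real system).
_SALT = bytes(range(20))  # constructed 20-byte salt, the size OpenSSH uses
SAMPLE_KNOWN_HOSTS = (
    "# comment line\n"
    "host1.example.org,192.0.2.10 ssh-rsa AAAAB3PLACEHOLDER\n"
    "*.lab.example.org,!bad.lab.example.org ssh-rsa AAAAB3PLACEHOLDER\n"
    "[bastion.example.org]:2222 ssh-rsa AAAAB3PLACEHOLDER\n"
    "@cert-authority *.ca.example.org ssh-rsa AAAAB3PLACEHOLDER\n"
    "@revoked old.example.org ssh-rsa AAAAB3PLACEHOLDER\n"
    + hash_host("hashed.example.org", _SALT) + " ssh-rsa AAAAB3PLACEHOLDER\n"
)

if __name__ == "__main__":
    wanted = ["host1.example.org", "node7.lab.example.org", "bad.lab.example.org",
              lookup_name("bastion.example.org", 2222), "bastion.example.org",
              "hashed.example.org", "old.example.org", "nowhere.example.org"]
    for name in missing_hosts(SAMPLE_KNOWN_HOSTS, wanted):
        print("no host key yet for", name)
```

Run it against your real file with `open('/home/you/.ssh/known_hosts').read()` and the list of hosts you actually log in to; whatever it prints is the set you would have to pre-populate (for example by pasting the key line from the host's /etc/ssh/ssh_host_*_key.pub, verified out of band) before you could drop the StrictHostKeyChecking workaround.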

So the omnibus set of workarounds in /etc/ssh/ssh_config is:

Host *
  GSSAPIKeyExchange no
  GSSAPIAuthentication no
  StrictHostKeyChecking no

This also works in $HOME/.ssh/config, if you're on a system with this problem where you can't change the system ssh_config for some reason. Remember to add a cheery comment about why these options are set, so that in later months (or years) you can remember why they're there.


Comments on this page:

From 192.31.106.34 at 2006-11-13 15:25:43:

Chris - this problem fixed outbound SSH for me, however I still cannot SSH to this machine. Do you have any ideas for this? Thanks, Josh..

By cks at 2006-11-13 17:30:47:

If your sshd is starting and not spewing fatal errors about not finding shared libraries (unlike e.g. here), I'm afraid that I've got no idea.

I'm also not responsible for any Solaris 9 machines any more (just Solaris 8 these days), so I am completely out of touch with the state of the whole ssh issue. The most recent stuff I know is in MoreSolarisSshIII, but that's from late August.

Written on 10 June 2006.

Last modified: Sat Jun 10 01:39:31 2006