== Fixing the bad Solaris ssh patch It turns out that there are actually *three* ssh problems introduced by the [[bad Solaris ssh patch BadSolarisPatches]]. Since it's been well over a month with no sign or prospect of a fix from Sun, I gave in and applied workarounds. Fortunately, it turns out that all of problems can be made to go away with changes to ((/etc/ssh/ssh_config)). Ssh problem one is: > _$ ssh host \\ > dlopen(/usr/lib/gss/gl/[[mech_krb5.so|]]): ld.so.1: ssh: fatal: > /usr/lib/gss/gl/[[mech_krb5.so|]]: open failed: No such file or > directory_ The minimal workaround for this in ((ssh_config)) is: > Host * > GSSAPIKeyExchange no Ssh problem two is closely related; it is: > _$ ssh host \\ > unable to initialize mechanism library [/usr/lib/gss/gl/[[mech_krb5|]].so]_ This only appears if you have the SUNWkrbu package installed; problem one appears only if you *don't*. The ((ssh_config)) workaround this time is: > Host * > GSSAPIKeyExchange no > GSSAPIAuthentication no Using both options is harmless for the first problem, so you might as well standardize on using both. As far as I know, these don't have any observable side effects if you're not using Kerberos (and if you are, you probably don't have either of these problems). Ssh problem three is: > _$ ssh host \\ > xmalloc: zero size_ This turns out to be caused by a bug in handling the 'ask' choice for the StrictHostKeyChecking option (which is the default setting). This means there are two solutions; you can either arrange to have known host keys for all the machines you'll want to talk to, or you can put the minimal workaround in ((ssh_config)): > Host * > StrictHostKeyChecking no However, this workaround has a potential drawback: with this option set, new hosts have their host keys automatically added to your $HOME/[[known_hosts|]] host key list, instead of you being prompted about it. (I'm not convinced that this is a big issue; in practice I always say 'yes' to this question anyways, and I'm already using this setting in some personal configurations.) So the omnibus set of workarounds in ((/etc/ssh/ssh_config)) is: > Host * > GSSAPIKeyExchange no > GSSAPIAuthentication no > StrictHostKeyChecking no This also works in $HOME/.ssh/config, if you're on a system with this problem where you can't change the system ((ssh_config)) for some reason. Remember to add a cheery comment about why these options are set, so that in later months (or years) you can remember why they're there.