MacOS Sierra broke SSH Kerberos authentication

kerberos macos ssh terminal

I have used Kerberos GSSAPI authentication together with SSH to connect from my Mac to work servers. However, ever since the macOS Sierra upgrade, I'm forced to enter passwords again.

My ~/.ssh/config looks like this:

Host MYSERVER
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

I originally had GSSAPITrustDns yes there as well, but after the Sierra upgrade, SSH refused to start up, saying that it could not parse the config. Removing the line fixed that.

Is there any way to get this working again?

Best Answer

I asked this in the SSH mailing list openssh-unix-dev@mindrot.org and I got this answer:

The GSSAPITrustDNS was never part of portable OpenSSH. This option originally comes from a third party extending Kerberos support in OpenSSH, which is no longer maintained, but can simply be rebased on the current sources.

The problem in this case is Apple dropping this patch used by many people, so Apple is the place where you should ask (or the OpenSSH packager of your favorite repository).

http://marc.info/?l=openssh-unix-dev&m=147850754710753&w=2

It seems that we have to ask Apple to put this feature back.
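As an added example (not from the original post or the mailing-list reply): a POSIX shell sketch that probes whether the local ssh client accepts each GSSAPI option from the question, and prints a config that uses the standard IgnoreUnknown directive so the file still parses on builds without the patch. SSH_BIN and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: probe the local ssh client for the GSSAPI options used above.
# SSH_BIN is an assumption of this sketch; it defaults to the "ssh" on PATH.

# ssh_supports_option NAME VALUE -> exit 0 if this client accepts the option.
# -G prints the resolved configuration and exits without connecting;
# -F /dev/null keeps an already-broken ~/.ssh/config out of the probe.
ssh_supports_option() {
    "${SSH_BIN:-ssh}" -F /dev/null -G -o "$1=$2" localhost >/dev/null 2>&1
}

# Print, one per line, the options from the question that this client rejects.
unsupported_gssapi_options() {
    for opt in GSSAPIAuthentication GSSAPIDelegateCredentials GSSAPITrustDns; do
        ssh_supports_option "$opt" yes || printf '%s\n' "$opt"
    done
}

# emit_config HOST -> a config that parses on builds with or without the patch.
emit_config() {
    unknown=$(unsupported_gssapi_options | tr '\n' ',')
    unknown=${unknown%,}
    # IgnoreUnknown goes at the top of the file, ahead of every Host block.
    # It only stops the parse error; it does not bring the feature back.
    [ -z "$unknown" ] || printf 'IgnoreUnknown %s\n\n' "$unknown"
    printf 'Host %s\n' "$1"
    printf '    GSSAPIAuthentication yes\n'
    printf '    GSSAPIDelegateCredentials yes\n'
    printf '    GSSAPITrustDns yes\n'
}

# Usage: emit_config MYSERVER
```

On a client that rejects GSSAPITrustDns, the option is skipped rather than honoured, so Kerberos logins that depended on it can still fall back to password prompts.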
