After updating to Mac OS Sierra, I cannot use ssh to log in to a remote system. How can I fix this?

醉酒成梦 2021-02-07 01:34

When I use user@ip to log in to the remote system, it reports this:

debug1: /etc/ssh/ssh_config line 17: Applying options for *
/etc/ssh/ssh_config: lin         


        
8 answers
  • 2021-02-07 01:44

    One way to solve this is to copy an ssh binary from an older Mac and place it in your PATH before /usr/bin/ssh, e.g. (copied from an El Capitan box) /usr/bin/ssh => ~/bin/ssh, then add $HOME/bin to your PATH before anything else.

    The reason is that the GSSAPITrustDNS and GSSAPIKeyExchange patches are no longer applied by Apple, starting with Sierra, when they upgraded OpenSSH to 7.2p2. So one option is to downgrade to the old OS version if you have to use Kerberos + ssh.

  • 2021-02-07 01:44
    1. My config /etc/ssh/ssh_config was OK and was never changed. I found the rows I needed to change in ~/.ssh/config, and that solved the issue.

    2. If you are getting:

    Permissions 0644 for ‘~/.ssh/id_rsa[your file]’ are too open

    run: chmod 600 ~/.ssh/id_rsa[your file] to solve it.

  • 2021-02-07 01:48

    Since Apple removed this functionality, you can still build your own local copy of openssh that is compatible with gssapi (via adding some gssapi patches).

    $ brew tap rdp/homebrew-openssh-gssapi
    
    $ brew install rdp/homebrew-openssh-gssapi/openssh-patched --with-gssapi-support
    

    Then restart your terminal session and you should be in business. It creates a new /usr/local/bin/ssh executable that is Kerberos fluent, and, with a typical install of homebrew, that one should end up first in your PATH, so it is the one used by default now. There are also some other patch options in that tap as well (--with-hpn, faster for large files, and --with-keychain-support); see its README if interested.

    Background: If you still want Kerberos ticket functionality (i.e. ssh without identity key file and without having to enter password), or the "hpn openssh patch" (purportedly speeds up large file transfer) or the "keychain patch", here's a way to install your own copy of a version of openssh that supports them (this happens to also overcome the OP's problem):

    We'll use homebrew for it.

    Turns out that homebrew "used to" support an openssh install option called --with-gssapi-support that would give you an ssh/scp that supported kerberos tickets.

    This may have been removed inadvertently with their update to version 6.6p1 of openssh [?] . Some tickets have been proposed to "re add it" since then, but the maintainers went through a fiasco of some kind with the "keychain" patch and they've resolved to try and keep their openssh formula much more vanilla than they used to, so rejected subsequent proposals.

    They suggest creating a "tap" if you want the patches back. See above for one with the patches available.

    Another option is to use ssh identity key files (authentication/authorized keys) instead of Kerberos, then you can still use the default provided ssh as is.

    Another alternative is to use the MacPorts openssh package, which has good support for openssh with Kerberos (as an install option), similar to the homebrew tap mentioned.

  • 2021-02-07 01:49

    One line answer - run this to remove the GSSAPITrustDns line:

    sed -i".backup"  '/GSSAPITrustDns/d' ~/.ssh/config
    

    Creates a copy and updates ~/.ssh/config.

  • 2021-02-07 01:53

    Fix for SSH 10.12:

    sudo nano /etc/ssh/ssh_config
    

    Comment out with a #:

    • GSSAPIKeyExchange no
    • GSSAPITrustDNS no
    • type Control+o
    • type Control+x
  • 2021-02-07 01:55

    Comment out the following lines in /etc/ssh/ssh_config, from

    # System-wide defaults set by MIT Kerberos Extras
    Host *
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
      GSSAPIKeyExchange yes
    

    to

    # System-wide defaults set by MIT Kerberos Extras
    #Host *
    #  GSSAPIAuthentication yes
    #  GSSAPIDelegateCredentials yes
    #  GSSAPIKeyExchange yes
    
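A more careful version of the config edits suggested in the answers above, as an added example that is not part of the original thread: it comments out only GSSAPITrustDNS and GSSAPIKeyExchange (the two options the first answer says Apple no longer patches in), matches them case-insensitively and in the `keyword=value` form, and keeps a `.backup` copy. The function name `comment_unsupported` is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): comment out ssh client options that
# rely on the GSSAPI patches, keeping a ".backup" copy of each edited file.

# The two options the thread names as no longer patched in (lower-cased,
# because ssh_config keywords are case-insensitive).
UNSUPPORTED="gssapitrustdns gssapikeyexchange"

# comment_unsupported FILE  (hypothetical helper name)
# Rewrites FILE in place and prints the number of lines it commented out.
comment_unsupported() {
    file=$1
    [ -f "$file" ] || { echo 0; return 0; }
    tmp=$(mktemp) || return 1
    count=$(awk -v opts="$UNSUPPORTED" -v out="$tmp" '
        BEGIN { n = split(opts, o, " "); for (i = 1; i <= n; i++) bad[o[i]] = 1 }
        {
            line = $0
            key = line
            sub(/^[ \t]+/, "", key)      # drop indentation
            sub(/[ \t=].*$/, "", key)    # keyword ends at whitespace or "="
            k = tolower(key)
            if (k in bad) { line = "#" line; hits++ }
            print line > out
        }
        END { print hits + 0 }
    ' "$file") || { rm -f "$tmp"; return 1; }
    if [ "$count" -gt 0 ]; then
        # Back up first, then overwrite the contents so the file keeps its
        # existing owner and mode (ssh refuses configs that are too open).
        cp -p "$file" "$file.backup" && cat "$tmp" > "$file"
    fi
    rm -f "$tmp"
    echo "$count"
}

# Usage:
#   comment_unsupported ~/.ssh/config
#   comment_unsupported /etc/ssh/ssh_config    # from a root shell
```

Lines that are already commented out are left alone, so running it twice is harmless. Afterwards `ssh -G <host>` should print the resolved options instead of stopping on a configuration error.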