
Bug#409360: openssh-client: Disabling GSSAPIAuthentication option by default



On Fri, Mar 30, 2007 at 08:03:11PM +0200, Moritz Augustin wrote:
> I would also like to see the option disabled by default, because I think most 
> of the users dealing with Kerberos authentication issues know about the 
> necessary config parts.
> People (like me) are wondering why connecting to local servers (without DNS) 
> is that slow. 10 seconds per connection attempt.

I think it may be slightly unfair to blame GSSAPIAuthentication for
this. It happens that ssh does a reverse DNS lookup on the
GSSAPIAuthentication path, but that's essentially incidental, and it
doesn't seem to me that it would be fundamentally impossible to fix.
It's compounded by the presence of avahi and the fact that its reverse
DNS lookups are very slow, of course; one solution that was suggested to
me was to change this line in /etc/nsswitch.conf:

  hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4

... to:

  hosts:          files mdns4_minimal [NOTFOUND=return] dns

I would like to avoid the extra reverse DNS lookup if possible, though.
I looked into the source and couldn't entirely see what was going on, as
a chunk of it was buried in the bowels of krb5. Russ, do you have any
ideas here?

-- 
Colin Watson                                       [cjwatson@debian.org]



