Bug#1003244: openssh-client: ssh_config manpage has conflicting information about Debian-specific changes to defaults

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1003244: openssh-client: ssh_config manpage has conflicting information about Debian-specific changes to defaults
From: Peter van Dijk <peter@7bits.nl>
Date: Thu, 06 Jan 2022 23:04:01 +0100
Message-id: <[🔎] 164150664120.1215494.11319377217843846423.reportbug@plato>
Reply-to: Peter van Dijk <peter@7bits.nl>, 1003244@bugs.debian.org

Package: openssh-client
Version: 1:8.4p1-5
Severity: normal
X-Debbugs-Cc: peter@7bits.nl

Dear Maintainer,

   * What led up to the situation?

After upgrading to Debian 11, using ssh to connect to one of my machines took a very long time.
The time is spent in:

debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

This happens twice and takes a total of around 100 seconds. The first few tries I figured my VM had
half-died because ssh just sat there.

After a while I figured out disabling GSSAPIAuthentication helped. But the manpage is confusing.

ssh_config(5) says:

     GSSAPIAuthentication
             Specifies whether user authentication based on GSSAPI is allowed.  The default is no.

it also says:

     Note that the Debian openssh-client package sets several options as standard in
     /etc/ssh/ssh_config which are not the default in ssh(1):

           o   Include /etc/ssh/ssh_config.d/*.conf
           o   SendEnv LANG LC_*
           o   HashKnownHosts yes
           o   GSSAPIAuthentication yes

but I usually search manpages, not read them end to end. So, the bit about Debian defaults being different is very hard to miss. Perhaps the sections on those four options could grow a few words repeating the changes that Debian did.


-- System Information:
Debian Release: 11.2
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-10-amd64 (SMP w/12 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.20.9
ii  libc6             2.31-13+deb11u2
ii  libedit2          3.1-20191231-2+b1
ii  libfido2-1        1.6.0-2
ii  libgssapi-krb5-2  1.18.3-6+deb11u1
ii  libselinux1       3.1-3
ii  libssl1.1         1.1.1k-1+deb11u1
ii  passwd            1:4.8.1-1
ii  zlib1g            1:1.2.11.dfsg-2

Versions of packages openssh-client recommends:
ii  xauth  1:1.1-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/ssh_config changed:
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication no


-- no debconf information

Reply to:

Prev by Date: Bug#1003046: openssh-client-ssh1: use /etc/ssh/ssh1_config as default config file
Next by Date: Bug#24559: Examples
Previous by thread: Bug#1003046: openssh-client-ssh1: use /etc/ssh/ssh1_config as default config file
Next by thread: Bug#24559: Examples
Index(es):
- Date
- Thread