After updating to Mac OS Sierra, cannot use ssh login

Posted 2020-06-01 03:44

Question:

When I use user@ip to log in to a remote system, it reports this:

debug1: /etc/ssh/ssh_config line 17: Applying options for *
/etc/ssh/ssh_config: line 20: Bad configuration option: gssapikeyexchange
/etc/ssh/ssh_config: line 21: Bad configuration option: gssapitrustdns
/etc/ssh/ssh_config: terminating, 2 bad configuration options

Answer 1:

Comment out the following lines in /etc/ssh/ssh_config, from

# System-wide defaults set by MIT Kerberos Extras
Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPIKeyExchange yes

to

# System-wide defaults set by MIT Kerberos Extras
#Host *
#  GSSAPIAuthentication yes
#  GSSAPIDelegateCredentials yes
#  GSSAPIKeyExchange yes


Answer 2:

One way to solve this is to copy an ssh binary from an older Mac and place it in your PATH before /usr/bin/ssh, e.g. (copied from an El Capitan box) /usr/bin/ssh => ~/bin/ssh, then add $HOME/bin to your PATH before anything else.

The reason is that the GSSAPITrustDNS and GSSAPIKeyExchange patches are no longer applied by Apple, starting with Sierra, when they upgraded OpenSSH to 7.2p2. So one option is to downgrade to the old OS version if you have to use Kerberos + ssh.



Answer 3:

You probably just need to disable GSSAPITrustDns in the ssh config.

vi ~/.ssh/config

:%s/GSSAPITrustDns/# GSSAPITrustDns/g

:wq

Similarly, comment out the other options as well, like gssapikeyexchange, etc.



Answer 4:

One line answer - run this to remove the GSSAPITrustDns line:

sed -i".backup"  '/GSSAPITrustDns/d' ~/.ssh/config

This creates a backup copy and updates ~/.ssh/config.



Answer 5:

Another option: build your own local copy of openssh that is compatible with gssapi (via some gssapi patches).

Background: If you still want Kerberos ticket functionality (i.e. ssh without identity key file and without having to enter password), or the "hpn openssh patch" (purportedly speeds up large file transfer) or the "keychain patch", here's a way to install your own copy of a version of openssh that supports them (this happens to also overcome the OP's problem):

We'll use homebrew for it. Turns out that homebrew "used to" support an openssh install option called --with-gssapi-support that would give you an ssh/scp that supported kerberos tickets.

This may have been removed inadvertently with their update to version 6.6p1 of openssh [?]. Some tickets have been proposed to "re-add it" since then, but the maintainers went through a fiasco of some kind with the "keychain" patch and they've resolved to try and keep their openssh formula much more vanilla than they used to, so they rejected subsequent proposals.

They suggest creating a "tap" if you want the patches back. Here's one with the patches available. To install this new and improved version of ssh:

$ brew install rdp/homebrew-openssh-gssapi/openssh-patched --with-gssapi-support

Then restart your terminal session and you should be in business. It'll create a new /usr/local/bin/ssh executable that is Kerberos fluent, and, with a typical install of homebrew, that one should end up first in your PATH, so it is the one used by default now. There are also some other patch options in that tap (hpn and keychain-support); see its README if interested.

Another option is to use ssh identity key files (authentication/authorized keys) instead of Kerberos; then you can still use the default provided ssh as is.

Another option is to use macports openssh package, which has good support for openssh with Kerberos (as an install option).



Answer 6:

Fix for SSH 10.12:

sudo nano /etc/ssh/ssh_config

Comment out with a #:

  • GSSAPIKeyExchange no
  • GSSAPITrustDNS no
  • type Control+o
  • type Control+x
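
The edit that Answers 1, 3, 4 and 6 make by hand, as an added shell example that is not part of any answer: it comments out only the two keywords rejected in the error output, matches them case-insensitively (ssh_config keywords are case-insensitive), and keeps a .backup copy. The function names, the sample config and the script name fix_gssapi.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example: comment out the ssh_config keywords that the error output
# above rejects, keeping a backup. Keywords are matched case-insensitively.

# write_sample FILE: a constructed config resembling the one in Answer 1.
write_sample() {
    cat > "$1" <<'EOF'
# System-wide defaults set by MIT Kerberos Extras
Host *
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPIKeyExchange yes
  gssapitrustdns=no
# GSSAPITrustDNS yes
EOF
}

# comment_bad_gssapi FILE: prefix active GSSAPIKeyExchange / GSSAPITrustDNS
# lines with "# ", save the original as FILE.backup, print the number changed.
comment_bad_gssapi() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    count=$(awk -v out="$tmp" '
        {
            key = tolower($1)       # first field is the keyword
            sub(/=.*/, "", key)     # also accept the "keyword=value" form
            if (key == "gssapikeyexchange" || key == "gssapitrustdns") {
                print "# " $0 > out
                n++
            } else {
                print > out
            }
        }
        END { print n + 0 }
    ' "$file") || { rm -f "$tmp"; return 1; }
    if [ "$count" -gt 0 ]; then
        # cat into the original so its owner and mode are preserved
        cp -p "$file" "$file.backup" && cat "$tmp" > "$file"
    fi
    rm -f "$tmp"
    echo "$count"
}

# Usage: sh fix_gssapi.sh ~/.ssh/config   (use sudo for /etc/ssh/ssh_config)
for f in "$@"; do
    printf '%s: %s line(s) commented out\n' "$f" "$(comment_bad_gssapi "$f")"
done
```

GSSAPIAuthentication and GSSAPIDelegateCredentials are left active, since the error output does not reject them.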


Answer 7:

  1. My config /etc/ssh/ssh_config was OK and was never changed. I found the rows I needed to change in ~/.ssh/config, and changing them solved the issue.

  2. If you are getting:

Permissions 0644 for ‘~/.ssh/id_rsa[your file]’ are too open

run: chmod 600 ~/.ssh/id_rsa[your file] to solve it.



Answer 8:

You can try to remove ~/.ssh/config file. It worked for me!



Tags: macos ssh