Package: openssh-client Version: 1:8.4p1-5 Severity: normal X-Debbugs-Cc: pe...@7bits.nl
Dear Maintainer, * What led up to the situation? After upgrading to Debian 11, using ssh to connect to one of my machines took a very long time. The time is spent in: debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) This happens twice and takes a total of around 100 seconds. The first few tries I figured my VM had half-died because ssh just sat there. After a while I figured out disabling GSSAPIAuthentication helped. But the manpage is confusing. ssh_config(5) says: GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. The default is no. it also says: Note that the Debian openssh-client package sets several options as standard in /etc/ssh/ssh_config which are not the default in ssh(1): o Include /etc/ssh/ssh_config.d/*.conf o SendEnv LANG LC_* o HashKnownHosts yes o GSSAPIAuthentication yes but I usually search manpages, not read them end to end. So, the bit about Debian defaults being different is very hard to miss. Perhaps the sections on those four options could grow a few words repeating the changes that Debian did. -- System Information: Debian Release: 11.2 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-10-amd64 (SMP w/12 CPU threads) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openssh-client depends on: ii adduser 3.118 ii dpkg 1.20.9 ii libc6 2.31-13+deb11u2 ii libedit2 3.1-20191231-2+b1 ii libfido2-1 1.6.0-2 ii libgssapi-krb5-2 1.18.3-6+deb11u1 ii libselinux1 3.1-3 ii libssl1.1 1.1.1k-1+deb11u1 ii passwd 1:4.8.1-1 ii zlib1g 1:1.2.11.dfsg-2 Versions of packages openssh-client recommends: ii xauth 1:1.1-1 Versions of packages openssh-client suggests: pn keychain <none> pn libpam-ssh <none> pn monkeysphere <none> pn ssh-askpass <none> -- Configuration Files: /etc/ssh/ssh_config changed: Include /etc/ssh/ssh_config.d/*.conf Host * SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication no -- no debconf information