Package: openssh-client
Version: 1:8.4p1-5
Severity: normal

Dear Maintainer,

   * What led up to the situation?

After upgrading to Debian 11, using ssh to connect to one of my machines took a 
very long time.
The time is spent in:

debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

This happens twice and takes a total of around 100 seconds. The first few tries 
I figured my VM had
half-died because ssh just sat there.

After a while I figured out disabling GSSAPIAuthentication helped. But the 
manpage is confusing.

ssh_config(5) says:

             Specifies whether user authentication based on GSSAPI is allowed.  
The default is no.

it also says:

     Note that the Debian openssh-client package sets several options as 
standard in
     /etc/ssh/ssh_config which are not the default in ssh(1):

           o   Include /etc/ssh/ssh_config.d/*.conf
           o   SendEnv LANG LC_*
           o   HashKnownHosts yes
           o   GSSAPIAuthentication yes

but I usually search manpages, not read them end to end. So, the bit about 
Debian defaults being different is very hard to miss. Perhaps the sections on 
those four options could grow a few words repeating the changes that Debian did.

-- System Information:
Debian Release: 11.2
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-10-amd64 (SMP w/12 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.20.9
ii  libc6             2.31-13+deb11u2
ii  libedit2          3.1-20191231-2+b1
ii  libfido2-1        1.6.0-2
ii  libgssapi-krb5-2  1.18.3-6+deb11u1
ii  libselinux1       3.1-3
ii  libssl1.1         1.1.1k-1+deb11u1
ii  passwd            1:4.8.1-1
ii  zlib1g            1:1.2.11.dfsg-2

Versions of packages openssh-client recommends:
ii  xauth  1:1.1-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>

-- Configuration Files:
/etc/ssh/ssh_config changed:
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication no

-- no debconf information

Reply via email to