On Fri, Nov 05, 2010 at 10:50:45AM -0700, Mike DeMarco wrote:
> > ssh will try to do krb auth by default and krb bypasses the nsswitch to
> > always try DNS to canonicalize host names.  So it may help to config ssh
> > to not try krb auth (which is basically the gssapi* auth methods, see
> > man ssh_config).  If that doesn't help, use truss or dtrace to see how
> > dns is getting called via ssh.
> > 
> 
> Will:  Man pages say that GSSAPIAuthentication defaults to on. I turned it
> off in the ssh_config file and it still does a dns lookup.
> So what you're saying is that in krb mode ssh does not do a gethostbyname?
> What does it do, since gethostbyname would hit the nsswitch?

I was making an educated guess.  Use truss to see exactly what it is doing.
Try:
truss -o truss.out -t!all -u *: ssh <ssh args>
or
truss -o truss.out -t!all -u *:: ssh <ssh args>
for more detail (will slow ssh way down).

You can also use ssh -vvv to get verbose debug info from ssh to see what
auths it is trying.

-- 
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
