nixops
Silence `Unsupported option "gssapi*"` errors
When connecting to a machine it deployed (at least on VirtualBox), nixops emits, numerous times, warnings of the form:
machine> /etc/ssh/ssh_config line 53: Unsupported option "gssapiauthentication"
machine> /etc/ssh/ssh_config line 54: Unsupported option "gssapidelegatecredentials"
These warnings are innocuous, but they tend to make co-workers uneasy. It would be appreciated if there were a way to silence them.
@aspiwack what nixos-version is this?
@domenkozar sorry, I should have specified that: I'm not on a NixOS. I'm using an Ubuntu (15.10 at the time, 16.04 now).
@aspiwack and deploying NixOS 16.03 inside the guest?
# nixos-version
16.03pre-git (Emu)
It had been pinned for reproducibility a while ago now. I could try to upgrade to a more recent version if that would help.
I think the simplest solution is either for you to remove the related options from /etc/ssh/ssh_config
or to install ssh with kerberos enabled as a dependency of nixops. openssh is one of the arguments of nixops/generic.nix, but unfortunately it's not exposed as one of the arguments of nixops/default.nix; if it were, you could simply select it with (nixops.override {openssh=openssh_with_kerberos;}) inside your config.nix
Otherwise, you can do overrideDerivation, but that seems dirtier
These warnings are still here with NixOS 17.09pre108299.ec9a23332f (Hummingbird) (provisioned by NixOps 1.5.1pre2169_8f4a67c).
These warnings are innocuous, but they tend to make co-workers uneasy. It would be appreciated if there were a way to silence them.
I agree. Default config should not generate warnings like this IMHO.
I propose that openssh_with_kerberos be the default openssh.
Okay, for anyone who wants to fix these issues who's using Nix but not NixOS (I'm not sure how this would be fixed on NixOS, I'm sure someone who knows more could easily adapt this solution). Credit goes to @cleverca22.
Add this to your ~/.config/nixpkgs/config.nix
{
  packageOverrides = pkgs: {
    # Rebuild OpenSSH with Kerberos (GSSAPI) support and tag the package name
    openssh = pkgs.appendToName "with-kerberos" (pkgs.openssh.override {
      withKerberos = true;
    });
  };
}
Now you need to reinstall any packages that depend on OpenSSH.
For OpenSSH, you need to use nix-env -iA nixpkgs.openssh. nix-env -i git works normally.
@grantwwu do I have to re-install anything after adding this line to nixpkgs config? I'm still getting the same errors after nixops deploy.
@osa1 From the original post:
Now you need to reinstall any packages that depend on OpenSSH.
Sorry I can't be of more assistance; I'm not really sure how to go about enumerating which packages depend on OpenSSH, or how this interacts with Nixops.
I've just posted https://github.com/NixOS/nixpkgs/pull/34348 to enable Kerberos by default in the OpenSSH package.
FYI, that PR was merged and openssh with Kerberos is now the default, so this should be fixed if you have a new enough NixOS on your machines.
These warnings are back now for all of us occasional Kerberos users to enjoy! https://github.com/NixOS/nixpkgs/pull/302688
man 5 ssh_config | grep -A2 IgnoreUnknown
IgnoreUnknown
Specifies a pattern-list of unknown options to be ignored if they are encountered in configuration parsing.
This may be used to suppress errors if ssh_config contains options that are unrecognised by ssh(1). It is
recommended that IgnoreUnknown be listed early in the configuration file as it will not be applied to unknown
options that appear before it.
If you use the home-manager ssh module, you can do something like:
home-manager.users.<name>.programs.ssh.matchBlocks."*".extraOptions.IgnoreUnknown = "gssapikexalgorithms,gssapiauthentication,gssapidelegatecredentials";
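
The ordering rule in the man page excerpt above ("will not be applied to unknown options that appear before it"), as an added example that is not part of the original thread: a small Python checker that reports which GSSAPI options in an ssh_config text would still be reported as unsupported. The function names and sample configs are constructed for illustration, and the checker assumes that only the first IgnoreUnknown line counts and that it is active regardless of the enclosing Host block.

```python
import re

# Options an ssh built without Kerberos rejects (names taken from this thread).
GSSAPI_OPTIONS = {"gssapiauthentication", "gssapidelegatecredentials", "gssapikexalgorithms"}

def _matches(name, pattern_list):
    """ssh-style pattern-list: comma-separated, '*' and '?' wildcards, '!' negates."""
    hit = False
    for pat in pattern_list.lower().split(","):
        pat = pat.strip()
        negated = pat.startswith("!")
        pat = pat.lstrip("!")
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
        if pat and re.fullmatch(regex, name):
            if negated:
                return False  # a negated match vetoes the whole list
            hit = True
    return hit

def still_warns(config_text, unsupported=GSSAPI_OPTIONS):
    """Return [(line_number, keyword)] for unsupported options not covered by IgnoreUnknown."""
    ignore, findings = None, []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "ignoreunknown":
            # assumption of this example: the first IgnoreUnknown value wins
            ignore = ignore if ignore is not None else value
        elif keyword in unsupported and not (ignore and _matches(keyword, ignore)):
            findings.append((lineno, keyword))
    return findings

# Constructed samples: IgnoreUnknown placed too late, then placed first.
LATE = """Host *
    GSSAPIAuthentication yes
    IgnoreUnknown gssapi*
    GSSAPIDelegateCredentials no
"""
EARLY = """IgnoreUnknown gssapikexalgorithms,gssapiauthentication,gssapidelegatecredentials
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""

if __name__ == "__main__":
    print(still_warns(LATE), still_warns(EARLY))
```

The reported line numbers correspond to the "line 53" style positions in the warnings quoted at the top of the thread.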