
salt-ssh disables GSSAPIAuthentication when it is supported #48563

Open
seanorama opened this issue Jul 12, 2018 · 6 comments
Labels: Feature, Salt-SSH

Comments

@seanorama

Description of Issue/Question

salt-ssh is sending -o GSSAPIAuthentication=no even though GSSAPIAuthentication is supported and is enabled in /etc/ssh/ssh_config and ~/.ssh/config.

Setup

salt-ssh:
  ssh_wipe: True

roster_defaults:
  user: sean

Steps to Reproduce Issue

Notice salt-ssh disabling GSSAPIAuthentication:

$ salt-ssh -l debug 'testhost' test.ping
[INFO    ] Loading Saltfile from '/home/sean/salt/Saltfile'
[DEBUG   ] Reading configuration from /home/sean/salt/Saltfile
[DEBUG   ] Reading configuration from /home/sean/salt/etc/master
[DEBUG   ] Configuration file path: /home/sean/salt/etc/master
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG   ] LazyLoaded flat.targets
[DEBUG   ] LazyLoaded jinja.render
[DEBUG   ] LazyLoaded yaml.render
[DEBUG   ] compile template: /home/sean/salt/etc/roster
[DEBUG   ] Jinja search path: [u'/home/sean/salt/var/cache/salt/master/files/base']
[DEBUG   ] LazyLoaded roots.envs
[DEBUG   ] Could not LazyLoad roots.init: 'roots.init' is not available.
[DEBUG   ] Updating roots fileserver cache
[PROFILE ] Time (in seconds) to render '/home/sean/salt/etc/roster' using 'jinja' renderer: 0.0232079029083
[DEBUG   ] Rendered data from file: /home/sean/salt/etc/roster:
testhost: testhost

[DEBUG   ] Results of YAML rendering:
OrderedDict([(u'testhost', u'testhost')])
[PROFILE ] Time (in seconds) to render '/home/sean/salt/etc/roster' using 'yaml' renderer: 0.00248312950134
[DEBUG   ] Matched minions: {u'testhost': {u'host': u'testhost', u'tty': True, u'user': u'sean'}}
[DEBUG   ] LazyLoaded roots.envs
[DEBUG   ] Could not LazyLoad roots.init: 'roots.init' is not available.
[DEBUG   ] Updating roots fileserver cache
[DEBUG   ] LazyLoaded local_cache.prep_jid
[DEBUG   ] Adding minions for job 20180712204141804651: [u'testhost']
[DEBUG   ] Could not LazyLoad test.ping: 'test.ping' is not available.
[DEBUG   ] Performing shimmed, blocking command as follows:
test.ping
[DEBUG   ] Executing command: ssh testhost -t -t -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=/home/sean/salt/etc/salt/pki/master/ssh/salt-ssh.rsa -o User=sean  mkdir -p
[DEBUG   ] Child Forked! PID: 62250  STDOUT_FD: 11  STDERR_FD: 13
[DEBUG   ] Terminal Command: /bin/sh -c ssh testhost -t -t -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=/home/sean/salt/etc/salt/pki/master/ssh/salt-ssh.rsa -o User=sean  mkdir -p
[DEBUG   ] Executing command: scp -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=/home/sean/salt/etc/salt/pki/master/ssh/salt-ssh.rsa -o User=sean  /tmp/shim_5jNxRZ testhost:.bb107630c10a.py
[DEBUG   ] Child Forked! PID: 62251  STDOUT_FD: 11  STDERR_FD: 13
[DEBUG   ] Terminal Command: /bin/sh -c scp -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=/home/sean/salt/etc/salt/pki/master/ssh/salt-ssh.rsa -o User=sean  /tmp/shim_5jNxRZ testhost:.bb107630c10a.py
[DEBUG   ] Executing command: ssh testhost -t -t -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=/home/sean/salt/etc/salt/pki/master/ssh/salt-ssh.rsa -o User=sean  /bin/sh '$HOME/.bb107630c10a.py'
[DEBUG   ] Child Forked! PID: 62253  STDOUT_FD: 11  STDERR_FD: 13
[DEBUG   ] Terminal Command: /bin/sh -c ssh testhost -t -t -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=/home/sean/salt/etc/salt/pki/master/ssh/salt-ssh.rsa -o User=sean  /bin/sh '$HOME/.bb107630c10a.py'
[DEBUG   ] Executing command: ssh testhost -t -t -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=/home/sean/salt/etc/salt/pki/master/ssh/salt-ssh.rsa -o User=sean  rm '$HOME/.bb107630c10a.py'
[DEBUG   ] Child Forked! PID: 62254  STDOUT_FD: 11  STDERR_FD: 13
[DEBUG   ] Terminal Command: /bin/sh -c ssh testhost -t -t -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=/home/sean/salt/etc/salt/pki/master/ssh/salt-ssh.rsa -o User=sean  rm '$HOME/.bb107630c10a.py'
[DEBUG   ] RETCODE testhost: 254
[DEBUG   ] SHIM retcode(254) and command:
Permission denied for host testhost, do you want to deploy the salt-ssh key? (password required):
[Y/n]

But SSH works automatically using GSSAPI:

$ ssh -v testhost
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /home/sean/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to testhost [10.1.19.165] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/sean/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sean/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sean/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sean/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sean/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sean/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sean/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sean/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to testhost:22 as 'sean'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:...
debug1: Host 'testhost' is known and matches the ECDSA host key.
debug1: Found key in /home/sean/.ssh/known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to testhost ([10.1.19.165]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
Last login: Thu Jul 12 20:11:24 2018 from 10.1.19.10
[sean@testhost ~]$

Versions Report

$ salt-ssh --versions
Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.7.3
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.7.2
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: 0.21.1
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.5 (default, May  3 2017, 07:55:04)
   python-gnupg: Not Installed
         PyYAML: 3.10
          PyZMQ: 14.3.1
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 3.2.5

System Versions:
           dist: redhat 7.4 Maipo
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-693.el7.x86_64
         system: Linux
        version: Red Hat Enterprise Linux Server 7.4 Maipo
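The precedence this report turns on (an explicit -o on the ssh command line wins over anything in ssh_config or ~/.ssh/config) can be checked mechanically. The following Python is an added example, not code from Salt or from the reporter: it takes the ssh command salt-ssh logged above (with the IdentityFile path shortened) and a constructed ~/.ssh/config that enables GSSAPI, and lists every setting the command line silently overrides. The ssh_config reader is a deliberate minimum (Host blocks, first value wins, no Match or Include).

```python
import re
import shlex

# Constructed input: the ssh command salt-ssh logged in the report above
# (IdentityFile path shortened) and a minimal ~/.ssh/config enabling GSSAPI.
SALT_SSH_CMD = (
    "ssh testhost -t -t -o KbdInteractiveAuthentication=no "
    "-o PasswordAuthentication=no -o GSSAPIAuthentication=no "
    "-o ConnectTimeout=65 -o Port=22 -o IdentityFile=/path/salt-ssh.rsa "
    "-o User=sean mkdir -p"
)
SSH_CONFIG = """\
Host *
    GSSAPIAuthentication yes
    PasswordAuthentication yes
"""

def parse_cmdline_opts(cmd):
    """Map each '-o key=value' argument; keys lower-cased (OpenSSH ignores case)."""
    argv = shlex.split(cmd)
    opts = {}
    for i, tok in enumerate(argv):
        if tok == "-o" and i + 1 < len(argv) and "=" in argv[i + 1]:
            key, val = argv[i + 1].split("=", 1)
            opts[key.lower()] = val
    return opts

def parse_ssh_config(text, host):
    """Minimal ssh_config reader (Host blocks, first value wins); no Match/Include."""
    effective, active = {}, True
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, val = re.split(r"[=\s]+", line, maxsplit=1)
        if key.lower() == "host":
            active = any(p in ("*", host) for p in val.split())
        elif active:
            effective.setdefault(key.lower(), val)
    return effective

def find_overrides(cmd, config_text, host):
    """Sorted (option, config_value, cmdline_value) for each setting -o replaces."""
    cmd_opts = parse_cmdline_opts(cmd)
    cfg = parse_ssh_config(config_text, host)
    return sorted((k, cfg[k], v) for k, v in cmd_opts.items()
                  if k in cfg and cfg[k].lower() != v.lower())

for opt, cfg_val, cli_val in find_overrides(SALT_SSH_CMD, SSH_CONFIG, "testhost"):
    print("%s: ssh_config says %s, salt-ssh forces %s" % (opt, cfg_val, cli_val))
```

Run against the real command from a -l debug log and the real ~/.ssh/config to see which authentication methods salt-ssh has turned off for that host before it falls back to the "deploy the salt-ssh key" prompt.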
@Ch3LL (Contributor) commented Jul 13, 2018

It looks like currently it's hardcoded as an option (if self.opts.get('_ssh_version', (0,)) > (4, 9):), so will approve as a feature to look into adding it as an option the user can set: https://github.com/saltstack/salt/blob/v2018.3.2/salt/client/ssh/shell.py#L128

@Ch3LL Ch3LL added the Feature and Salt-SSH labels Jul 13, 2018
@Ch3LL Ch3LL added this to the Approved milestone Jul 13, 2018
@Ch3LL Ch3LL added the team-ssh label Jul 13, 2018
@seanorama (Author) commented

Thanks.

Why is salt-ssh passing these configs at all?

They are defined in /etc/ssh/ssh_config and ~/.ssh/config. It shouldn't silently override the system/user configs.

@Ch3LL (Contributor) commented Jul 17, 2018

I'm not sure why this setting was hardcoded. @thatch45, do you know why this was initially hardcoded?

@stale (stale bot) commented Jan 10, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

@stale stale bot added the stale label Jan 10, 2020
@stale stale bot closed this as completed Jan 17, 2020
@sridhargude commented

@Ch3LL Can we please re-open this issue? Is there any alternative to resolve this problem?

@sagetherage sagetherage reopened this Oct 7, 2020
@sagetherage (Contributor) commented

Stale bot died, so that shouldn't be a problem here again.

@sagetherage sagetherage removed the stale label Oct 7, 2020
@sagetherage sagetherage added this to Feature in Salt-SSH May 18, 2021
No branches or pull requests

4 participants