Debugging a Nagios warning on ssh, I've discovered that `gssapi-with-mic` is causing long lags in authentication. I've turned it off, but what exactly am I missing? I gather that GSSAPI is a tool for authentication, but what about the `-with-mic` part?
3 Answers
This is also called a Message Authentication Code, but that acronym gets used for other things, so MIC is less ambiguous. From that Wikipedia page:
The term message integrity code (MIC) is frequently substituted for the term MAC, especially in communications, where the acronym MAC traditionally stands for Media Access Control.
- MAC doesn't stand for Media Access Control but for Message Authentication Code (see [Wikipedia:hmac](https://en.wikipedia.org/wiki/HMAC)) – Ikke Jun 19 '12 at 07:09
- @Ikke Actually it stands for both (which is why `MIC` has come into use, to disambiguate the two when talking about a MAC (message authentication code) associated with data transmitted across networks that use MACs (Media Access Control addresses)). – voretaq7 Aug 06 '12 at 22:00
- @voretaq7 You're completely right. I misread the answer. – Ikke Aug 07 '12 at 07:52
- Oh, I thought it was a microphone and I wondered what the heck. – Vlasec Jan 14 '16 at 12:17
The fix is simple: disable attempts to use GSS-API by adding the following to `~/.ssh/config`:
```
GSSAPIAuthentication no
```

GSSAPI Authentication is typically used with Kerberos. Kerberos must be configured on both the server and client. If you are not using Kerberos, then you probably do not need it. If you are just using passwords or SSH keys to log in to your server, you likely do not need GSSAPI, and you can disable it in the sshd_config file.
Set in `/etc/ssh/sshd_config`:
```
GSSAPIAuthentication no
```
As for the "with-mic" part, there are two authentication methods for GSSAPI: with-mic and -keyex. The MIC stands for message integrity code. And from what I gather from reading RFC 4462, it is generated by the client using many of the agreed-upon connection parameters and is hashed several times.
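To make the "with-mic" part concrete, here is an added example (not code from any of the answers above or from OpenSSH) that builds the byte string RFC 4462 section 3.5 tells the client to pass to GSS_GetMIC(): the session identifier, the message number, the user name, the service and the method name. The functions `toy_get_mic` and `toy_verify_mic` are hypothetical stand-ins that use HMAC-SHA256 under a constructed key; a real MIC comes from the Kerberos GSS-API context.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number defined in RFC 4252


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def mic_input(session_id: bytes, user: str, service: str = "ssh-connection") -> bytes:
    """Data the client hands to GSS_GetMIC() (RFC 4462 section 3.5)."""
    return (
        ssh_string(session_id)
        + bytes([SSH_MSG_USERAUTH_REQUEST])
        + ssh_string(user.encode("utf-8"))
        + ssh_string(service.encode("ascii"))
        + ssh_string(b"gssapi-with-mic")
    )


def toy_get_mic(context_key: bytes, data: bytes) -> bytes:
    """Stand-in for GSS_GetMIC(): HMAC-SHA256 under a constructed key.
    Assumption for illustration; the real MIC is mechanism-specific."""
    return hmac.new(context_key, data, hashlib.sha256).digest()


def toy_verify_mic(context_key: bytes, data: bytes, mic: bytes) -> bool:
    """Stand-in for GSS_VerifyMIC(): recompute, compare in constant time."""
    return hmac.compare_digest(toy_get_mic(context_key, data), mic)


# Constructed sample values, not taken from a real connection.
CONTEXT_KEY = bytes(range(32))
SESSION_A = hashlib.sha256(b"constructed key exchange A").digest()
SESSION_B = hashlib.sha256(b"constructed key exchange B").digest()

if __name__ == "__main__":
    mic = toy_get_mic(CONTEXT_KEY, mic_input(SESSION_A, "alice"))
    # Server side: only the same session id and user name verify.
    for sid, user in ((SESSION_A, "alice"), (SESSION_B, "alice"), (SESSION_A, "root")):
        print(user, toy_verify_mic(CONTEXT_KEY, mic_input(sid, user), mic))
```

Because the session identifier is part of the signed data, a MIC produced for one SSH connection does not verify on another, and neither does one produced for a different user name.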