macOS Sierra broke SSH Kerberos authentication
I asked this in the SSH mailing list [email protected] and I got this answer:
The GSSAPITrustDNS was never part of portable OpenSSH. This option originally comes from third party extending kerberos support in OpenSSH, which is no longer maintained, but can be simply rebased on the current sources.
The problem in this case is Apple dropping this patch used by many people, so the Apple is the place where you should ask (or your OpenSSH packager of your favorite repository).
http://marc.info/?l=openssh-unix-dev&m=147850754710753&w=2
It seems that we have to ask apple to put this feature back.
Apparently apple used to apply some GSSAPI patches to their openssh version, but have recently stopped doing it. Fix: build your own with the patches: https://stackoverflow.com/a/46454141/32453