On Mon, Mar 7, 2011 at 7:14 AM, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
On Mon, 7 Mar 2011, Nico Kadel-Garcia wrote:
Have you backported OpenSSH 5.x to CentOS 5? Because I don't see the full feature set without OpenSSH 5.x, such as "GSSApiKeyExchange".
Nope, I like the simple life.
Hmm. What you've described is an ssh_config option, which is set to "no" by default. I'll have to look into that. There have been some interesting..... traction issues with using the backported OpenSSH 5.x I'm currently reliant on for CentOS 5 and RHEL 5.
I'm stock 5.5:
openssh-server-4.3p2-41.el5_5.1
openssh-4.3p2-41.el5_5.1
openssh-clients-4.3p2-41.el5_5.1
Server needs:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Most probably you also want:
AllowGroups blah
Client needs:
GSSAPIAuthentication yes
If you want key forwarding, you also need:
GSSAPIDelegateCredentials yes
Works like a charm, and GSSAPI auth works with PuTTY; delegation doesn't seem to.
If this works, you've just solved a *BIG* problem for me: I'd been handed (ordered before I arrived on the site) the issues of getting Centrify OpenSSH to play nicely, and this avoids the "OpenSSH 5.x does not read .bashrc and read user aliases for remote ssh commands" problem I've been facing, while preserving the effective GSSAPI credentials handling.
*Good* admin. And are you coming to the Boston area, so I can buy you a decent local beer? (I'm not in London anymore.) Why aren't you over on the comp.security.ssh?