On Mon, Mar 7, 2011 at 7:14 AM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote: > On Mon, 7 Mar 2011, Nico Kadel-Garcia wrote: > >> Have you backported OpenSSH 5.x to CentOS 5? Because I don't see the >> full features set without OpenSSH 5.x, such as "GSSApiKeyExchange". > > Nope, I like the simple life. > >> Hmm. What you've described is an ssh_config option, which is set to >> "no" by default. I'll have to look into that. There have been some >> interesting..... traction issues with using the backported OpenSSH 5.x >> I'm currently reliant on for CentOS 5 and RHEL 5. > > I'm stock 5.5: > > openssh-server-4.3p2-41.el5_5.1 > openssh-4.3p2-41.el5_5.1 > openssh-clients-4.3p2-41.el5_5.1 > > Server needs: > > GSSAPIAuthentication yes > GSSAPICleanupCredentials yes > > Most probably you also want: > > AllowGroups blah > > Client needs: > > GSSAPIAuthentication yes > > If you want key forwarding, you also need: > > GSSAPIDelegateCredentials yes > > Works like a charm, and GSSAPI auth works with putty, delegation doesn't seem > to. If this works, you've just solved a *BIG* problem for me: I'd been handed (ordered before I arrived on the site) the issues of getting Centrify OpenSSH to play nicely, and this avoids the "OpenSSH 5.x does not read .bashrc and read user aliases for remote ssh commands" problem I've been facing, while preserving the effective GSSAPI credentials handling. *Good* admin. And are you coming to the Boston are, so I can buy you a decent local beer? (I'm not in London anymore.) Why aren't you over on the comp.security.ssh?