On Mon, Mar 7, 2011 at 7:14 AM, John Hodrien <J.H.Hodrien@xxxxxxxxxxx> wrote:
> On Mon, 7 Mar 2011, Nico Kadel-Garcia wrote:
>
>> Have you backported OpenSSH 5.x to CentOS 5? Because I don't see the
>> full features set without OpenSSH 5.x, such as "GSSApiKeyExchange".
>
> Nope, I like the simple life.
>
>> Hmm. What you've described is an ssh_config option, which is set to
>> "no" by default. I'll have to look into that. There have been some
>> interesting..... traction issues with using the backported OpenSSH 5.x
>> I'm currently reliant on for CentOS 5 and RHEL 5.
>
> I'm stock 5.5:
>
> openssh-server-4.3p2-41.el5_5.1
> openssh-4.3p2-41.el5_5.1
> openssh-clients-4.3p2-41.el5_5.1
>
> Server needs:
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> Most probably you also want:
>
> AllowGroups blah
>
> Client needs:
>
> GSSAPIAuthentication yes
>
> If you want key forwarding, you also need:
>
> GSSAPIDelegateCredentials yes
>
> Works like a charm, and GSSAPI auth works with putty, delegation doesn't seem
> to.

If this works, you've just solved a *BIG* problem for me: I'd been
handed (ordered before I arrived on the site) the issues of getting
Centrify OpenSSH to play nicely, and this avoids the "OpenSSH 5.x does
not read .bashrc and read user aliases for remote ssh commands"
problem I've been facing, while preserving the effective GSSAPI
credentials handling.

*Good* admin. And are you coming to the Boston area, so I can buy you a
decent local beer? (I'm not in London anymore.) Why aren't you over on
the comp.security.ssh?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
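
The server and client settings listed in the quoted reply, turned into a configuration check. This is an added example, not part of the original thread: the function names and sample files are constructed, and it assumes the first value found for a keyword is the effective one, looking only at global lines and `Host *` blocks.

```shell
#!/bin/sh
# Added example (not from the thread): audit the GSSAPI settings quoted above.
# Assumptions: the first value found for a keyword wins; only global lines and
# "Host *" blocks are considered; parsing stops at the first Match block.

effective_value() {  # effective_value FILE KEYWORD -> first value set, or empty
    awk -v want="$2" '
        BEGIN { want = tolower(want); active = 1 }
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }   # allow "Key=value"
        key == "match" { exit }
        key == "host"  { active = (NF == 2 && $2 == "*"); next }
        active && key == want { print $2; exit }  # keywords are case-insensitive
    ' "$1"
}

check_yes() {  # check_yes FILE KEYWORD -> 0 only if explicitly set to "yes"
    val=$(effective_value "$1" "$2")
    if [ "$val" = "yes" ]; then
        echo "ok      $2 yes ($1)"
    else
        echo "MISSING $2 yes ($1, found: ${val:-unset})"
        return 1
    fi
}

audit_gssapi() {  # audit_gssapi SSHD_CONFIG SSH_CONFIG
    rc=0
    check_yes "$1" GSSAPIAuthentication     || rc=1
    check_yes "$1" GSSAPICleanupCredentials || rc=1
    [ -n "$(effective_value "$1" AllowGroups)" ] ||
        echo "note    no AllowGroups restriction in $1"
    check_yes "$2" GSSAPIAuthentication     || rc=1
    [ "$(effective_value "$2" GSSAPIDelegateCredentials)" = "yes" ] ||
        echo "note    GSSAPIDelegateCredentials not enabled in $2 (no forwarding)"
    return $rc
}

# Constructed sample files mirroring the settings quoted in the thread.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'GSSAPIAuthentication yes' \
    'GSSAPICleanupCredentials yes' 'AllowGroups blah' > "$demo_dir/sshd_config"
printf '%s\n' 'Host *' '    GSSAPIAuthentication yes' > "$demo_dir/ssh_config"
audit_gssapi "$demo_dir/sshd_config" "$demo_dir/ssh_config"
```

On a real host, point `audit_gssapi` at the system's own sshd_config and ssh_config paths instead of the sample files.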