On Tue, Jun 08, 2004 at 02:44:43PM -0600, Stephen Smoogen wrote: > On Tue, 2004-06-08 at 11:34, Nalin Dahyabhai wrote: > > The gssapi-with-mic support is authentication only AFAIK. So no gssapi > > key exchange, which you may miss if you had gotten used to not having to > > accept (or even create) ssh host public keys. The credential forwarding > > works well. > > ah ok. that is where I was fuzzy on where gssapi key exchange came into > play. It is where the kerberos server authenticates the client to the > server and server to client? I think you're referring to mutual authentication, which is requested by the client, so you can breathe easy. To perform gssapi authentication, your servers need host keys in their keytabs (for the benefit of others, keys for "host/fqdn@REALM" in /etc/krb5.keytab), but the initial key exchange is still performed using the host's public/private key pairs, so you'll still need those. > Getting the credential forwarding is actually the big issue for most of > the scientists. You'll need to turn on GSSAPIDelegateCredentials for a given host, otherwise it seems to work quite well. Nalin
