Re: OpenSSH Re: rawhide report: 20040608 changes


On Tue, Jun 08, 2004 at 02:44:43PM -0600, Stephen Smoogen wrote:
> On Tue, 2004-06-08 at 11:34, Nalin Dahyabhai wrote:
> > The gssapi-with-mic support is authentication only AFAIK.  So no gssapi
> > key exchange, which you may miss if you had gotten used to not having to
> > accept (or even create) ssh host public keys.  The credential forwarding
> > works well.
> 
> Ah, OK. That is where I was fuzzy on where gssapi key exchange came into
> play. It is where the Kerberos server authenticates the client to the
> server and server to client?

I think you're referring to mutual authentication, which is requested by
the client, so you can breathe easy.

To perform gssapi authentication, your servers need host keys in their
keytabs (for the benefit of others, keys for "host/fqdn@REALM" in
/etc/krb5.keytab), but the initial key exchange is still performed using
the host's public/private key pairs, so you'll still need those.

> Getting the credential forwarding is actually the big issue for most of
> the scientists.

You'll need to turn on GSSAPIDelegateCredentials for a given host,
otherwise it seems to work quite well.

Nalin
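
Added example, not part of the original message: a small Python audit of which `Host` blocks in an ssh client config turn on GSSAPIDelegateCredentials, since delegation hands the server usable Kerberos credentials and is meant to be enabled for a given host. The hostnames and the function name `audit_delegation` are constructed for illustration; the check is per block and does not resolve ssh's first-value-wins merging across blocks.

```python
import re

# Constructed sample ~/.ssh/config (hostnames are placeholders).
SAMPLE = """\
GSSAPIAuthentication yes

Host compute1.example.org
    GSSAPIDelegateCredentials yes

Host *.example.org
    gssapidelegatecredentials = yes

Host legacy.example.org
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIDelegateCredentials no
"""

def audit_delegation(text):
    """Return (host patterns, finding) for each block that enables delegation."""
    blocks = [("(global)", {})]          # options before the first Host line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and value are separated by whitespace or a single '='
        key, _, value = re.sub(r"\s*=\s*|\s+", " ", line, count=1).partition(" ")
        key = key.lower()                # ssh_config keywords are case-insensitive
        if key in ("host", "match"):
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value.strip().lower())  # first value wins
    findings = []
    for patterns, opts in blocks:
        if opts.get("gssapidelegatecredentials") != "yes":
            continue
        if opts.get("gssapiauthentication") == "no":
            findings.append((patterns, "no effect: GSSAPI auth disabled in block"))
        elif "*" in patterns or "?" in patterns:
            findings.append((patterns, "wildcard: delegates to every matching host"))
        else:
            findings.append((patterns, "ok: single named host"))
    return findings

if __name__ == "__main__":
    for patterns, finding in audit_delegation(SAMPLE):
        print(f"{patterns:28} {finding}")
```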


