On Sat, 2005-07-16 at 03:53, Robert D. Kennedy wrote:
..
> And that is my experience... clients of one do not authenticate with 
> servers of the other. Gssapi and gssapi-with-mic are wholly 
> incompatible. I have been holding back, or recommending holding back, 
> machines to the older ssh with gssapi, but am starting to get nervous. 
> Since SL4 ships with the gssapi-with-mic openssh, and I would dearly 
> like to upgrade to it without losing kerberos authentication in ssh 
> (want that ssh tunnel to support X11 through a NAT), is there something 
> I am overlooking? Do we have only a choice between burning "access" 
> bridges by upgrading to openssh 3.9 or retain an old and possibly 
> insecure version of openssh on an otherwise upgraded OS? This seems like 
> a big issue for a largely kerberos-oriented site (such as Fermilab)... 
> yet I have not heard anything or googled anything substantial on the topic.

I believe that some openssh-3.9 version (sorry, lost the matching .spec
file) from Red Hat actually carried both "gssapi" and "gssapi-with-mic"
patches for some time to ease the transition. Original "transition"
patch available from
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107826289602763&w=2

CERN has run its own version of OpenSSH since <forever>. That version is
still mostly based around Kerberos4 (since we only recently moved the
AFS "KDC" to Kerberos5), so luckily we don't have a large Kerberos5
userbase. So "gssapi-with-mic" isn't so much of an issue for us... (as
long as Kerberos4 auth works, which is a different can of worms).

Regards
jan
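
An added note, not part of the thread above: before upgrading a client or
server, it helps to know which of the two method names ("gssapi" from the
old GSSAPI patch, "gssapi-with-mic" from OpenSSH 3.9 and later) a given sshd
actually advertises. OpenSSH prints the server's offered methods in its
"ssh -vv" debug output ("debug1: Authentications that can continue: ...").
The script below is an example written for this page, not code from the
thread, from CERN or from Red Hat; the two debug transcripts in it are
constructed, and the probe_host helper and its name are assumptions for
illustration.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): classify which GSSAPI
# userauth method an OpenSSH server advertises, based on "ssh -vv" output.
# Servers built with the old GSSAPI patch offer "gssapi"; OpenSSH 3.9+ offers
# "gssapi-with-mic"; clients of one do not authenticate against the other.

# gssapi_methods: read "ssh -vv" debug output on stdin and print the GSSAPI
# method names the server offered, one space-separated line (may be empty).
# The "Authentications that can continue" line can repeat after each failed
# method, so the result is de-duplicated.
gssapi_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' |
        tr ',' '\n' | grep '^gssapi' | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# classify: map a method list to a verdict: old, with-mic, both or none.
classify() {
    old=no
    mic=no
    for m in $1; do
        case "$m" in
            gssapi)          old=yes ;;
            gssapi-with-mic) mic=yes ;;
        esac
    done
    if [ "$old" = yes ] && [ "$mic" = yes ]; then
        echo both
    elif [ "$mic" = yes ]; then
        echo with-mic
    elif [ "$old" = yes ]; then
        echo old
    else
        echo none
    fi
}

# probe_host (assumed helper, hypothetical name): run a real probe against a
# host. BatchMode stops ssh from prompting; the "true" command never runs
# because no usable method is allowed, we only want the debug transcript.
probe_host() {
    ssh -vv -o BatchMode=yes -o PreferredAuthentications=none "$1" true 2>&1 |
        gssapi_methods
}

# Constructed sample transcripts (not captured from any real host).
SAMPLE_NEW='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password'

SAMPLE_OLD='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi,password'

SAMPLE_NONE='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password'

# Demonstration on the constructed samples (no network needed).
for name in NEW OLD NONE; do
    eval "sample=\$SAMPLE_$name"
    methods=$(printf '%s\n' "$sample" | gssapi_methods)
    echo "$name: methods='$methods' verdict=$(classify "$methods")"
done
```

Against a live host you would call "probe_host some.server" and feed the
result to classify; a "both" verdict is what the transitional Red Hat
build described above would produce, and "old" versus "with-mic" tells you
which side of the incompatibility a host sits on.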