Reply To: Robert D. Kennedy
Date: Fri, 15 Jul 2005 20:53:40 -0500
Content-Type: multipart/signed
Hello,
Perhaps this is in the release notes, or in a previous thread,
and if so I apologize. We have many hosts which we must access to
support production services running older versions of ssh and openssh...
that come with RH 7.3 and SL3... ones that know and use the "gssapi"
authentication mechanism. Since openssh 3.8:
* The experimental "gssapi" support has been replaced with
the "gssapi-with-mic" to fix possible MITM attacks.
The two versions are not compatible.
And that is my experience... clients of one do not authenticate with
servers of the other. Gssapi and gssapi-with-mic are wholly
incompatible. I have been holding back, or recommending holding back,
machines to the older ssh with gssapi, but am starting to get nervous.
Since SL4 ships with the gssapi-with-mic openssh, and I would dearly
like to upgrade to it without losing kerberos authentication in ssh
(want that ssh tunnel to support X11 through a NAT), is there something
I am overlooking? Do we have only a choice between burning "access"
bridges by upgrading to openssh 3.9 or retain an old and possibly
insecure version of openssh on an otherwise upgraded OS? This seems like
a big issue for a largely kerberos-oriented site (such as Fermilab)...
yet I have not heard anything or googled anything substantial on the topic.
Thanks,
Rob Kennedy