Hi,
there is a bug in SL5's openssh client which is introduced by RetHat's
openssh-4.3p2-gssapi-canohost.patch, if you use Kerberos5 authentication
in
conjunction with the "ProxyCommand" option.
To verify the bug run
ssh -v -o "ProxyCommand nc %h %p" -o "PasswordAuthentication no" -o
"PubkeyAuthentication no" -o "GSSAPIAuthentication yes" $HOST "echo work
s"
on a host which allows login with a Kerberos5 ticket.
On SL5 openssh fails with
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Hostname cannot be canonicalized
[...]
With a vanilla build of openssh this command succeeds.
The fedora project already uses a fixed version of th
openssh-4.3p2-gssapi-canohost.path
http://cvs.fedoraproject.org/viewvc/rpms/openssh/devel/openssh-4.3p2-gssa
pi-canohost.patch?sortdir=down&view=log
Could you backport the fixed patch to the SL5 openssh packages?
Cheers,
Jörgen Samson