Hi,
We've talked about this and feel it isn't something we have the
resources to maintain. Please put this bug in with The Upstream Vendor
(RedHat).
I'm sorry.
Troy
Joergen Samson wrote:
> Hi,
> there is a bug in SL5's openssh client which is introduced by RetHat's
>
> openssh-4.3p2-gssapi-canohost.patch, if you use Kerberos5 authentication
> in
> conjunction with the "ProxyCommand" option.
>
> To verify the bug run
>
> ssh -v -o "ProxyCommand nc %h %p" -o "PasswordAuthentication no" -o
> "PubkeyAuthentication no" -o "GSSAPIAuthentication yes" $HOST "echo work
> s"
>
> on a host which allows login with a Kerberos5 ticket.
>
> On SL5 openssh fails with
> [...]
> debug1: Next authentication method: gssapi-with-mic
> debug1: An invalid name was supplied
> Hostname cannot be canonicalized
> [...]
>
> With a vanilla build of openssh this command succeeds.
>
> The fedora project already uses a fixed version of th
> openssh-4.3p2-gssapi-canohost.path
>
> http://cvs.fedoraproject.org/viewvc/rpms/openssh/devel/openssh-4.3p2-gssa
> pi-canohost.patch?sortdir=down&view=log
>
> Could you backport the fixed patch to the SL5 openssh packages?
>
> Cheers,
> Jörgen Samson
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/LSCS/CSI/USS Group
__________________________________________________