On Sat, 2005-07-16 at 03:53, Robert D. Kennedy wrote:
..
> And that is my experience... clients of one do not authenticate with
> servers of the other. Gssapi and gssapi-with-mic are wholly
> incompatible. I have been holding back, or recommending holding back,
> machines to the older ssh with gssapi, but am starting to get nervous.
> Since SL4 ships with the gssapi-with-mic openssh, and I would dearly
> like to upgrade to it without losing kerberos authentication in ssh
> (want that ssh tunnel to support X11 through a NAT), is there something
> I am overlooking? Do we have only a choice between burning "access"
> bridges by upgrading to openssh 3.9 or retain an old and possibly
> insecure version of openssh on an otherwise upgraded OS? This seems like
> a big issue for a largely kerberos-oriented site (such as Fermilab)...
> yet I have not heard anything or googled anything substantial on the topic.

I believe that some openssh-3.9 version (sorry, lost the matching .spec
file) from Red Hat actually carried both "gssapi" and "gssapi-with-mic"
patches for some time to ease the transition.

Original "transition" patch available from
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107826289602763&w=2

CERN runs its own version of Openssh since <forever>. That version is
still mostly based around Kerberos4 (since we only recently moved the
AFS "KDC" to Kerberos5), so luckily we don't have a large Kerberos5
userbase. So "gssapi-with-mic" isn't so much of an issue for us... (as
long as Kerberos4 auth works, which is a different can of worms).

Regards
jan
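
Added example, not part of the original message and not OpenSSH code: a small inventory check that reads `ssh -v` client debug output and reports, per server, whether it advertises the old "gssapi" userauth method, "gssapi-with-mic", or both (as a build carrying the transition patch would). The host names, addresses and log lines are constructed samples.

```python
import re

# Constructed sample of `ssh -v` debug output; hosts and addresses are made up.
SAMPLE_LOG = """\
debug1: Connecting to old.example.org [192.0.2.10] port 22.
debug1: Authentications that can continue: publickey,gssapi,password
debug1: Connecting to new.example.org [192.0.2.11] port 22.
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Connecting to bridge.example.org [192.0.2.12] port 22.
debug1: Authentications that can continue: gssapi-with-mic,gssapi,publickey
debug1: Connecting to plain.example.org [192.0.2.13] port 22.
debug1: Authentications that can continue: publickey,password
"""

CONNECT = re.compile(r"^debug1: Connecting to (\S+) ")
METHODS = re.compile(r"^debug1: Authentications that can continue: (\S+)")
GSS_METHODS = {"gssapi", "gssapi-with-mic"}

def offered_methods(log):
    """Map each host to the set of userauth method names its server advertised."""
    hosts, current = {}, None
    for line in log.splitlines():
        if m := CONNECT.match(line):
            current = m.group(1)
            hosts.setdefault(current, set())
        elif (m := METHODS.match(line)) and current is not None:
            # Method names are compared exactly: "gssapi" is a different
            # method from "gssapi-with-mic", not a prefix of it.
            hosts[current].update(m.group(1).split(","))
    return hosts

def classify(methods):
    """Describe which GSSAPI userauth generation a server offers."""
    old, new = "gssapi" in methods, "gssapi-with-mic" in methods
    if old and new:
        return "both (transition build)"
    if new:
        return "gssapi-with-mic only"
    if old:
        return "gssapi only"
    return "no GSSAPI userauth"

def client_can_use_gssapi(client_methods, server_methods):
    """True if client and server share at least one GSSAPI method name."""
    return bool(GSS_METHODS & set(client_methods) & set(server_methods))

if __name__ == "__main__":
    for host, methods in offered_methods(SAMPLE_LOG).items():
        print(f"{host}: {classify(methods)}")
```
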