From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040930

Description of problem:
The openssh that comes in RHEL4 Beta1 can do gssapi Kerberos authentication between other RHEL4 Beta1 systems. But it cannot do this authentication with older versions of openssh that have the gssapi patch in them, such as the openssh that comes with RHEL 3 that has been recompiled with gss in the name (so that it automatically sucks in the gssapi patch).

It appears this is because the new openssh (openssh-3.9p1-3) is using a different gssapi protocol or name than the older openssh (openssh-3.6.1p2-33.30.1gss).

In a test with 4 machines, 2 were set up and kerberized with the new openssh, and 2 were set up and kerberized with the old ssh. The machines with the new openssh can log into each other, and the machines with the old openssh can log into each other, but they can't go from old to new, or new to old.

Here is part of the error when going from old to new:
5777: Permission denied (gssapi-with-mic,keyboard-interactive).

Here is part of the error when going from new to old:
Permission denied (external-keyx,gssapi,keyboard-interactive).

It appears that the new gssapi protocol is gssapi-with-mic and it appears to not be compatible with the old gssapi.

Version-Release number of selected component (if applicable):
openssh-3.9p1-3

How reproducible:
Always

Steps to Reproduce:
1. Kerberize 4 machines. 2 have the new openssh-3.6.1p2-33.30.1gss, and 2 with the old openssh-3.6.1p2-33.30.1gss.
2. Verify that the new openssh machines can log into each other.
3. Verify that the old openssh machines can log into each other.
4. Try to log into a new openssh machine from an old openssh machine - you cannot do it via Kerberos.
5. Try to log into an old openssh machine from a new openssh machine - you cannot do it via Kerberos.

Actual Results:
Here is part of the error when going from old to new:
5777: Permission denied (gssapi-with-mic,keyboard-interactive).

Here is part of the error when going from new to old:
Permission denied (external-keyx,gssapi,keyboard-interactive).

Expected Results:
You should be able to log in using Kerberos from ssh to ssh.

Additional info:

Correct, the protocol changed (that's why the patch wasn't included before; the protocol wasn't standardized.)
Is there anything I can do for my RHEL 3 admins that are using the older patched openssh? Is there any hope for a patch that will support both gssapi protocols? I know I can always just say "you will move to the new openssh" but even then there is going to be some time during transitions when the two types of machines just won't talk together via ssh.
There are currently no plans for such a patch.
OK, thank you for the response. I've found a couple different places for the patches, so I should be fine.