Hi,

there is a bug in SL5's openssh client which is introduced by Red Hat's
openssh-4.3p2-gssapi-canohost.patch, if you use Kerberos5 authentication in conjunction with the "ProxyCommand" option.

To verify the bug run

    ssh -v -o "ProxyCommand nc %h %p" -o "PasswordAuthentication no" -o "PubkeyAuthentication no" -o "GSSAPIAuthentication yes" $HOST "echo works"

on a host which allows login with a Kerberos5 ticket. On SL5 openssh fails with

    [...]
    debug1: Next authentication method: gssapi-with-mic
    debug1: An invalid name was supplied
    Hostname cannot be canonicalized
    [...]

With a vanilla build of openssh this command succeeds.

The Fedora project already uses a fixed version of the openssh-4.3p2-gssapi-canohost.patch

    http://cvs.fedoraproject.org/viewvc/rpms/openssh/devel/openssh-4.3p2-gssapi-canohost.patch?sortdir=down&view=log

Could you backport the fixed patch to the SL5 openssh packages?

Cheers,
Jörgen Samson
