These rpm's are RedHat's rpm's, recompiled with the kerberos gssapi patch installed. This makes them compatible with Fermi's kerberized openssh.

openssh-3.6.1p2-33.30.1gss.i386.rpm
openssh-askpass-3.6.1p2-33.30.1gss.i386.rpm
openssh-askpass-gnome-3.6.1p2-33.30.1gss.i386.rpm
openssh-clients-3.6.1p2-33.30.1gss.i386.rpm
openssh-debuginfo-3.6.1p2-33.30.1gss.i386.rpm
openssh-server-3.6.1p2-33.30.1gss.i386.rpm

No extra configuration is needed if you are only using the openssh-client.

openssh-server

If you are planning on using the above openssh-server in kerberized mode then you will need to
1) edit your /etc/ssh/sshd_config,
2) create a /etc/krb5.keytab,
3) run authconfig and select kerberos
4) edit /etc/pam.d/system-auth after running authconfig

---
1) The following settings in /etc/ssh/sshd_config will allow only kerberized incoming sessions
----------------
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
KerberosTgtPassing yes
X11Forwarding yes
UsePrivilegeSeparation no
Subsystem sftp /usr/local/libexec/sftp-server
GssapiAuthentication yes
GssapiKeyExchange yes
GssapiUseSessionCredcache yes
GssapiCleanupCreds yes
------------------
---
2) Follow your site's instructions for creating a krb5.keytab
---
3) Pretty self explanatory. Run /usr/sbin/authconfig and on the second screen select kerberos.
---
4) After you run authconfig and set things up for kerberos, you are going to find a line in /etc/pam.d/system-auth that looks like

account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5afs.so

You need to delete the whole line. This is an extra line of security beyond the authentication. This extra authentication can cause false negatives and lock people out of accounts when they have valid credentials. It has been analyzed at Fermilab and ruled that this extra authentication is not needed.
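
One way to check a host against steps 1 and 4 after editing, as an added example that is not part of the original page or of Fermilab's tooling. The function names (sshd_value, check_kerberized, write_samples) and the sample files are constructed for illustration, and the check assumes each setting is written out explicitly in sshd_config.

```shell
# Step 1 settings that restrict sshd to kerberized logins (taken from the page).
REQUIRED='RSAAuthentication=no PubkeyAuthentication=no PasswordAuthentication=no
KerberosAuthentication=yes KerberosOrLocalPasswd=no
GssapiAuthentication=yes GssapiKeyExchange=yes'

# Value sshd uses for keyword $2 in file $1 (first match wins, case-insensitive).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Hypothetical helper: report each deviation; return 0 only if both files match.
check_kerberized() {
    conf=$1; pam=$2; bad=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$conf: $key is '${got:-unset}', expected '$want'"
            bad=1
        fi
    done
    # Step 4: the account line that calls pam_krb5afs.so must have been deleted.
    if grep -Eq '^[[:space:]]*account[[:space:]].*pam_krb5afs\.so' "$pam"; then
        echo "$pam: account line for pam_krb5afs.so is still present"
        bad=1
    fi
    return "$bad"
}

# Constructed sample files: password logins left on, step 4 line not deleted.
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
RSAAuthentication no
PubkeyAuthentication no
#PasswordAuthentication no
PasswordAuthentication yes
KerberosAuthentication yes
KerberosOrLocalPasswd no
GssapiAuthentication yes
GssapiKeyExchange yes
EOF
    cat > "$1/system-auth" <<'EOF'
auth     sufficient  /lib/security/$ISA/pam_krb5afs.so use_first_pass
account  [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5afs.so
EOF
}
dir=$(mktemp -d) && write_samples "$dir"
check_kerberized "$dir/sshd_config" "$dir/system-auth" || echo "not kerberized-only"
rm -rf "$dir"
```

On a real host, pass /etc/ssh/sshd_config and /etc/pam.d/system-auth as the two arguments.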
-----------
These rpm's were provided by Fermilab.