Subject: Re: PAM and OpenSSH
To: Greg Troxel <gdt@ir.bbn.com>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-userlevel
Date: 01/26/2005 09:18:00
On 1106747709 seconds since the Beginning of the UNIX epoch
Greg Troxel wrote:
>

>An ssh client can, rather than sending a username/password to the
>sshd, send a username and a GSSAPI authenticator (or raw krb5, but krb
>culture views that as icky).  The remote sshd checks the authenticator
>against host credentials.  One should also be able to send forwarded
>tickets, and have those be cleaned up on exit.
>
>So a complete ssh implementation will need some GSSAPI code for the
>second case, although perhaps PAM calls can do some of the work.

I am talking about adding back the (icky) krb5 support.  The problem
is that the OpenSSH guys added GSSAPI support and then removed the
krb5 support 3 days later.  No Kerberos shop has a reasonable
upgrade strategy from OpenSSH 3.6.1 -> >=3.7 since they will not
interoperate (this is a little annoying, yes.)

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/