Subject: Re: rfc2228 in ftpd
To: None <lucio@proxima.alt.za>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: tech-userlevel
Date: 06/25/2002 00:37:22
>> One of the most annoying things about GSSAPI for SSHv2 is the occasional
>> rekeying that the SSHv2 transport does.  What happens is that the user's
>> ticket eventually expires during the login session, a rekey is attempted,
>> and the session is killed because the rekey failed due to expired ticket.
>> Now, while this may be strictly correct ("of course the session should
>> die once the ticket expires!"), it is different from every other login
>> mechanism that uses Kerberos that I am aware of.
>> 
>I'm jumping in here, late, and with no regard to any message that may
>have followed this.  Wouldn't this particular problem be resolved by
>following the DHCP lease renewal rules: apply for a new lease half way
>to expiry?

Sadly, no.  The issue is that one's _Kerberos_ tickets are going to expire,
not the SSH rekey.  And there's not an easy way to reprompt for those
when using the GSSAPI.

--Ken