Sam Hartman hartmans at MIT.EDU
Thu Jun 13 00:16:43 EDT 2002

I don't really have time for another round of extended OpenSSH
debugging but I can at least give you success criteria for what you
should expect when you have succeeded: * For protocol version 1, two
implementations both with Kerberos support  can authenticate without a
password.  IN some cases you will be able to forward tickets.

* With ssh version 2, using sxw's patches, you can authenticate using
  GSSAPI key exchange and forward your tickets without a password.
  You will not need to maintain an ssh known_hosts file; you should
  not be asked about adding the host to this file when you first

* If you use a client that does not understand Kerberos, the server
   should optionally accept a Kerberos password, authenticating it
   through PAM or native Kerberos password support and getting you a

These three environments work completely differently and should be
debugged separately.

More information about the Kerberos mailing list