On 10/31/2014 01:52 PM, Benjamin Kaduk wrote:
> gssapi-keyex is not a way for the client to authenticate to the server; it
> replaces the normal key exchange step that uses the server's
> ssh_host_{ecdsa,rsa,dsa}_keys.

If memory serves, the gssapi-keyex key exchange actually authenticates both parties to each other. Once you have completed that, you gain access to the gssapi-keyex userauth method, which does basically nothing as the user is already authenticated (much like SASL EXTERNAL). The client could still use a different userauth method to authenticate as someone else, but it generally prefers gssapi-keyex.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos