Hello all.

First a question whose answer may negate the rest of the

Q: Is it possible to configure OpenSSH to allow a user
coming from host X, with a valid TGT there, to log in
without being asked for a password... without using
SSH's public key crypto for that password-less auth?

That is, I want OpenSSH authentication to be based on
the presence of a valid Kerberos 5 TGT incoming. This
can be seen in action when using MIT Kerberos' telnet
-a -F and telnetd.

Assuming the answer to that is, "Yes, that is reasonable
and doable.", I am having one hell of a time getting it
to happen.

I have:

0. A Kerberos 5 realm up and working fine. It is a
single testbed machine acting as KDC, application
server, and client host to itself.

1. OpenSSH 4.3p2 built successfully

2. sshd from above functioning generally fine

3. sshd_config with (varies...):

LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
RSAAuthentication no
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
UsePrivilegeSeparation yes
Subsystem sftp /export/home/libexec/sftp-server

4. A *recompiled* sshd which includes many calls to
debug() in auth-krb5.c (it comes with ~1 debug() call

5. sshd -d shows *zero* sign of *my* debug() calls being made
after very necessary and simple krb5 init calls, but I do
see "debug1: krb5_cleanup_proc called" when I exit my
successful shell (requires password...).

6. The only way I can get *any* form of connection right
now with sshd is to set PasswordAuthentication to 'yes'
(it says no above from when I was testing). This at
least asks me for a password, lets me in, and sets me
up with my TGT in the new shell.

7. I have tried all manner of sshd_config options I can
think of that make any sense to me.
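
An added example, not part of the original post: a small Python check that reads the authentication switches posted above and lists which SSH userauth methods sshd would still accept. It relies on the sshd_config(5) definition of KerberosAuthentication (validating a password typed for PasswordAuthentication against the KDC). The helper names are hypothetical, and the defaults table assumes stock sshd defaults.

```python
# Added example; parse/offered_methods/kerberos_password_path_reachable are hypothetical helpers.
# Constructed sample: the authentication switches from the sshd_config in the post.
POSTED_CONFIG = """\
PubkeyAuthentication no
HostbasedAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd yes
GSSAPIAuthentication yes
"""

# Assumed stock sshd defaults for the keywords examined (used when a keyword is absent).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "hostbasedauthentication": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "kerberosauthentication": "no",
    "gssapiauthentication": "no",
}

# sshd_config keyword -> SSH userauth method name it switches on.
METHOD_SWITCHES = {
    "pubkeyauthentication": "publickey",
    "hostbasedauthentication": "hostbased",
    "passwordauthentication": "password",
    "challengeresponseauthentication": "keyboard-interactive",
    "gssapiauthentication": "gssapi-with-mic",
}


def parse(text):
    """Return effective {keyword: value}; the first occurrence of a keyword wins."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**DEFAULTS, **seen}


def offered_methods(opts):
    """Userauth methods the server would accept with these settings."""
    return sorted(m for k, m in METHOD_SWITCHES.items() if opts[k] == "yes")


def kerberos_password_path_reachable(opts):
    """KerberosAuthentication only checks a typed password against the KDC,
    so it does nothing unless PasswordAuthentication is also enabled."""
    return opts["kerberosauthentication"] == "yes" and opts["passwordauthentication"] == "yes"
```

With the posted settings the only method left is `gssapi-with-mic`, which the client must also enable (`GSSAPIAuthentication yes` in ssh_config) for a ticket-based login to be attempted.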