Jeff Blaine wrote:
> First a question whose answer may negate the rest of the
> message:
>
> Q: Is it possible to configure OpenSSH to allow a user
> coming from host X, with a valid TGT there, to login
> without being asked for a password... without using
> SSH's public key crypto for that password-less auth?

[...]
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
> GSSAPICleanupCredentials yes


Have you enabled GSSAPIAuthentication (and maybe
GSSAPIDelegateCredentials and PreferredAuthentications) in the client?
The former two default to "no" and the latter's default does not have
"gssapi-with-mic".

Try running the client with "ssh -vvv yourserver" and watch to see
if it's attempting "gssapi-with-mic" authentication.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
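
One way to read the "ssh -vvv" output suggested above, as an added example that is not part of the original message: a shell filter that reports how far "gssapi-with-mic" got. The function names and result strings are hypothetical, and the sample debug lines are constructed, modelled on OpenSSH client debug output.

```shell
# Classify `ssh -vvv` debug output (read from stdin) by how far
# gssapi-with-mic authentication got. Against a real host:
#   ssh -vvv yourserver true 2>&1 | gssapi_status
gssapi_status() {
    awk '
        # Server still accepts gssapi-with-mic for this user.
        /Authentications that can continue:.*gssapi-with-mic/ { offered = 1 }
        # Client selected gssapi-with-mic as the method to try.
        /Next authentication method: gssapi-with-mic/ { tried = 1 }
        # Server accepted the GSSAPI exchange.
        /Authentication succeeded \(gssapi-with-mic\)/ { ok = 1 }
        END {
            if (ok)           print "succeeded"
            else if (tried)   print "tried-failed"
            else if (offered) print "offered-not-tried"
            else              print "not-offered"
        }
    '
}

# Constructed sample: server offers GSSAPI, but the client never tries it
# (the situation the reply asks about: client-side options left at "no").
sample_client_disabled() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Next authentication method: password
EOF
}

# Constructed sample: client has GSSAPIAuthentication enabled and a valid TGT.
sample_success() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
EOF
}

sample_client_disabled | gssapi_status
sample_success | gssapi_status
```

"offered-not-tried" points at the client configuration, "not-offered" at the server's sshd_config, and "tried-failed" at the Kerberos side (ticket, host principal, keytab).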