> The client should be capable of using any GSSAPI mechanism that you throw of it. In fact, if your library is ABI compatible, you should just be able to change the linker path under an existing binary.
Yes, I didn't require any client changes.
> This is a real pain - its what's led some vendors to disable GSSAPI support out of the box when they ship OpenSSH. However, it's very hard to avoid - how else do you determine what mechanisms you should be offering to the peer? It's even more of an issue with key exchange, where you only get one chance to get it right - you can't perform any form of mechanism fallback once negotiation is complete.
It might work to see which mechanisms you can acquire credentials for.
-- Luke
|