> But that's not happening. Is there any way to tell SSH *not* to use
> Kerberos, but to attempt GSSAPI authentication with other mechanisms? If
> so, how do you do this?
From what I can tell, OpenSSH queries the GSS libraries for what mechanisms exist in the system, and offers to use any in the list. I don't think that OpenSSH provides you any control over which mechanism is selected.
> Or is this not possible at all and you're at the
> mercy of GSSAPI deciding which mechanism it's going to use?
The MIT GSSAPI implementation will load its mechanisms using the files in /etc/gss/mech.d/*.conf. It looks like it loads them in sorted order from that directory, so I suspect that it would work to rename moonshot.conf to aaa_moonshot.conf, or the like.
--Mark
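
Added example, not part of Mark's message: a shell function that lists the mechanism entries of a mech.d-style directory in sorted file-name order, so the effect of a rename such as moonshot.conf to aaa_moonshot.conf can be previewed on a scratch copy. It assumes each non-comment line has the form "name OID shared-object [options]" and that files are sorted byte-wise; the file contents below are constructed samples, and the output shows only enumeration order, not which mechanism OpenSSH ends up using.

```shell
#!/bin/sh
# gss_mech_order DIR
# Print "file<TAB>mechanism<TAB>OID<TAB>library" for every mechanism line
# in DIR/*.conf, in sorted file-name order.
# Assumption: non-comment lines are "name OID shared-object [options]".
gss_mech_order() (
    # Runs in a subshell so the locale change does not leak to the caller.
    # Byte-wise collation keeps the glob order the same on every system.
    LC_ALL=C
    export LC_ALL
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # The "|| [ -n ... ]" part picks up a last line without a newline.
        while read -r name oid lib rest || [ -n "$name" ]; do
            case $name in
                ''|'#'*) continue ;;   # skip blank lines and comments
            esac
            printf '%s\t%s\t%s\t%s\n' "${f##*/}" "$name" "$oid" "$lib"
        done < "$f"
    done
)

# Demonstration on a scratch directory (constructed sample files, not
# copied from any real system).
demo() (
    d=$(mktemp -d) || exit 1
    printf '# constructed sample\nexample-mech 1.2.3.4.5 mech_example.so\n' \
        > "$d/example.conf"
    printf 'eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so\n' \
        > "$d/moonshot.conf"
    echo "before rename:"
    gss_mech_order "$d"
    mv "$d/moonshot.conf" "$d/aaa_moonshot.conf"
    echo "after rename:"
    gss_mech_order "$d"
    rm -rf "$d"
)
demo
```

To inspect a real system without changing it, run `gss_mech_order /etc/gss/mech.d`.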