When I did it for SunSSH I was kinda new at standardization and in a hurry, so I did add a gss userok function to the mechglue, but as a private function (__gss_userok()). I was amused just now when i noticed that some open source projects outside Solaris (e.g., dovecot) use it -- proof that it is useful in the mechglue, I suppose! :)

OK, in the users/lhoward/moonshot-mechglue-fixes branch of MIT Kerberos you will find resurrected gss_pname_to_uid() and gss_userok() implementations.

I also made some changes to OpenSSH to use gss_userok() and gss_store_cred(), thereby removing all mechanism-specific code from the acceptor side. This has been tested with the GSS EAP mechanism.

-- Luke