Thanks Sam and Scott for the consideration/discussion of this patch. Here's an updated patch that adds a GSSAPIRequireMIC sshd_config option to enable the "site policy decision for the server whether or not to permit authentication using GSS-API mechanisms and/or contexts that do not support per-message integrity protection." The default is "yes" to require integrity protection, and our mech_saml_ec implementation currently requires this option to be set to "no". -Jim