kerberos5 authentication of ssh connections

[Illia Baidakov]

Hello freebsd-security!

What is the best way to authenticate remote ssh users transparantly
without typing the kinit and kdestroy commands?

Using pam_krb5 works satisfactorily for local logins but makes it
crooked for remote ssh ones. The comp.protocols.kerberos and
comp.security.ssh newsgroups and the pam-krb5-users maillist confirm this
assertion.

As far as I understood that using kerberized login.krb5 tool implys
removing (or hiding) native login program and substituting it by the
login.krb5, say as symbolic link, isn't it?

The possibility of selecting one of two or more authentication methods
as in case of pam may be useful say if I need to pass users to
exploiting kerberized applications gradually, and even more that when
I suffering problems with my KDCs or network connections.

IMHO using pam_krb5 for kerberized login is some superfluous.

-- 
Thanks in advance Illia Baidakov.