diff --git a/Makefile.in b/Makefile.in

index bbc3034..c9891e0 100644

--- a/Makefile.in

+++ b/Makefile.in

@@ -87,6 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \

 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \

 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \

 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \

+	kexgssc.o \

 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \

 	ssh-pkcs11.o krl.o smult_curve25519_ref.o \

 	kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \

@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \

 	auth2-none.o auth2-passwd.o auth2-pubkey.o \

 	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \

 	kexc25519s.o auth-krb5.o \

-	auth2-gss.o gss-serv.o gss-serv-krb5.o \

+	auth2-gss.o gss-serv.o gss-serv-krb5.o  kexgsss.o \

 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \

 	sftp-server.o sftp-common.o \

 	roaming_common.o roaming_serv.o \

diff --git a/auth2-gss.c b/auth2-gss.c

index 4803e7e..222e3e0 100644

--- a/auth2-gss.c

+++ b/auth2-gss.c

@@ -31,6 +31,7 @@

 #include <sys/types.h>

 #include <stdarg.h>

+#include <string.h>

 #include "xmalloc.h"

 #include "key.h"

@@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);

 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);

 static void input_gssapi_errtok(int, u_int32_t, void *);

+/* 

+ * The 'gssapi_keyex' userauth mechanism.

+ */

+static int

+userauth_gsskeyex(Authctxt *authctxt)

+{

+	int authenticated = 0;

+	Buffer b;

+	gss_buffer_desc mic, gssbuf;

+	u_int len;

+

+	mic.value = packet_get_string(&len;;

+	mic.length = len;

+

+	packet_check_eom();

+

+	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,

+	    "gssapi-keyex");

+

+	gssbuf.value = buffer_ptr(&b);

+	gssbuf.length = buffer_len(&b);

+

+	/* gss_kex_context is NULL with privsep, so we can't check it here */

+	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 

+	    &gssbuf, &mic))))

+		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,

+		    authctxt->pw));

+	

+	buffer_free(&b);

+	free(mic.value);

+

+	return (authenticated);

+}

+

 /*

  * We only support those mechanisms that we know about (ie ones that we know

  * how to check local user kuserok and the like)

@@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)

 	packet_check_eom();

-	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

+	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,

+	    authctxt->pw));

 	authctxt->postponed = 0;

 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);

@@ -278,7 +313,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)

 	gssbuf.length = buffer_len(&b);

 	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))

-		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

+		authenticated = 

+		    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));

 	else

 		logit("GSSAPI MIC check failed");

@@ -295,6 +331,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)

 	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);

 }

+Authmethod method_gsskeyex = {

+	"gssapi-keyex",

+	userauth_gsskeyex,

+	&options.gss_authentication

+};

+

 Authmethod method_gssapi = {

 	"gssapi-with-mic",

 	userauth_gssapi,

diff --git a/auth2.c b/auth2.c

index d6fbc93..124d02b 100644

--- a/auth2.c

+++ b/auth2.c

@@ -70,6 +70,7 @@ extern Authmethod method_passwd;

 extern Authmethod method_kbdint;

 extern Authmethod method_hostbased;

 #ifdef GSSAPI

+extern Authmethod method_gsskeyex;

 extern Authmethod method_gssapi;

 #endif

@@ -77,6 +78,7 @@ Authmethod *authmethods[] = {

 	&method_none,

 	&method_pubkey,

 #ifdef GSSAPI

+	&method_gsskeyex,

 	&method_gssapi,

 #endif

 	&method_passwd,

diff --git a/clientloop.c b/clientloop.c

index 397c965..20ce0b5 100644

--- a/clientloop.c

+++ b/clientloop.c

@@ -111,6 +111,10 @@

 #include "msg.h"

 #include "roaming.h"

+#ifdef GSSAPI

+#include "ssh-gss.h"

+#endif

+

 /* import options */

 extern Options options;

@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)

 		/* Do channel operations unless rekeying in progress. */

 		if (!rekeying) {

 			channel_after_select(readset, writeset);

+

+#ifdef GSSAPI

+			if (options.gss_renewal_rekey &&

+			    ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {

+				debug("credentials updated - forcing rekey");

+				need_rekeying = 1;

+			}

+#endif

+

 			if (need_rekeying || packet_need_rekeying()) {

 				debug("need rekeying");

 				xxx_kex->done = 0;

diff --git a/configure.ac b/configure.ac

index 8dedb95..2c4adac 100644

--- a/configure.ac

+++ b/configure.ac

@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))

 	    [Use tunnel device compatibility to OpenBSD])

 	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],

 	    [Prepend the address family to IP tunnel traffic])

+	AC_MSG_CHECKING(if we have the Security Authorization Session API)

+	AC_TRY_COMPILE([#include <Security/AuthSession.h>],

+		[SessionCreate(0, 0);],

+		[ac_cv_use_security_session_api="yes"

+		 AC_DEFINE(USE_SECURITY_SESSION_API, 1, 

+			[platform has the Security Authorization Session API])

+		 LIBS="$LIBS -framework Security"

+		 AC_MSG_RESULT(yes)],

+		[ac_cv_use_security_session_api="no"

+		 AC_MSG_RESULT(no)])

+	AC_MSG_CHECKING(if we have an in-memory credentials cache)

+	AC_TRY_COMPILE(

+		[#include <Kerberos/Kerberos.h>],

+		[cc_context_t c;

+		 (void) cc_initialize (&c, 0, NULL, NULL);],

+		[AC_DEFINE(USE_CCAPI, 1, 

+			[platform uses an in-memory credentials cache])

+		 LIBS="$LIBS -framework Security"

+		 AC_MSG_RESULT(yes)

+		 if test "x$ac_cv_use_security_session_api" = "xno"; then

+			AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***)

+		fi],

+		[AC_MSG_RESULT(no)]

+	)

 	m4_pattern_allow([AU_IPv])

 	AC_CHECK_DECL([AU_IPv4], [], 

 	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])

diff --git a/gss-genr.c b/gss-genr.c

index b39281b..a3a2289 100644

--- a/gss-genr.c

+++ b/gss-genr.c

@@ -39,12 +39,167 @@

 #include "buffer.h"

 #include "log.h"

 #include "ssh2.h"

+#include "cipher.h"

+#include "key.h"

+#include "kex.h"

+#include <openssl/evp.h>

 #include "ssh-gss.h"

 extern u_char *session_id2;

 extern u_int session_id2_len;

+typedef struct {

+	char *encoded;

+	gss_OID oid;

+} ssh_gss_kex_mapping;

+

+/*

+ * XXX - It would be nice to find a more elegant way of handling the

+ * XXX   passing of the key exchange context to the userauth routines

+ */

+

+Gssctxt *gss_kex_context = NULL;

+

+static ssh_gss_kex_mapping *gss_enc2oid = NULL;

+

+int 

+ssh_gssapi_oid_table_ok() {

+	return (gss_enc2oid != NULL);

+}

+

+/*

+ * Return a list of the gss-group1-sha1 mechanisms supported by this program

+ *

+ * We test mechanisms to ensure that we can use them, to avoid starting

+ * a key exchange with a bad mechanism

+ */

+

+char *

+ssh_gssapi_client_mechanisms(const char *host, const char *client) {

+	gss_OID_set gss_supported;

+	OM_uint32 min_status;

+

+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))

+		return NULL;

+

+	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,

+	    host, client));

+}

+

+char *

+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,

+    const char *host, const char *client) {

+	Buffer buf;

+	size_t i;

+	int oidpos, enclen;

+	char *mechs, *encoded;

+	u_char digest[EVP_MAX_MD_SIZE];

+	char deroid[2];

+	const EVP_MD *evp_md = EVP_md5();

+	EVP_MD_CTX md;

+

+	if (gss_enc2oid != NULL) {

+		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)

+			free(gss_enc2oid[i].encoded);

+		free(gss_enc2oid);

+	}

+

+	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *

+	    (gss_supported->count + 1));

+

+	buffer_init(&buf;;

+

+	oidpos = 0;

+	for (i = 0; i < gss_supported->count; i++) {

+		if (gss_supported->elements[i].length < 128 &&

+		    (*check)(NULL, &(gss_supported->elements[i]), host, client)) {

+

+			deroid[0] = SSH_GSS_OIDTYPE;

+			deroid[1] = gss_supported->elements[i].length;

+

+			EVP_DigestInit(&md, evp_md);

+			EVP_DigestUpdate(&md, deroid, 2);

+			EVP_DigestUpdate(&md,

+			    gss_supported->elements[i].elements,

+			    gss_supported->elements[i].length);

+			EVP_DigestFinal(&md, digest, NULL);

+

+			encoded = xmalloc(EVP_MD_size(evp_md) * 2);

+			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),

+			    encoded, EVP_MD_size(evp_md) * 2);

+

+			if (oidpos != 0)

+				buffer_put_char(&buf, ',');

+

+			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,

+			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 

+			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,

+			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+

+			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);

+			gss_enc2oid[oidpos].encoded = encoded;

+			oidpos++;

+		}

+	}

+	gss_enc2oid[oidpos].oid = NULL;

+	gss_enc2oid[oidpos].encoded = NULL;

+

+	buffer_put_char(&buf, '\0');

+

+	mechs = xmalloc(buffer_len(&buf));

+	buffer_get(&buf, mechs, buffer_len(&buf));

+	buffer_free(&buf;;

+

+	if (strlen(mechs) == 0) {

+		free(mechs);

+		mechs = NULL;

+	}

+	

+	return (mechs);

+}

+

+gss_OID

+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {

+	int i = 0;

+	

+	switch (kex_type) {

+	case KEX_GSS_GRP1_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GRP14_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GEX_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;

+		break;

+	default:

+		return GSS_C_NO_OID;

+	}

+

+	while (gss_enc2oid[i].encoded != NULL &&

+	    strcmp(name, gss_enc2oid[i].encoded) != 0)

+		i++;

+

+	if (gss_enc2oid[i].oid != NULL && ctx != NULL)

+		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);

+

+	return gss_enc2oid[i].oid;

+}

+

 /* Check that the OID in a data stream matches that in the context */

 int

 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)

@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,

 	}

 	ctx->major = gss_init_sec_context(&ctx->minor,

-	    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,

+	    ctx->client_creds, &ctx->context, ctx->name, ctx->oid,

 	    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,

 	    0, NULL, recv_tok, NULL, send_tok, flags, NULL);

@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)

 }

 OM_uint32

+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)

+{

+	gss_buffer_desc gssbuf;

+	gss_name_t gssname;

+	OM_uint32 status;

+	gss_OID_set oidset;

+

+	gssbuf.value = (void *) name;

+	gssbuf.length = strlen(gssbuf.value);

+

+	gss_create_empty_oid_set(&status, &oidset);

+	gss_add_oid_set_member(&status, ctx->oid, &oidset);

+

+	ctx->major = gss_import_name(&ctx->minor, &gssbuf,

+	    GSS_C_NT_USER_NAME, &gssname);

+

+	if (!ctx->major)

+		ctx->major = gss_acquire_cred(&ctx->minor, 

+		    gssname, 0, oidset, GSS_C_INITIATE, 

+		    &ctx->client_creds, NULL, NULL);

+

+	gss_release_name(&status, &gssname);

+	gss_release_oid_set(&status, &oidset);

+

+	if (ctx->major)

+		ssh_gssapi_error(ctx);

+

+	return(ctx->major);

+}

+

+OM_uint32

 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)

 {

+	if (ctx == NULL) 

+		return -1;

+

 	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,

 	    GSS_C_QOP_DEFAULT, buffer, hash)))

 		ssh_gssapi_error(ctx);

@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)

 	return (ctx->major);

 }

+/* Priviledged when used by server */

+OM_uint32

+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)

+{

+	if (ctx == NULL)

+		return -1;

+

+	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,

+	    gssbuf, gssmic, NULL);

+

+	return (ctx->major);

+}

+

 void

 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,

     const char *context)

@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,

 }

 int

-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)

+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, 

+    const char *client)

 {

 	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;

 	OM_uint32 major, minor;

 	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};

+	Gssctxt *intctx = NULL;

+

+	if (ctx == NULL)

+		ctx = &intct;;

 	/* RFC 4462 says we MUST NOT do SPNEGO */

 	if (oid->length == spnego_oid.length && 

@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)

 	ssh_gssapi_build_ctx(ctx);

 	ssh_gssapi_set_oid(*ctx, oid);

 	major = ssh_gssapi_import_name(*ctx, host);

+

+	if (!GSS_ERROR(major) && client)

+		major = ssh_gssapi_client_identity(*ctx, client);

+

 	if (!GSS_ERROR(major)) {

 		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 

 		    NULL);

@@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)

 			    GSS_C_NO_BUFFER);

 	}

-	if (GSS_ERROR(major)) 

+	if (GSS_ERROR(major) || intctx != NULL) 

 		ssh_gssapi_delete_ctx(ctx);

 	return (!GSS_ERROR(major));

 }

+int

+ssh_gssapi_credentials_updated(Gssctxt *ctxt) {

+	static gss_name_t saved_name = GSS_C_NO_NAME;

+	static OM_uint32 saved_lifetime = 0;

+	static gss_OID saved_mech = GSS_C_NO_OID;

+	static gss_name_t name;

+	static OM_uint32 last_call = 0;

+	OM_uint32 lifetime, now, major, minor;

+	int equal;

+	

+	now = time(NULL);

+

+	if (ctxt) {

+		debug("Rekey has happened - updating saved versions");

+

+		if (saved_name != GSS_C_NO_NAME)

+			gss_release_name(&minor, &saved_name);

+

+		major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,

+		    &saved_name, &saved_lifetime, NULL, NULL);

+

+		if (!GSS_ERROR(major)) {

+			saved_mech = ctxt->oid;

+		        saved_lifetime+= now;

+		} else {

+			/* Handle the error */

+		}

+		return 0;

+	}

+

+	if (now - last_call < 10)

+		return 0;

+

+	last_call = now;

+

+	if (saved_mech == GSS_C_NO_OID)

+		return 0;

+	

+	major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, 

+	    &name, &lifetime, NULL, NULL);

+	if (major == GSS_S_CREDENTIALS_EXPIRED)

+		return 0;

+	else if (GSS_ERROR(major))

+		return 0;

+

+	major = gss_compare_name(&minor, saved_name, name, &equal);

+	gss_release_name(&minor, &name);

+	if (GSS_ERROR(major))

+		return 0;

+

+	if (equal && (saved_lifetime < lifetime + now - 10))

+		return 1;

+

+	return 0;

+}

+

 #endif /* GSSAPI */

diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c

index 795992d..413b845 100644

--- a/gss-serv-krb5.c

+++ b/gss-serv-krb5.c

@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)

 	krb5_error_code problem;

 	krb5_principal princ;

 	OM_uint32 maj_status, min_status;

-	int len;

+	const char *new_ccname, *new_cctype;

 	const char *errmsg;

 	if (client->creds == NULL) {

@@ -181,11 +181,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)

 		return;

 	}

-	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));

+	new_cctype = krb5_cc_get_type(krb_context, ccache);

+	new_ccname = krb5_cc_get_name(krb_context, ccache);

+

 	client->store.envvar = "KRB5CCNAME";

-	len = strlen(client->store.filename) + 6;

-	client->store.envval = xmalloc(len);

-	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);

+#ifdef USE_CCAPI

+	xasprintf(&client->store.envval, "API:%s", new_ccname);

+	client->store.filename = NULL;

+#else

+	if (new_ccname[0] == ':')

+		new_ccname++;

+	xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);

+	if (strcmp(new_cctype, "DIR") == 0) {

+		char *p;

+		p = strrchr(client->store.envval, '/');

+		if (p)

+			*p = '\0';

+	}

+	if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))

+		client->store.filename = xstrdup(new_ccname);

+#endif

 #ifdef USE_PAM

 	if (options.use_pam)

@@ -194,9 +209,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)

 	krb5_cc_close(krb_context, ccache);

+	client->store.data = krb_context;

+

 	return;

 }

+int

+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, 

+    ssh_gssapi_client *client)

+{

+	krb5_ccache ccache = NULL;

+	krb5_principal principal = NULL;

+	char *name = NULL;

+	krb5_error_code problem;

+	OM_uint32 maj_status, min_status;

+

+   	if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {

+                logit("krb5_cc_resolve(): %.100s",

+                    krb5_get_err_text(krb_context, problem));

+                return 0;

+       	}

+	

+	/* Find out who the principal in this cache is */

+	if ((problem = krb5_cc_get_principal(krb_context, ccache, 

+	    &principal))) {

+		logit("krb5_cc_get_principal(): %.100s",

+		    krb5_get_err_text(krb_context, problem));

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+	if ((problem = krb5_unparse_name(krb_context, principal, &name))) {

+		logit("krb5_unparse_name(): %.100s",

+		    krb5_get_err_text(krb_context, problem));

+		krb5_free_principal(krb_context, principal);

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+

+	if (strcmp(name,client->exportedname.value)!=0) {

+		debug("Name in local credentials cache differs. Not storing");

+		krb5_free_principal(krb_context, principal);

+		krb5_cc_close(krb_context, ccache);

+		krb5_free_unparsed_name(krb_context, name);

+		return 0;

+	}

+	krb5_free_unparsed_name(krb_context, name);

+

+	/* Name matches, so lets get on with it! */

+

+	if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {

+		logit("krb5_cc_initialize(): %.100s",

+		    krb5_get_err_text(krb_context, problem));

+		krb5_free_principal(krb_context, principal);

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+	krb5_free_principal(krb_context, principal);

+

+	if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,

+	    ccache))) {

+		logit("gss_krb5_copy_ccache() failed. Sorry!");

+		krb5_cc_close(krb_context, ccache);

+		return 0;

+	}

+

+	return 1;

+}

+

 ssh_gssapi_mech gssapi_kerberos_mech = {

 	"toWM5Slw5Ew8Mqkay+al2g==",

 	"Kerberos",

@@ -204,7 +286,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {

 	NULL,

 	&ssh_gssapi_krb5_userok,

 	NULL,

-	&ssh_gssapi_krb5_storecreds

+	&ssh_gssapi_krb5_storecreds,

+	&ssh_gssapi_krb5_updatecreds

 };

 #endif /* KRB5 */

diff --git a/gss-serv.c b/gss-serv.c

index 5c59924..2289e8e 100644

--- a/gss-serv.c

+++ b/gss-serv.c

@@ -45,15 +45,20 @@

 #include "channels.h"

 #include "session.h"

 #include "misc.h"

+#include "servconf.h"

+#include "uidswap.h"

 #include "ssh-gss.h"

+#include "monitor_wrap.h"

+

+extern ServerOptions options;

 static ssh_gssapi_client gssapi_client =

     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,

-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};

+    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,  NULL, {NULL, NULL, NULL}, 0, 0};

 ssh_gssapi_mech gssapi_null_mech =

-    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};

+    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};

 #ifdef KRB5

 extern ssh_gssapi_mech gssapi_kerberos_mech;

@@ -100,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)

 	char lname[NI_MAXHOST];

 	gss_OID_set oidset;

-	gss_create_empty_oid_set(&status, &oidset);

-	gss_add_oid_set_member(&status, ctx->oid, &oidset);

+	if (options.gss_strict_acceptor) {

+		gss_create_empty_oid_set(&status, &oidset);

+		gss_add_oid_set_member(&status, ctx->oid, &oidset);

-	if (gethostname(lname, sizeof(lname))) {

-		gss_release_oid_set(&status, &oidset);

-		return (-1);

-	}

+		if (gethostname(lname, sizeof(lname))) {

+			gss_release_oid_set(&status, &oidset);

+			return (-1);

+		}

+	

+		if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {

+			gss_release_oid_set(&status, &oidset);

+			return (ctx->major);

+		}

+	

+		if ((ctx->major = gss_acquire_cred(&ctx->minor,

+		    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))

+			ssh_gssapi_error(ctx);

-	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {

 		gss_release_oid_set(&status, &oidset);

 		return (ctx->major);

-	}

-

-	if ((ctx->major = gss_acquire_cred(&ctx->minor,

-	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))

-		ssh_gssapi_error(ctx);

+	} else {

+		ctx->name = GSS_C_NO_NAME;

+		ctx->creds = GSS_C_NO_CREDENTIAL;

+		return GSS_S_COMPLETE;

+ 	}

-	gss_release_oid_set(&status, &oidset);

-	return (ctx->major);

 }

 /* Privileged */

@@ -133,6 +145,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)

 }

 /* Unprivileged */

+char *

+ssh_gssapi_server_mechanisms() {

+	gss_OID_set	supported;

+

+	ssh_gssapi_supported_oids(&supported);

+	return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,

+	    NULL, NULL));

+}

+

+/* Unprivileged */

+int

+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data,

+    const char *dummy) {

+	Gssctxt *ctx = NULL;

+	int res;

+ 

+	res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));

+	ssh_gssapi_delete_ctx(&ctx;;

+

+	return (res);

+}

+

+/* Unprivileged */

 void

 ssh_gssapi_supported_oids(gss_OID_set *oidset)

 {

@@ -142,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)

 	gss_OID_set supported;

 	gss_create_empty_oid_set(&min_status, oidset);

-	gss_indicate_mechs(&min_status, &supported);

+

+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))

+		return;

 	while (supported_mechs[i]->name != NULL) {

 		if (GSS_ERROR(gss_test_oid_set_member(&min_status,

@@ -268,8 +305,48 @@ OM_uint32

 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)

 {

 	int i = 0;

+	int equal = 0;

+	gss_name_t new_name = GSS_C_NO_NAME;

+	gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;

+

+	if (options.gss_store_rekey && client->used && ctx->client_creds) {

+		if (client->mech->oid.length != ctx->oid->length ||

+		    (memcmp(client->mech->oid.elements,

+		     ctx->oid->elements, ctx->oid->length) !=0)) {

+			debug("Rekeyed credentials have different mechanism");

+			return GSS_S_COMPLETE;

+		}

+

+		if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor, 

+		    ctx->client_creds, ctx->oid, &new_name, 

+		    NULL, NULL, NULL))) {

+			ssh_gssapi_error(ctx);

+			return (ctx->major);

+		}

+

+		ctx->major = gss_compare_name(&ctx->minor, client->name, 

+		    new_name, &equal);

+

+		if (GSS_ERROR(ctx->major)) {

+			ssh_gssapi_error(ctx);

+			return (ctx->major);

+		}

+ 

+		if (!equal) {

+			debug("Rekeyed credentials have different name");

+			return GSS_S_COMPLETE;

+		}

+

+		debug("Marking rekeyed credentials for export");

-	gss_buffer_desc ename;

+		gss_release_name(&ctx->minor, &client->name);

+		gss_release_cred(&ctx->minor, &client->creds);

+		client->name = new_name;

+		client->creds = ctx->client_creds;

+        	ctx->client_creds = GSS_C_NO_CREDENTIAL;

+		client->updated = 1;

+		return GSS_S_COMPLETE;

+	}

 	client->mech = NULL;

@@ -284,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)

 	if (client->mech == NULL)

 		return GSS_S_FAILURE;

+	if (ctx->client_creds &&

+	    (ctx->major = gss_inquire_cred_by_mech(&ctx->minor,

+	     ctx->client_creds, ctx->oid, &client->name, NULL, NULL, NULL))) {

+		ssh_gssapi_error(ctx);

+		return (ctx->major);

+	}

+

 	if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,

 	    &client->displayname, NULL))) {

 		ssh_gssapi_error(ctx);

@@ -301,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)

 		return (ctx->major);

 	}

+	gss_release_buffer(&ctx->minor, &ename);

+

 	/* We can't copy this structure, so we just move the pointer to it */

 	client->creds = ctx->client_creds;

 	ctx->client_creds = GSS_C_NO_CREDENTIAL;

@@ -311,11 +397,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)

 void

 ssh_gssapi_cleanup_creds(void)

 {

-	if (gssapi_client.store.filename != NULL) {

-		/* Unlink probably isn't sufficient */

-		debug("removing gssapi cred file\"%s\"",

-		    gssapi_client.store.filename);

-		unlink(gssapi_client.store.filename);

+	krb5_ccache ccache = NULL;

+	krb5_error_code problem;

+

+	if (gssapi_client.store.data != NULL) {

+		if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {

+			debug("%s: krb5_cc_resolve(): %.100s", __func__,

+				krb5_get_err_text(gssapi_client.store.data, problem));

+		} else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {

+			debug("%s: krb5_cc_resolve(): %.100s", __func__,

+				krb5_get_err_text(gssapi_client.store.data, problem));

+		} else {

+			krb5_free_context(gssapi_client.store.data);

+			gssapi_client.store.data = NULL;

+		}

 	}

 }