diff -u -r -N --exclude configure --exclude config.h.in src.old/Makefile.in src/Makefile.in --- src.old/Makefile.in Fri Aug 22 14:13:31 2003 +++ src/Makefile.in Fri Aug 22 14:13:22 2003 @@ -68,7 +68,7 @@ key.o dispatch.o kex.o mac.o uuencode.o misc.o \ rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ - entropy.o scard-opensc.o + entropy.o scard-opensc.o gss-genr.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o @@ -82,6 +82,7 @@ monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \ kexdhs.o kexgexs.o \ auth-krb5.o auth2-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out diff -u -r -N --exclude configure --exclude config.h.in src.old/acconfig.h src/acconfig.h --- src.old/acconfig.h Fri Aug 22 14:13:28 2003 +++ src/acconfig.h Fri Aug 22 14:13:19 2003 @@ -232,6 +232,9 @@ /* Define if compiler implements __func__ */ #undef HAVE___func__ +/* Define this is you want GSSAPI support in the version 2 protocol */ +#undef GSSAPI + /* Define if you want Kerberos 5 support */ #undef KRB5 diff -u -r -N --exclude configure --exclude config.h.in src.old/configure.ac src/configure.ac --- src.old/configure.ac Fri Aug 22 14:13:30 2003 +++ src/configure.ac Fri Aug 22 14:13:21 2003 @@ -820,6 +820,7 @@ AC_CHECK_LIB(dl, dlopen, , ) AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing])) AC_CHECK_FUNCS(pam_getenvlist) + AC_CHECK_FUNCS(pam_putenv) disable_shadow=yes PAM_MSG="yes" 
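Review bot: The new acconfig.h comment reads `Define this is you want GSSAPI support in the version 2 protocol`; "is" should be "if", and since the configure.ac change only defines GSSAPI when a gss library is actually linked, the comment should say so. I would write it as `/* Define if you want GSSAPI support in the version 2 protocol (set by configure when libgssapi or libgssapi_krb5 is found) */`. This keeps the symbol's meaning next to the other KRB5 feature macros in the same file.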
@@ -1934,6 +1935,31 @@ blibpath="$blibpath:${KRB5ROOT}/lib" fi AC_SEARCH_LIBS(dn_expand, resolv) + + AC_CHECK_LIB(gssapi,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi $K5LIBS" ], + [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, + [ AC_DEFINE(GSSAPI) + K5LIBS="-lgssapi_krb5 $K5LIBS" ], + AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), + $K5LIBS) + ], + $K5LIBS) + + AC_CHECK_HEADER(gssapi.h, , + [ unset ac_cv_header_gssapi_h + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADERS(gssapi.h, , + AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail]) + ) + ] + ) + + oldCPP="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + AC_CHECK_HEADER(gssapi_krb5.h, , + [ CPPFLAGS="$oldCPP" ]) KRB5=yes fi diff -u -r -N --exclude configure --exclude config.h.in src.old/gss-serv-krb5.c src/gss-serv-krb5.c --- src.old/gss-serv-krb5.c Fri Aug 22 14:13:31 2003 +++ src/gss-serv-krb5.c Fri Aug 22 14:13:21 2003 
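Review bot: When neither libgssapi nor libgssapi_krb5 is found the new block only emits `AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail])` and carries on, yet the Makefile.in change in this same patch links gss-genr.o, auth2-gss.o, gss-serv.o and gss-serv-krb5.o unconditionally; a configure that knowingly produces a broken build should stop with `AC_MSG_ERROR` or explicitly disable GSSAPI instead. The gssapi.h fallback also leaves `-I${KRB5ROOT}/include/gssapi` in CPPFLAGS even when the second `AC_CHECK_HEADERS(gssapi.h)` fails, and the following gssapi_krb5.h probe then appends the same -I a second time; restoring CPPFLAGS on failure, as the gssapi_krb5.h branch already does, avoids that. Finally, `AC_CHECK_HEADER(gssapi_krb5.h, , [ CPPFLAGS="$oldCPP" ])` uses the singular macro, so no HAVE_GSSAPI_KRB5_H is defined for the headers to test; `AC_CHECK_HEADERS(gssapi_krb5.h, , [ CPPFLAGS="$oldCPP" ])` would give ssh-gss.h something to guard its include with.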
@@ -113,11 +113,38 @@ if (ssh_gssapi_krb5_init() == 0) return; +#ifdef HEIMDAL if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { logit("krb5_cc_gen_new(): %.100s", krb5_get_err_text(krb_context, problem)); return; } +#else +{ + int tmpfd; + char ccname[40]; + + snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); + + if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) { + logit("mkstemp(): %.100s", strerror(errno)); + problem = errno; + return; + } + if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { + logit("fchmod(): %.100s", strerror(errno)); + close(tmpfd); + problem = errno; + return; + } + close(tmpfd); + if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) { + logit("krb5_cc_resolve(): %.100s", + krb5_get_err_text(krb_context, problem)); + return; + } +} +#endif /* #ifdef HEIMDAL */ if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { diff -u -r -N --exclude configure --exclude config.h.in src.old/makegssname.pl src/makegssname.pl --- src.old/makegssname.pl Wed Dec 31 18:00:00 1969 +++ src/makegssname.pl Fri Aug 22 14:13:22 2003 
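Review bot: In the non-HEIMDAL branch both failure paths log with `strerror(errno)` and only then do `problem = errno;`, so the value stored in `problem` is whatever errno logit() left behind rather than the mkstemp()/fchmod() error; errno should be captured into a local first. The fchmod() and krb5_cc_resolve() failure paths also return with the freshly created, empty 0600 cache file still sitting in /tmp, so it should be unlinked before returning (the `FILE:` prefix has to be skipped as it is for mkstemp). Minor: uid_t is unsigned on common platforms, so `%d` with `geteuid()` can print a negative number for large uids; `%u` with an explicit cast is safer. The enclosing function starts and ends outside this hunk, and I am assuming from the session.c change that this runs under the user's euid, so the unlink is safe to perform here.

```c
	int tmpfd, saved_errno;
	char ccname[40];

	snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%u_XXXXXX",
	    (unsigned int)geteuid());

	if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
		saved_errno = errno;	/* logit() may clobber errno */
		logit("mkstemp(): %.100s", strerror(saved_errno));
		problem = saved_errno;
		return;
	}
	if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
		saved_errno = errno;
		logit("fchmod(): %.100s", strerror(saved_errno));
		close(tmpfd);
		unlink(ccname + strlen("FILE:"));	/* do not leave an empty cache behind */
		problem = saved_errno;
		return;
	}
	close(tmpfd);
	if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
		logit("krb5_cc_resolve(): %.100s",
		    krb5_get_err_text(krb_context, problem));
		unlink(ccname + strlen("FILE:"));
		return;
	}
	/* … unchanged: krb5_parse_name and the rest of the function … */
```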
@@ -0,0 +1,50 @@ +#!/usr/bin/perl + +use Convert::ASN1 qw(:tag); +use Digest::MD5 qw(md5); +use MIME::Base64; +use Data::Dumper; + +$oid=shift; +my $asn=Convert::ASN1->new; +$asn->prepare("oid OBJECT IDENTIFIER"); +$encoded=$asn->encode(oid => $oid); +Convert::ASN1::asn_dump($encoded); +print Dumper($asn->decode($encoded)); + +@entries=unpack("C*",$encoded); + +print "DER representation: "; +foreach $entry (@entries) { + print "\\x"; + printf "%02X",$entry; +} +print "\n"; + +$digest = md5($encoded); +# We only want the first 10 characters; +# Conversations with the authors suggest that we want to use all of the +# characters of the digest. +#$digest = substr($digest,0,10); +print "gsskeyex representation: ",encode_base64($digest),"\n"; + +sub encode_object_id { + $string=""; + + my @data = ($_[0] =~ /(\d+)/g); + + if(@data < 2) { + @data = (0); + } + else { + my $first = $data[1] + ($data[0] * 40); + splice(@data,0,2,$first); + } + +# my $l = length $string; + $string .= pack("cw*", 0, @data); +# substr($string,$l,1) = asn_encode_length(length($string) - $l - 1); + return $string; +} + + diff -u -r -N --exclude configure --exclude config.h.in src.old/session.c src/session.c --- src.old/session.c Fri Aug 22 14:13:34 2003 +++ src/session.c Fri Aug 22 14:13:25 2003 @@ -418,6 +418,12 @@ session_proctitle(s); +#ifdef GSSAPI + temporarily_use_uid(s->pw); + ssh_gssapi_storecreds(); + restore_uid(); +#endif + #if defined(USE_PAM) if (options.use_pam) { do_pam_session(s->pw->pw_name, NULL); @@ -428,12 +434,6 @@ } #endif /* USE_PAM */ -#ifdef GSSAPI - temporarily_use_uid(s->pw); - ssh_gssapi_storecreds(); - restore_uid(); -#endif - /* Fork the child. */ if ((pid = fork()) == 0) { fatal_remove_all_cleanups(); 
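Review bot: makegssname.pl takes the OID straight from `$oid=shift;` with no check, and never looks at whether `$asn->encode(oid => $oid)` succeeded, so running it with no argument or a malformed OID silently prints the MD5 of an empty string as the "gsskeyex representation", which would be a plausible-looking but wrong mechanism name. It also lacks `use strict; use warnings;`, which would have caught the undeclared globals. I would start the script with `use strict; use warnings;`, read the argument as `my $oid = shift @ARGV or die "usage: $0 <mechanism OID>\n";`, and encode with `my $encoded = $asn->encode(oid => $oid) or die "cannot encode OID: " . $asn->error . "\n";`. The `encode_object_id` sub at the bottom is never called and carries commented-out lines, so it should be dropped or the reason for keeping it stated; and the comment "We only want the first 10 characters" contradicts the next sentence and the code, which uses the full digest, so it should simply say that the whole 16-byte digest is encoded.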
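Review bot: The GSSAPI credential store is moved ahead of the USE_PAM block without any comment saying why the order matters, and a later cleanup is likely to move it back. The configure.ac change in this patch adds a `pam_putenv` probe, so the reason is presumably that the credential cache location must exist before the PAM session is opened; I would put that in a comment above `temporarily_use_uid(s->pw);`, along the lines of `/* Store GSSAPI credentials before opening the PAM session so the cache is in place for PAM session modules (see pam_putenv) */`, adjusted to whatever the actual dependency is. The enclosing function starts and ends outside this hunk.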
@@ -553,17 +553,17 @@ ptyfd = s->ptyfd; ttyfd = s->ttyfd; +#ifdef GSSAPI + temporarily_use_uid(s->pw); + ssh_gssapi_storecreds(); + restore_uid(); +#endif + #if defined(USE_PAM) if (options.use_pam) { do_pam_session(s->pw->pw_name, s->tty); do_pam_setcred(1); } -#endif - -#ifdef GSSAPI - temporarily_use_uid(s->pw); - ssh_gssapi_storecreds(); - restore_uid(); #endif /* Fork the child. */ diff -u -r -N --exclude configure --exclude config.h.in src.old/ssh-gss.h src/ssh-gss.h --- src.old/ssh-gss.h Fri Aug 22 14:13:35 2003 +++ src/ssh-gss.h Fri Aug 22 14:13:26 2003 @@ -31,6 +31,18 @@ #include +#ifdef KRB5 +#ifndef HEIMDAL +#include + +/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ +/* It seems to be defined in gssapi_krb5.h -dtucker */ +#ifndef GSS_C_NT_HOSTBASED_SERVICE +#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +#endif /* GSS_C_NT_... */ +#endif /* !HEIMDAL */ +#endif /* KRB5 */ + /* draft-ietf-secsh-gsskeyex-06 */ #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60 #define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61
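Review bot: The three-line `temporarily_use_uid(s->pw); ssh_gssapi_storecreds(); restore_uid();` sequence is now duplicated verbatim, in the same position relative to the PAM calls, in both the pty and no-pty paths of session.c. Since the ordering is evidently significant, a small `static` helper taking the session (with a one-line comment explaining the PAM ordering) would keep the two copies from drifting apart and document the uid switch once. The enclosing function starts and ends outside this hunk.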
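Review bot: The new `#include` under `#ifdef KRB5` / `#ifndef HEIMDAL` (the header name appears to have been lost in rendering; from the configure.ac change it is presumably gssapi_krb5.h) is unconditional, but configure only probes that header with `AC_CHECK_HEADER` and adjusts CPPFLAGS, so an MIT build where the header is missing will fail to compile instead of falling through to the `gss_nt_service_name` fallback that follows. Guarding it with `#ifdef HAVE_GSSAPI_KRB5_H` (once configure uses `AC_CHECK_HEADERS`) makes the fallback reachable. The comment also names `GSS_NT_HOSTBASED_SERVICE` while the macro actually tested and defined is `GSS_C_NT_HOSTBASED_SERVICE`; the two should agree.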