Hello all.

First a question whose answer may negate the rest of the
message:

Q: Is it possible to configure OpenSSH to allow a user
   coming from host X, with a valid TGT there, to log in
   without being asked for a password... without using
   SSH's public key crypto for that password-less auth?

That is, I want OpenSSH authentication to be based on
the presence of a valid Kerberos 5 TGT incoming.  This
can be seen in action when using MIT Kerberos' telnet
-a -F and telnetd.

Assuming the answer to that is "Yes, that is reasonable
and doable", I am having one hell of a time getting it
to happen.

I have:

0.  A Kerberos 5 realm up and working fine.  It is a
    single testbed machine acting as KDC, application
    server, and client host to itself.

1.  OpenSSH 4.3p2 built successfully
        --with-ssl-dir=/export/home
        --with-kerberos5=/export/home/krb5
        --with-pam

2.  sshd from above functioning generally fine

3.  sshd_config with (varies...):

        LoginGraceTime 1m
        PermitRootLogin no
        StrictModes yes
        MaxAuthTries 6
        RSAAuthentication no
        PubkeyAuthentication no
        AuthorizedKeysFile      .ssh/authorized_keys
        RhostsRSAAuthentication no
        HostbasedAuthentication no
        IgnoreUserKnownHosts no
        IgnoreRhosts yes
        PasswordAuthentication no
        PermitEmptyPasswords no
        ChallengeResponseAuthentication no
        KerberosAuthentication yes
        KerberosOrLocalPasswd yes
        KerberosTicketCleanup yes
        GSSAPIAuthentication yes
        GSSAPIKeyExchange yes
        GSSAPICleanupCredentials yes
        UsePrivilegeSeparation yes
        Subsystem       sftp    /export/home/libexec/sftp-server

4.  A *recompiled* sshd which includes many calls to
    debug() in auth-krb5.c (it comes with ~1 debug() call
    as-is).

5.  sshd -d shows *zero* sign of *my* debug() calls being made
    after very necessary and simple krb5 init calls, but I do
    see "debug1: krb5_cleanup_proc called" when I exit my
    successful shell (requires password...).

6.  The only way I can get *any* form of connection right
    now with sshd is to set PasswordAuthentication to 'yes'
    (it says no above from when I was testing).  This at
    least asks me for a password, lets me in, and sets me
    up with my TGT in the new shell.

7.  I have tried all manner of sshd_config options I can
    think of that make any sense to me.
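The following is an added example for readers of this thread, not code from the poster. It takes a constructed sshd_config fragment modelled on the one above and reports the settings that decide whether a valid TGT alone can satisfy sshd. Two facts it relies on: sshd uses the first value it reads for a keyword (a later duplicate line is ignored), and ticket-based login is the gssapi-with-mic method enabled by GSSAPIAuthentication, while KerberosAuthentication only controls whether a typed password is checked against the KDC. The parser assumes the "keyword value" form separated by whitespace; the function names and the sample file are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): show the effective values of the
# sshd_config keywords that matter for Kerberos-ticket login, applying sshd's
# first-match rule, and say whether the gssapi-with-mic method is enabled.

# Constructed sample config, modelled on the poster's fragment.  The trailing
# duplicate is there to show that sshd keeps the FIRST value it reads.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
PasswordAuthentication no
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# a later duplicate that sshd would ignore
GSSAPIAuthentication no
EOF

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD (keywords are case-insensitive,
# comments and blank lines are skipped, first match wins); prints nothing if
# the keyword is absent.  Assumes "keyword value" separated by whitespace.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { if (tolower($1) == key) { print $2; exit } }
    ' "$1"
}

# ticket_login_possible FILE
# Prints "yes" when the config enables the gssapi-with-mic method, which is
# the one a valid TGT satisfies without a password; otherwise "no".
# KerberosAuthentication is deliberately not consulted: it only governs
# verification of a typed password against the KDC.
ticket_login_possible() {
    if [ "$(effective_value "$1" GSSAPIAuthentication)" = "yes" ]; then
        echo yes
    else
        echo no
    fi
}

# summarize FILE
# One line per keyword of interest plus the overall verdict, for quick review.
summarize() {
    for key in GSSAPIAuthentication GSSAPICleanupCredentials \
               KerberosAuthentication PasswordAuthentication; do
        printf '%-28s %s\n' "$key" "$(effective_value "$1" "$key")"
    done
    printf '%-28s %s\n' "ticket-only login possible" "$(ticket_login_possible "$1")"
}

summarize "$SAMPLE_CONFIG"
```

Run the script as-is to see the summary for the built-in sample, or point `summarize` at a real sshd_config. With `PasswordAuthentication no` and `GSSAPIAuthentication yes`, the verdict is "yes": a client that presents a ticket for the host's service principal can log in, and a client without one is refused rather than prompted.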
