Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.427 (Entity 5.427)
RT-Send-CC:
X-RT-Original-Encoding: iso-8859-1
Content-Length: 631

For reference:

* Heimdal appears to match our new behavior for gss_acquire_cred with no 
specified mechs (that is, it gets creds for all mechanisms).

* Heimdal supports the "wrong" krb5 mech OID (the one used by Microsoft) 
inside its SPNEGO implementation.  It doesn't return that OID in 
gss_indicate_mechs and it doesn't let applications use that OID.

* Heimdal doesn't appear to have any support for the "old" krb5 mech OID.

Adopting the above behavior would reduce the number of krb5 cred 
acquisition operations for a default gss_acquire_cred from 8 to 4, and 
the number of ssh userauth negotiation attempts from 4 to 2.