If you don't carefully manage your KRB5CCNAME, there is the potential that gss_acquire_cred_with_password() might succeed without making an AS request, and the creds you have might verify correctly even though the password was never used. I guess that's not "completely broken" as it's possible to work around, but it's dangerous, and it requires mechanism-specific application knowledge or configuration to avoid.