On 26 November 2013 01:46, Timothy Murphy <gayleard@eircom.net> wrote:

At the moment I'm not clear what advantage keytabs have.
I do not have to login after "ssh -Y ..."
as I have appended id_rsa.pub to known_hosts in each direction.


Keytabs are like a file-based password that the machine uses to authenticate to the directory server in order to validate that the token you provide is indeed valid.

Without a proper Kerberos infrastructure (keytabs on machines, PTR records in place, time consistent, etc.) GSSAPI for SSH/HTTP/etc. will not work.
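
The prerequisites named in the reply above (a keytab entry for the host, a matching PTR record, consistent time) can be checked before debugging GSSAPI itself. The following is an added example, not part of the original thread: the function names, host names, realm and sample `klist -k` output are constructed, and the 300-second limit assumes the MIT Kerberos default clock skew has not been changed.

```python
import re

# Assumption: MIT Kerberos default clock skew tolerance (5 minutes).
MAX_SKEW_SECONDS = 300

# Constructed sample of `klist -k /etc/krb5.keytab` output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/web01.example.test@EXAMPLE.TEST
   2 HTTP/web01.example.test@EXAMPLE.TEST
"""


def keytab_principals(klist_output):
    """Return the set of principals listed in `klist -k` output."""
    found = set()
    for line in klist_output.splitlines():
        # Entry lines look like "<kvno> <service>/<host>@<REALM>".
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found


def preflight(fqdn, realm, service, klist_output,
              forward, reverse, local_time, kdc_time):
    """Return the failed prerequisites; an empty list means all passed.

    forward/reverse are dicts standing in for DNS A and PTR lookups,
    local_time/kdc_time are epoch seconds (hypothetical inputs).
    """
    problems = []
    want = f"{service}/{fqdn}@{realm}"
    if want not in keytab_principals(klist_output):
        problems.append(f"keytab: no entry for {want}")
    addr = forward.get(fqdn)
    if addr is None:
        problems.append(f"dns: no forward record for {fqdn}")
    elif reverse.get(addr) != fqdn:
        problems.append(
            f"dns: PTR for {addr} is {reverse.get(addr)!r}, expected {fqdn!r}")
    skew = abs(local_time - kdc_time)
    if skew > MAX_SKEW_SECONDS:
        problems.append(
            f"time: clock differs from KDC by {skew}s (limit {MAX_SKEW_SECONDS}s)")
    return problems
```

On a real host the inputs would come from `klist -k`, forward and reverse DNS lookups, and a comparison of the local clock against the KDC's.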