The basic idea is to define a new userauth method, which for the sake of this discussion we'll call "gssapi-mic" (I know Joseph Galbraith just used this name to describe something else, but I chose it first, so too
I surrender the name to you :-)
bad). The new method would consist of a single request message, containing the usual method-independent fields and a MIC resulting from gss_getmic:

    byte      SSH_MSG_USERAUTH_REQUEST
    string    user name
    string    service
    string    "gssapi-mic"
    string    context-id
    string    MIC
I think this is a better proposal than mine. I like this -- I think it maintains the backward compatibility I need and fills the hole that Love pointed out quite nicely.

- Joseph
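The request layout proposed in the thread, as an added example that is not part of the original messages: a Python encoder and strict parser for the five-string message. The function names and sample values are assumptions, and the MIC is carried as opaque bytes because the thread does not say here what gss_getmic is computed over.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from the SSH userauth protocol
METHOD = b"gssapi-mic"         # method name as proposed in the thread


def _put_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def encode_request(user: bytes, service: bytes, context_id: bytes, mic: bytes) -> bytes:
    """Serialize the fields in the order the message layout lists them."""
    body = b"".join(_put_string(f) for f in (user, service, METHOD, context_id, mic))
    return bytes([SSH_MSG_USERAUTH_REQUEST]) + body


def _get_string(buf: bytes, off: int):
    """Read one SSH string at off; reject lengths that run past the buffer."""
    if len(buf) - off < 4:
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError("string length exceeds packet")
    return buf[off:off + n], off + n


def parse_request(packet: bytes) -> dict:
    """Strict server-side parse: right type, right method, no trailing bytes."""
    if not packet or packet[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    off, fields = 1, []
    for _ in range(5):
        value, off = _get_string(packet, off)
        fields.append(value)
    if off != len(packet):
        raise ValueError("trailing bytes after MIC")
    user, service, method, context_id, mic = fields
    if method != METHOD:
        raise ValueError("unexpected method name")
    return {"user": user, "service": service, "context_id": context_id, "mic": mic}


# Constructed sample values; the MIC is an opaque placeholder, not gss_getmic output.
SAMPLE = encode_request(b"alice", b"ssh-connection", b"ctx-0001", b"\x00" * 16)
```

A server would hand the parsed `mic` and the established context to its GSS-API library for verification before accepting the request; that step is outside this example.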