ssh + kerberos: problems w/ -current to openbsd 4.2 KDC
Jacob Yocom-Piatt
jy-p at fixedpointgroup.com
Mon Dec 31 12:07:11 PST 2007
have most of the machines here doing ssh authentication via kerberos
against a heimdal KDC running openbsd 4.2-release. the freebsd 7.0beta4
host i recently installed will not allow machines to ssh into it using
kerberos credentials but it (freebsd host) does successfully get and use
tickets from the KDC when

    [gssapi]
    correct_des3_mic = host/*@MYDOMAIN.COM

is added to /etc/krb5.conf.

nothing notable shows up in the KDC logs and the following appears in
/var/log/auth.log on the freebsd host:

    Dec 31 12:46:48 databank1 sshd[24658]: error: ssh_msg_send: write
    Dec 31 12:50:14 databank1 sshd[24690]: error: ssh_msg_send: write

the changes made on the freebsd host to accommodate kerberos
authentication were in /etc/ssh/sshd_config and /etc/pam.d/sshd,
respectively:

    KerberosAuthentication yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

    auth sufficient pam_krb5.so no_warn try_first_pass
    account required pam_krb5.so
    password sufficient pam_krb5.so no_warn try_first_pass

where the lines in /etc/pam.d/sshd were simply uncommented and in the
original order. debugging outputs from a client trying to ssh into the
freebsd host are not very enlightening:

    ...
    debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
    debug1: Next authentication method: gssapi-with-mic
    debug1: Delegating credentials
    debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
    debug1: Next authentication method: publickey
    ...

any clues as to what needs to be done to get this to work correctly
would be appreciated.
cheers,
jake