Does kio_slave support kerberos based authentication? If not, when can we be expecting this functionality?

kdelibs depends on kerberos for me, so I assume so.

Well then, a better question might be, why can't I get dolphin to take advantage of kerberos based authentication when navigating to an sftp location?

Upon further review, I *can* get Dolphin to open an svn repo on a server that uses kerberos based authentication without any trouble (e.g. svn+ssh://<machine>/<svn directory> in the address bar), but when I try to open an sftp session with the same machine (e.g. sftp://<machine>) I am prompted for a password (despite having kerberos credentials).

And of course, my openssh ssh client (and the sftp client) have no trouble taking advantage of the credentials... but, I assume that openssh supports all authentication known to man.

I had always assumed it was the kioslave that was the problem, but perhaps I'm just missing something.

Which version of KDE are you using? If you are using KDE 4.3.0 or above, please file a bug with libssh, who provide the sftp functionality used in the sftp kioslave. If you are using anything below 4.3, please update.

Ok, but before I submit this as a bug, I want to make sure that it is in fact a bug and not merely a feature request. Also, I want to make sure I file a bug for the correct component (so please reply and let me know). Let me try to be as precise as possible in describing the behavior:

I am using kde 4.4.1 (more specific version info to follow)

When I ssh <machine> or sftp <machine> I do not have to enter a password; my keberos credentials are sufficient.

When I use Dolphin to navigate to svn+ssh://<machine>/<my_svn_repo> I do not have to enter a password; my kerberos credentials are sufficient.

When I use Dolphin to navigate to sftp://<machine> I *do* have to enter a password (but I shouldn't).

Dolphin (correctly) works with other "alternative" methods of authentication. When I navigate to sftp://<other_machine> where I have an ssh keypair (held by ssh-agent, using ssh-add), I do not have to enter a password.

My versions of ssh, sftp, ssh-agent, ssh-add, etc. are all from OpenSSH, v 5.1p1-40.15i586
My version of kio_sftp.so comes from the package kdebase4-runtime, v 4.4.1-193.3-i586
kio_sftp.so links with libssh.so.4 from the package libssh4 v 0.3.92-6.9-i586
I upgraded libssh4 to v 0.4.1-9.2-i586. This had no effect.

libssh.so.4 does *not* seem to link (dynamically, at least) with any kerberos libraries. (NOTE: the memory locations have been omitted from the output):
[joshlaptop ~]$ ldd /usr/lib/libssh.so.4
linux-gate.so.1 => ()
libnsl.so.1 => /lib/libnsl.so.1 ()
libresolv.so.2 => /lib/libresolv.so.2 ()
librt.so.1 => /lib/librt.so.1 ()
libz.so.1 => /lib/libz.so.1 ()
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 ()
libc.so.6 => /lib/libc.so.6 ()
libpthread.so.0 => /lib/libpthread.so.0 ()
/lib/ld-linux.so.2 ()
libdl.so.2 => /lib/libdl.so.2 ()

Similarly, kio_sftp does not seem to link with any kerberos libraries. The following produced no output:
[joshlaptop ~]$ ldd /usr/lib/kde4/kio_sftp.so | grep krb

Finally, both ssh and sftp (from the OpenSSH package mentioned above link with several kerberos libraries) link with several kerberos libraries:
[joshlaptop ~]$ ldd /usr/bin/ssh | grep krb
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 ()
libkrb5.so.3 => /usr/lib/libkrb5.so.3 ()
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 ()

[joshlaptop ~]$ ldd /usr/bin/sftp | grep krb
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 ()
libkrb5.so.3 => /usr/lib/libkrb5.so.3 ()
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 ()

It is the responsibility of libssh to handle the secure channel and authentication, therefore you need to file a feature request with the libssh developers for this to be fixed, as it appears that they have not implemented Kerberos authentication.

It looks like this is already in their development schedule.

GSSAPI support is planned for version five; no word on the timeline:
http://dev.libssh.org/ticket/15

With GSSAPI, I would /guess/ that one of the underlying authentication methods will be kerberos, but I really don't know too much about these things. It /seems/ that the OpenSSH utilities on my machine rely on GSSAPI to interface with the kerberos libraries since they link with libgssapi_krb5.so.2 (see above).

Oddly enough (this probably isn't odd to someone who knows more about these things) kio_svn.so does not link with libssh (or libgssapi for that matter). It appears that it somehow provides kerberos support for svn+ssh:// via other mechanisms. kio_sftp is apparently not involved.