Index: src/usr.bin/ssh/sshconnect1.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshconnect1.c,v
retrieving revision 1.41.2.1
diff -u -r1.41.2.1 sshconnect1.c
--- src/usr.bin/ssh/sshconnect1.c 2002/03/07 17:37:48 1.41.2.1
+++ src/usr.bin/ssh/sshconnect1.c 2002/03/10 03:23:11
@@ -682,13 +682,13 @@
 #endif /* KRB5 */
 #ifdef AFS
-static void
+static int
 send_krb4_tgt(void)
 {
 CREDENTIALS *creds;
 struct stat st;
 char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
- int problem, type;
+ int problem, type, sent = 0;
 /* Don't do anything if we don't have any tickets. */
 if (stat(tkt_string(), &st) < 0)
@@ -717,28 +717,30 @@
 type = packet_read();
- if (type == SSH_SMSG_SUCCESS)
+ if (type == SSH_SMSG_SUCCESS) {
 debug("Kerberos v4 TGT forwarded (%s%s%s@%s).", creds->pname, creds->pinst[0] ? "." : "", creds->pinst, creds->realm);
- else
+ sent = 1;
+ } else
 debug("Kerberos v4 TGT rejected.");
 xfree(creds);
- return;
+ return sent;
 out:
 debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
 xfree(creds);
+ return sent;
 }
-static void
+static int
 send_afs_tokens(void)
 {
 CREDENTIALS creds;
 struct ViceIoctl parms;
 struct ClearToken ct;
- int i, type, len;
+ int i, type, len, sent = 0;
 char buf[2048], *p, *server_cell;
 char buffer[8192];
@@ -799,7 +801,10 @@
 debug("AFS token for cell %s rejected.", server_cell);
 else if (type != SSH_SMSG_SUCCESS)
 packet_disconnect("Protocol error on AFS token response: %d", type);
+ else
+ sent++;
 }
+ return sent;
 }
 #endif /* AFS */
@@ -1092,6 +1097,9 @@
 ssh_userauth1(const char *local_user, const char *server_user, char *host, Key **keys, int nkeys)
 {
+#ifdef AFS
+ int sent_tgt = 0, sent_token = 0;
+#endif
 #ifdef KRB5
 krb5_context context = NULL;
 krb5_auth_context auth_context = NULL;
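Review bot: The early exit under `if (stat(tkt_string(), &st) < 0)` lies just past the end of the first hunk and is not touched by this patch; if it is still a bare `return;`, send_krb4_tgt() now has an undefined int result on the no-ticket path. ssh_userauth1() stores that result in `sent_tgt` and uses it to decide whether to retry after authentication, so that exit should read `return 0;`. A one-line comment above the function stating that it returns 1 only when the server answered SSH_SMSG_SUCCESS would make the new contract explicit.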
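Review bot: send_afs_tokens() now returns a count of accepted tokens (`sent++`), but its caller only tests the value as a flag (`!sent_token`), so one accepted cell token suppresses the later pass even if tokens for other cells were rejected on the first attempt. The loop that walks the tokens starts outside this hunk, so whether a rejected token could succeed on a second try cannot be judged from here. At minimum the function should carry a comment such as `/* Returns the number of tokens the server accepted; 0 means nothing was forwarded. */` so callers do not assume all-or-nothing semantics.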
@@ -1120,6 +1128,23 @@
 if (type != SSH_SMSG_FAILURE)
 packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
+#ifdef AFS
+ /* Try Kerberos v4 TGT passing if the server supports it. */
+ if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
+ options.kerberos_tgt_passing) {
+ if (options.cipher == SSH_CIPHER_NONE)
+ log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
+ sent_tgt = send_krb4_tgt();
+ }
+ /* Try AFS token passing if the server supports it. */
+ if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
+ options.afs_token_passing && k_hasafs()) {
+ if (options.cipher == SSH_CIPHER_NONE)
+ log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
+ sent_token = send_afs_tokens();
+ }
+#endif /* AFS */
+
 #ifdef KRB5
 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && options.kerberos_authentication) {
@@ -1238,14 +1263,14 @@
 #ifdef AFS
 /* Try Kerberos v4 TGT passing if the server supports it. */
 if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
- options.kerberos_tgt_passing) {
+ options.kerberos_tgt_passing && !sent_tgt) {
 if (options.cipher == SSH_CIPHER_NONE)
 log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
 send_krb4_tgt();
 }
 /* Try AFS token passing if the server supports it. */
 if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
- options.afs_token_passing && k_hasafs()) {
+ options.afs_token_passing && k_hasafs() && !sent_token) {
 if (options.cipher == SSH_CIPHER_NONE)
 log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
 send_afs_tokens();
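Review bot: The new block in ssh_userauth1() forwards the ticket and the AFS tokens before any authentication method has run, and with `options.cipher == SSH_CIPHER_NONE` it still sends them after only logging a warning. The pre-existing block in the later hunk presumably runs once login has succeeded, so this change widens exposure to any server that advertises SSH_PASS_KERBEROS_TGT or SSH_PASS_AFS_TOKEN, including one where the login then fails. For the early path I would skip the send on an unencrypted session, e.g. `if (options.cipher != SSH_CIPHER_NONE) sent_tgt = send_krb4_tgt();` and likewise for `send_afs_tokens()`. A comment should also state that at this point the server is trusted only through whatever host-key verification happened earlier, which these hunks do not show.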
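Review bot: This post-authentication block is now a near-verbatim copy of the one added earlier in ssh_userauth1(), differing only in the `!sent_tgt` / `!sent_token` tests. Moving the option checks, the cleartext warning and the two send calls into one static helper that takes the `sent_*` flags by pointer would keep the warning logic and any later hardening in one place. The retry calls here also discard the new int results, which is harmless now but worth a `(void)` cast or a comment so it reads as intentional. The function body continues outside the hunk.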