Created attachment 190054
Red Hat patched this. It would be nice if we did the same:
They give the ability to *disable* this feature entirely, which is what I was trying to do, and they also added some extra safety belts.
Attaching relevant patches that Red Hat has cooked up for Kerberos.
Created attachment 190055
Option to control k5users in sshd.conf
Created attachment 190056
restore the usage of krb5_kuserok() so that localauth plugins can be used
Created attachment 190057
additional .k5users and .k5login checks to complement previous patches
This also breaks gssapi-with-mic if your user homedir is locked down with mode 700.
The current behavior is consistent with krb5.
Could the RH patches be an option in the security/openssh-portable port?