the k5login facility allows user to grant each other access if the so wish by creating a .k5login file in their home directory.
This is a powerful feature, but also a dangerous one, we should limit it by default, and let admins change/remove the option if they actually want to trust users with this feature.
I suggest we create a /var/lib/ipa/k5login directory owned by root and set k5login_directory to that value on ipa-client-install.
I do not see the value in this restriction yet. If user wants to give access to his home direcotry to other parties, he is free to do it and we should not restrict him.
He can as well add other SSH public keys to .ssh/authorized_keys or share his password. It looks the same to me. So I was not sure why should the Kerberos be treated differently.
The admin can as well restrict keys and use 2FA/Smartcards to prevent password sharing.
Ideally we'd have a global policy in IPA that can be pushed down to clients that can restrict this feature, but we do not do file based policies for now.
Metadata Update from @simo: - Issue assigned to someone - Issue set to the milestone: Ticket Backlog
Login to comment on this ticket.