Bug 2063 - RFE: export principal which was used for .k5login
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Kerberos support
Version: 6.1p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2013-01-17 00:55 AEDT by Enrico Scholz
Modified: 2017-02-07 03:51 AEDT


Attachments
Patch from openssh-portable tree at commit e7bf3a5eda (4.81 KB, patch)
2015-04-11 04:51 AEST, Karl Kornel

Description Enrico Scholz 2013-01-17 00:55:38 AEDT
It would be nice to have information about which principal was used to log in via .k5login.  E.g. 'gitolite' uses ssh public keys by default (where the real identity can easily be recorded by environment/command options in ~/.ssh/authorized_keys), and it would be trivial to implement a similar mechanism for Kerberos auth once the original principal is exported somehow.

A patch is available at

http://geggus.net/sven/blogfiles/GSS_AUTH_KRB5_PRINC-env4openssh.diff


See

http://blog.gegg.us/2012/07/using-gitolite-with-kerberos-authentication/
https://groups.google.com/forum/?fromgroups=#!topic/comp.protocols.kerberos/6b7tSA-og0k

for some more discussions.
Comment 1 Anders Kaseorg 2013-06-28 06:36:45 AEST
For scripts.mit.edu we wrote this patch that doesn’t specifically depend on PAM or krb5:

https://scripts.mit.edu/trac/browser/trunk/server/common/patches/openssh-4.7p1-gssapi-name-in-env.patch
Comment 2 Karl Kornel 2015-04-11 04:51:01 AEST
Created attachment 2580
Patch from openssh-portable tree at commit e7bf3a5eda

I've also got a patch for this.  This patch was made from the current openssh-portable tree, as of commit e7bf3a5eda.

This patch introduces a new option, GSSAPISetEnv.  By default, the option is disabled.  If the option is enabled, then the environment variable SSH_GSSAPI_DISPLAYNAME will be set when the user authenticates using GSSAPI.  The environment variable is also made available to the PAM environment, if PAM is enabled.

In my case, I went for the GSSAPI display name because I saw it was being used in debug messages (gss-serv-krb5.c lines 104-105).  I also saw the display name being made available in gsasl (http://www.gnu.org/software/gsasl/manual/html_node/Properties.html, talking about the GSASL_GSSAPI_DISPLAY_NAME property).
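As an added example (not part of the attached patch, of OpenSSH, or of gitolite), the following ForceCommand wrapper shows how the variable described in Comment 2 would be consumed to get the gitolite-style identity mapping the bug description asks for: it reads SSH_GSSAPI_DISPLAYNAME, accepts only plain user@REALM principals of one trusted realm, and hands the local user name to gitolite-shell the way command="gitolite-shell <user>" does in ~/.ssh/authorized_keys for keys. Everything beyond the variable name is an assumption: the sshd_config fragment in the comments presumes a sshd built with the patch, the script name krb5-gitolite-shell, the realm EXAMPLE.COM, and gitolite-shell taking the user name as its first argument are all hypothetical, and the test principals are constructed.

```sh
#!/bin/sh
# Added example, not code from the OpenSSH bug attachment or from gitolite.
# Maps the Kerberos principal that a patched sshd exports in
# SSH_GSSAPI_DISPLAYNAME (only present when "GSSAPISetEnv yes" is in effect)
# to a gitolite user name and execs gitolite-shell with it.
#
# Assumed sshd_config for the git account (hypothetical; GSSAPISetEnv exists
# only with the attached patch applied):
#   GSSAPIAuthentication yes
#   GSSAPISetEnv yes
#   Match User git
#       ForceCommand /usr/local/bin/krb5-gitolite-shell
#
# Assumption: gitolite-shell takes the user name as its first argument.

TRUSTED_REALM=${TRUSTED_REALM:-EXAMPLE.COM}            # assumption: one home realm
GITOLITE_SHELL=${GITOLITE_SHELL:-/home/git/bin/gitolite-shell}  # assumed path

# principal_to_user PRINCIPAL
# Prints the local user for a principal of the form user@TRUSTED_REALM, or
# returns 1. Anything else is refused rather than guessed at: other realms,
# service/instance principals (host/x@REALM), names carrying Kerberos quoting
# backslashes or shell metacharacters, and empty or dot-/dash-leading names.
principal_to_user() {
    p=$1
    case "$p" in
        *@"$TRUSTED_REALM") ;;     # quoted, so the realm is matched literally
        *) return 1 ;;
    esac
    u=${p%@*}                      # shortest '@' suffix: a second '@' stays in $u
    case "$u" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
    esac
    printf '%s\n' "$u"
}

# run_wrapper: fail closed when the variable is missing (session was not
# GSSAPI-authenticated, or GSSAPISetEnv is off) instead of letting an
# unidentified session through; log the mapping so the audit trail records
# the principal, not just the shared 'git' account.
run_wrapper() {
    if [ -z "${SSH_GSSAPI_DISPLAYNAME:-}" ]; then
        echo "krb5-gitolite-shell: no Kerberos principal in session" >&2
        exit 1
    fi
    user=$(principal_to_user "$SSH_GSSAPI_DISPLAYNAME") || {
        echo "krb5-gitolite-shell: refusing principal '$SSH_GSSAPI_DISPLAYNAME'" >&2
        exit 1
    }
    logger -t krb5-gitolite-shell \
        "principal=$SSH_GSSAPI_DISPLAYNAME user=$user cmd=${SSH_ORIGINAL_COMMAND:-}"
    # SSH_ORIGINAL_COMMAND stays in the environment for gitolite-shell to read.
    exec "$GITOLITE_SHELL" "$user"
}

# Act as the wrapper only when installed under that name, so the file can be
# sourced to exercise principal_to_user on its own.
case "$0" in
    */krb5-gitolite-shell) run_wrapper ;;
esac
```

The wrapper deliberately does not fall back to $USER or to the login name when the variable is absent: with ForceCommand in place every session on the git account passes through it, so a missing principal must mean "deny", otherwise a password or key login would be accepted with whatever identity gitolite-shell defaults to. Realm and name filtering is strict on purpose; principals such as host/git.example.com@EXAMPLE.COM or alice@OTHER.ORG are never silently collapsed to "alice".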
Comment 3 François 2015-10-15 06:31:20 AEDT
This feature would be welcome for me too.
Is there any reason why the patches are not accepted?
Comment 4 PatRiehecky 2017-02-07 03:51:40 AEDT
Circling back around to this bug.  Any chance this could be considered for a future release?