How would an attacker gain access to the path to a user's home directory? The path to .k5login can alternatively be configured via [libdefaults] k5login_directory, but it seems very unlikely that an administrator would set that path to something underneath /tmp or similar.

Also, what would be the adverse security impact of making the .k5login appear to exist at one moment but then be unopenable when the code tries to open it? It seems like that would just cause the localauth operation to deny access.

I moderated this through because I don't think there is actually a security issue, but please use krbcore-security@mit.edu to report bugs which you believe are exploitable.
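
The fail-closed outcome discussed in the message above, as an added example that is not part of the original message and is not MIT krb5 code: a per-user authorization file is opened first and inspected through its descriptor, so a file that changes or disappears around the open can only produce "no file" or "deny". The function name, result enum, ownership and mode policy, and default path are all assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names; assumed policy: regular file, owned by the user or root. */
enum authz_result { AUTHZ_NO_FILE, AUTHZ_DENY, AUTHZ_USABLE };

/* Open first, then inspect the descriptor. With no separate existence
 * check before the open, a file swapped or removed in between cannot
 * yield anything more permissive than "deny". */
enum authz_result open_authz_file(const char *path, uid_t owner, int *fd_out)
{
    struct stat st;
    int fd;

    *fd_out = -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return errno == ENOENT ? AUTHZ_NO_FILE : AUTHZ_DENY;

    /* Checks run on the opened descriptor, so they describe the file that
     * will actually be read, not whatever the path names a moment later. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_uid != owner && st.st_uid != 0) ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return AUTHZ_DENY;
    }
    *fd_out = fd;
    return AUTHZ_USABLE;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "no file", "deny", "usable" };
    int fd;
    /* Constructed default path; pass a real one as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "./sample.k5login";
    enum authz_result r = open_authz_file(path, getuid(), &fd);

    printf("%s: %s\n", path, names[r]);
    if (fd >= 0)
        close(fd);
    return r == AUTHZ_DENY;
}
```
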