Hello
As per our understanding, the .k5login file is similar to ssh authorized_keys. A user puts his keys in the authorized_keys file to ssh to a server without a password.
However, ssh correctly checks that only the owner has write access (600) to authorized_keys, but the same check is not performed for the k5login file. Anybody with write access to another user's home directory could potentially add a .k5login file with his Kerberos ID to take control of that user.
Basically, in the userok_k5login function, we do have a check to verify that the .k5login file is owned either by the user or root. Can we also have an additional check to verify that the permissions of this file are 600?
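
The check requested above, as an added example that is not part of the original message and not code from the krb5 source: a stand-alone C function that applies the owner-or-root test the message describes and then rejects any group or other permission bits. The function name, the result codes and the choice to accept mode 0600 or stricter are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes (hypothetical names, chosen for this example). */
enum k5l_result { K5L_OK = 0, K5L_OPEN_FAILED, K5L_NOT_REGULAR,
                  K5L_BAD_OWNER, K5L_BAD_MODE };

/* Owner must be the target user or root (the existing check the message
 * describes); no group/other bits may be set, i.e. mode 0600 or stricter
 * (the additional check the message asks for). */
enum k5l_result check_k5login_file(const char *path, uid_t user_uid)
{
    struct stat st;
    enum k5l_result res = K5L_OK;

    /* O_NOFOLLOW: refuse a symlink in place of the file.
     * O_NONBLOCK: do not hang if the path names a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return K5L_OPEN_FAILED;

    /* fstat() the descriptor rather than stat() the path, so the checks
     * cannot be raced by swapping the file; a real caller would go on to
     * read the principals from this same descriptor. */
    if (fstat(fd, &st) != 0)
        res = K5L_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        res = K5L_NOT_REGULAR;
    else if (st.st_uid != user_uid && st.st_uid != 0)
        res = K5L_BAD_OWNER;
    else if (st.st_mode & (S_IRWXG | S_IRWXO))
        res = K5L_BAD_MODE;

    close(fd);
    return res;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    enum k5l_result r = check_k5login_file(argv[1], getuid());
    printf("%s: %s\n", argv[1], r == K5L_OK ? "ok" : "rejected");
    return r == K5L_OK ? 0 : 1;
}
```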