It would be nice to have information which principal was used for log in
via .k5login. Tools such as gitolite utilize the identity information provided by the login to further delegate specific rights.
Can a sshd_config option to export export principal which was used for .k5login be added?
Upstream bug report with a few viable patches: https://bugzilla.mindrot.org/show_bug.cgi?id=2063 In particular comment#2 and the associated patch look to be exactly what should work here.
The patch looks good, but I would rather see it accepted upstream before adding another downstream patch to RHEL7.
It doesn't look like anyone upstream is assigned to shepherd the patch into the tree.
This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
RHEL7 already contains similar option ExposeAuthenticationMethods, which creates a similar variables SSH_USER_AUTH for PAM and user session if configured. Unfortunately, it is not completely backward compatible with the one in RHEL8, but it should do the job.