This should be a reasonable approach. For all machines that are being logged into using gssapi krb5, those machines must have been issued a Kerberos principal and they must have a keytab. Assign the principal an AFS ID and then use a program such as kstart to obtain and maintain a AFS token in the PAG within which the sshd resides. Add the AFS ID to a an AFS group and provide that group rl privileges on the top level directory of the home volume. This will provide the sshd the ability to read the directory without requiring that the directory be world readable.
Now if you want to lock things down a bit more, move all of the dot files to a new directory on which 'rl' is granted for the group and instead give the group 'l' privilege on the top-level directory and place symlinks from the top-level directory to the real dot files. This will prevent sshd from being able to read any of the files in the top-level directory but it will be able to follow the symlinks to read the dot files that it requires. Jeffrey Altman
smime.p7s
Description: S/MIME Cryptographic Signature
