Using an alternate principal for ssh

Dan Mahoney danm at prime.gushi.org
Tue May 31 12:05:06 EDT 2022


All,

In the day job, many apps default to the Kerberos principal, and we'd like to make ssh (whether used with kinit and GSSAPI auth, or with a typed password, via KerberosAuthentication, or PAM) use a different principal, say user/ssh at REALM, such that if you mistype your wiki password or your webmail password, you don't magically gain SSH access to All The Things.

On most of our boxes, ssh is the ONLY kerberized app, but there's no provision in krb5.conf to say what the default principal based on a username is.  None of the PAM modules seem to be able to set it, either.  I conjured up an elaborate way to do this by forcing the .k5logindir to be something the users couldn't touch, and forcing a create for each user, but this doesn't help the password case.

Does anyone know of a simple way to accomplish this?  There are some clients, like mobile ones, where, VPN or no, kinit'ing is not an option.

-Dan
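Added illustration (not the poster's code and not MIT Kerberos' own implementation): the GSSAPI half of the problem above is the direction that krb5.conf does cover, via an `auth_to_local` rule in the realm's `[realms]` stanza, which decides which principals map to a local account. The script below is a simplified Python model of MIT-style `RULE:[n:string](regexp)s/pattern/replacement/` evaluation, run over constructed sample principals in a constructed realm `EXAMPLE.COM`, so you can see a rule that maps only `user/ssh@EXAMPLE.COM` to `user` and leaves the plain `user@EXAMPLE.COM` (the wiki/webmail principal) unmapped. It assumes full-match semantics for the regexp, supports `DEFAULT` and one or more `s///` substitutions, and says nothing about the typed-password (KerberosAuthentication/PAM) path, which this mapping does not affect.

```python
"""Simplified model of MIT-style auth_to_local RULE evaluation for GSSAPI ssh.

Constructed scenario: in realm EXAMPLE.COM only principals shaped like
<user>/ssh@EXAMPLE.COM should map to a local account, so a ticket for the
plain <user>@EXAMPLE.COM principal is not accepted by sshd's GSSAPI user check.
"""
import re
from typing import List, Optional

# Constructed rule set (would live under [realms] EXAMPLE.COM = { auth_to_local = ... }).
# The selector "$1;$2@$0" includes the realm ($0) so the regexp can refuse other
# realms; the substitution then strips ";ssh@..." to leave the local username.
SSH_ONLY_RULES: List[str] = [
    r"RULE:[2:$1;$2@$0](^[a-z][a-z0-9_-]*;ssh@EXAMPLE\.COM$)s/;ssh@.*$//",
]

_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(s/.*)?$")
_SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def parse_principal(principal: str):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def _expand_selector(template: str, components: List[str], realm: str) -> str:
    # $0 is the realm, $1..$n are the name components.
    def sub(m) -> str:
        idx = int(m.group(1))
        if idx > len(components):
            raise ValueError(f"selector references ${idx} but principal has {len(components)} components")
        return realm if idx == 0 else components[idx - 1]
    return re.sub(r"\$(\d+)", sub, template)


def apply_rule(rule: str, principal: str, default_realm: str) -> Optional[str]:
    """Return the local name this rule yields, or None if the rule does not apply."""
    components, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: single-component principals in the local realm map to their name.
        return components[0] if len(components) == 1 and realm == default_realm else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    ncomp, template, regexp, substs = m.groups()
    if len(components) != int(ncomp):
        return None
    selected = _expand_selector(template, components, realm)
    if regexp is not None:
        hit = re.search(regexp, selected)
        # Assumed full-match semantics: the whole selector string must match.
        if hit is None or hit.start() != 0 or hit.end() != len(selected):
            return None
    for pattern, replacement, flag in _SUBST_RE.findall(substs or ""):
        selected = re.sub(pattern, replacement, selected, count=0 if flag == "g" else 1)
    return selected


def local_user_for(principal: str, rules: List[str] = SSH_ONLY_RULES,
                   default_realm: str = "EXAMPLE.COM") -> Optional[str]:
    """First rule that maps the principal wins; None means 'no local account'."""
    for rule in rules:
        name = apply_rule(rule, principal, default_realm)
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample principals, not real accounts.
    for p in ("alice/ssh@EXAMPLE.COM", "alice@EXAMPLE.COM",
              "alice/admin@EXAMPLE.COM", "alice/ssh@OTHER.REALM"):
        print(f"{p:28} -> {local_user_for(p)}")
```

With the rule list above and no `DEFAULT` entry, a ticket for `alice@EXAMPLE.COM` yields no local user, so a mistyped webmail password that produced a ticket for that principal still cannot satisfy sshd's GSSAPI check; `alice/ssh@EXAMPLE.COM` maps to `alice`. A per-user `.k5login` would override this mapping, which is why the poster's approach of pinning `k5login_directory` matters in the same direction.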