To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Dag-Erling Smørgrav
From: Colin Percival
Subject: git: 8fdafb396677 - releng/15.0 - pam_krb5: Restore allow_kdc_spoof option
Date: Mon, 24 Nov 2025 06:23:22 +0000
Message-Id: <6923f9da.2237e.48dfcd6f@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@FreeBSD.org
X-Git-Committer: cperciva
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/15.0
X-Git-Reftype: branch
X-Git-Commit: 8fdafb396677a616c4899b1d1de29a3aa611dfa6
Auto-Submitted: auto-generated

The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=8fdafb396677a616c4899b1d1de29a3aa611dfa6

commit 8fdafb396677a616c4899b1d1de29a3aa611dfa6
Author:     Dag-Erling Smørgrav
AuthorDate: 2025-11-24 02:40:29 +0000
Commit:     Colin Percival
CommitDate: 2025-11-24 06:23:08 +0000

    pam_krb5: Restore allow_kdc_spoof option

    Not only does the new pam_krb5 module not have the same allow_kdc_spoof
    option that the old one had, its behavior in this matter defaults to
    insecure.  Reimplement allow_kdc_spoof and switch the default back.

    Approved by:    re (cperciva)
    Reviewed by:    cy
    Differential Revision:  https://reviews.freebsd.org/D53884

    (cherry picked from commit fe5c8baf25a5b40285c3ef85b69391d591e4a76c)
    (cherry picked from commit 2eb030d1c8f1f307c2e0570538633d4e0822a4ff)

--- contrib/pam-krb5/docs/pam_krb5.pod | 15 +++++++++------ contrib/pam-krb5/module/auth.c | 6 ++++++ contrib/pam-krb5/module/internal.h | 3 +++ contrib/pam-krb5/module/options.c | 3 +++ 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/contrib/pam-krb5/docs/pam_krb5.pod b/contrib/pam-krb5/docs/pam_krb5.pod index 024584dfd4cd..f352af71b553 100644 --- a/contrib/pam-krb5/docs/pam_krb5.pod 
+++ b/contrib/pam-krb5/docs/pam_krb5.pod @@ -57,12 +57,10 @@ is vulnerable to KDC spoofing, but it requires that the system have a local key and that the PAM module be running as a user that can read the keytab file (normally F. You can point the Kerberos PAM module at a different keytab with the I option. If that keytab -cannot be read or if no keys are found in it, the default (potentially -insecure) behavior is to skip this check. If you want to instead fail -authentication if the obtained tickets cannot be checked, set -C to true in the [libdefaults] section of -F. Note that this will affect applications other than -this PAM module. +cannot be read or if no keys are found in it, the default behavior is to +fail authentication. If you want to skip this check, set the +C option to true either in the [appdefaults] section of +F or in the PAM policy. By default, whenever the user is authenticated, a basic authorization check will also be done using krb5_kuserok(). The default behavior of @@ -218,6 +216,11 @@ pam-krb5 in which that option was added with the current meaning. =over 4 +=item allow_kdc_spoof + +Allow authentication to succeed even if there is no host or service +key available in a keytab to authenticate the Kerberos KDC's ticket. + =item alt_auth_map= [3.12] This functions similarly to the I option. The diff --git a/contrib/pam-krb5/module/auth.c b/contrib/pam-krb5/module/auth.c index 065ce97b6596..46f2be791000 100644 --- a/contrib/pam-krb5/module/auth.c +++ b/contrib/pam-krb5/module/auth.c 
@@ -696,6 +696,12 @@ verify_creds(struct pam_args *args, krb5_creds *creds) if (cursor_valid) krb5_kt_end_seq_get(c, keytab, &cursor); } +#ifdef __FreeBSD__ + if (args->config->allow_kdc_spoof) + opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; + else + opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; +#endif /* __FreeBSD__ */ retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts); if (retval != 0) putil_err_krb5(args, retval, "credential verification failed"); diff --git a/contrib/pam-krb5/module/internal.h b/contrib/pam-krb5/module/internal.h index f3ea30139815..c797f7a56cd3 100644 --- a/contrib/pam-krb5/module/internal.h +++ b/contrib/pam-krb5/module/internal.h @@ -62,6 +62,9 @@ struct pam_config { long minimum_uid; /* Ignore users below this UID. */ bool only_alt_auth; /* Alt principal must be used. */ bool search_k5login; /* Try password with each line of .k5login. */ +#ifdef __FreeBSD__ + bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */ +#endif /* __FreeBSD__ */ /* Kerberos behavior. */ char *fast_ccache; /* Cache containing armor ticket. */ diff --git a/contrib/pam-krb5/module/options.c b/contrib/pam-krb5/module/options.c index 799b3a33e168..0118fb451af6 100644 --- a/contrib/pam-krb5/module/options.c +++ b/contrib/pam-krb5/module/options.c @@ -30,6 +30,9 @@ #define K(name) (#name), offsetof(struct pam_config, name) /* clang-format off */ static const struct option options[] = { +#ifdef __FreeBSD__ + { K(allow_kdc_spoof), true, BOOL (false) }, +#endif /* __FreeBSD__ */ { K(alt_auth_map), true, STRING (NULL) }, { K(anon_fast), true, BOOL (false) }, { K(banner), true, STRING ("Kerberos") },
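
Review bot: In contrib/pam-krb5/docs/pam_krb5.pod, hunk @@ -57,12 +57,10 @@, the rewritten paragraph drops the sentences about the [libdefaults] setting without saying whether that setting still has any effect on this module. auth.c now sets or clears KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL before every krb5_verify_init_creds() call, so an administrator who relied on the old [libdefaults] knob cannot tell from the new text which setting wins. Suggest one sentence stating the precedence, plus a note that hosts without a readable keytab will now fail authentication unless the new option is set.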
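
Review bot: The new "=item allow_kdc_spoof" entry (pam_krb5.pod, hunk @@ -218,6 +216,11 @@) does not state the default, does not say that the option exists only in the FreeBSD build (the code is under #ifdef __FreeBSD__), and does not say what enabling it costs. The neighbouring alt_auth_map item carries a version tag, [3.12]; this one has none, so a reader may take it for an option available wherever pam-krb5 is installed. Suggest adding that it defaults to false, that it is FreeBSD-specific, and that setting it re-opens the KDC spoofing exposure described earlier in the same document.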
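
Review bot: In verify_creds() (contrib/pam-krb5/module/auth.c, hunk @@ -696,6 +696,12 @@), the added block flips KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL in opts.flags directly, and nothing in the visible lines assigns a value for the option itself. If that bit only marks the option's value as explicitly provided, the else branch depends on whatever that value holds after initialization, and the allow branch falls back to the library's own default rather than forcing the permissive behaviour. Suggest krb5_verify_init_creds_opt_set_ap_req_nofail(&opts, !args->config->allow_kdc_spoof) so both branches are explicit, or a comment explaining why touching the flag alone is sufficient here.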
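
Review bot: Style, contrib/pam-krb5/module/internal.h, hunk @@ -62,6 +62,9 @@: "bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */" has no whitespace between the semicolon and the comment, and the comment lacks the trailing period that the surrounding members use ("/* Ignore users below this UID. */"). The member also sits just above the "/* Kerberos behavior. */" group although it controls Kerberos credential verification; consider moving it into that group and aligning the comment with its neighbours.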
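
Review bot: The options[] entry "{ K(allow_kdc_spoof), true, BOOL (false) }" in contrib/pam-krb5/module/options.c (hunk @@ -30,6 +30,9 @@) is where the fail-closed default lives, and the diffstat lists no test file alongside it. Since the commit message says the point of the change is to switch an insecure default back, suggest a regression test that authenticates with no usable keytab under both values of the option, and a short comment on the entry noting that false is the secure setting so a later edit does not flip it unnoticed.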