diff --git a/lib/libpam/modules/pam_ksu/Makefile b/lib/libpam/modules/pam_ksu/Makefile
--- a/lib/libpam/modules/pam_ksu/Makefile
+++ b/lib/libpam/modules/pam_ksu/Makefile
@@ -25,10 +25,21 @@
 
 PACKAGE=	kerberos
 
+.include <src.opts.mk>
+
 LIB=	pam_ksu
 SRCS=	pam_ksu.c
 MAN=	pam_ksu.8
+WARNS?=	3
 
 LIBADD+=	krb5
 
+.if ${MK_MITKRB5} != "no"
+WARNS=	2
+CFLAGS+=	-I${SRCTOP}/crypto/krb5/src/include
+CFLAGS+=	-I${SRCTOP}/krb5/include
+CFLAGS+=	-include ${SRCTOP}/crypto/krb5/src/include/k5-int.h
+CFLAGS+=	-DMK_MITKRB5=yes
+.endif
+
 .include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_ksu/pam_ksu.c b/lib/libpam/modules/pam_ksu/pam_ksu.c
--- a/lib/libpam/modules/pam_ksu/pam_ksu.c
+++ b/lib/libpam/modules/pam_ksu/pam_ksu.c
@@ -48,6 +48,61 @@
 static int	auth_krb5(pam_handle_t *, krb5_context, const char *,
 		    krb5_principal);
 
+#ifdef MK_MITKRB5
+/* For MIT KRB5 only. */
+
+/*
+ * XXX This entire module will need to be rewritten when heimdal
+ * XXX compatidibility is no longer needed.
+ */
+#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_"
+#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT
+
+/*
+ * XXX We will replace krb5_build_principal_va() with
+ * XXX krb5_build_principal_alloc_va() when Heimdal is finally
+ * XXX removed.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_build_principal_va(krb5_context context,
+			krb5_principal princ,
+			unsigned int rlen,
+			const char *realm,
+			va_list ap);
+typedef char *heim_general_string;
+typedef heim_general_string Realm;
+typedef Realm krb5_realm;
+typedef const char *krb5_const_realm;
+
+static krb5_error_code
+krb5_make_principal(krb5_context context, krb5_principal principal,
+	krb5_const_realm realm, ...)
+{
+	krb5_error_code rc;
+	va_list ap;
+	if (realm == NULL) {
+		krb5_realm temp_realm = NULL;
+		if ((rc = krb5_get_default_realm(context, &temp_realm)))
+			return (rc);
+		realm=temp_realm;
+		if (temp_realm)
+			free(temp_realm);
+	}
+	va_start(ap, realm);
+	/*
+	 * XXX Ideally we should be using krb5_build_principal_alloc_va()
+	 * XXX here because krb5_build_principal_va() is deprecated. But,
+	 * XXX this would require changes elsewhere in the calling code
+	 * XXX to call krb5_free_principal() elsewhere to free the
+	 * XXX principal. We can do that after Heimdal is removed from
+	 * XXX our tree.
+	 */
+	rc = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
+	va_end(ap);
+	return (rc);
+}
+#endif
+
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
     int argc __unused, const char *argv[] __unused)
@@ -217,7 +272,13 @@
 	if (rv != 0)
 		return (errno);
 	if (default_principal == NULL) {
+#ifdef MK_MITKRB5
+		/* For MIT KRB5. */
+		rv = krb5_make_principal(context, default_principal, NULL, current_user, NULL);
+#else
+		/* For Heimdal. */
 		rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL);
+#endif
 		if (rv != 0) {
 			PAM_LOG("Could not determine default principal name.");
 			return (rv);