Page MenuHomeFreeBSD
Differential D52478

krb5: Enable PRINC_LOOK_AHEAD in ksu
ClosedPublic
Actions

Authored by cy on Sep 10 2025, 8:23 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Oct 16, 6:17 PM
Unknown Object (File)
Fri, Oct 10, 11:30 PM
Unknown Object (File)
Fri, Oct 10, 11:30 PM
Unknown Object (File)
Fri, Oct 10, 11:29 PM
Unknown Object (File)
Fri, Oct 10, 5:10 PM
Unknown Object (File)
Wed, Oct 8, 5:56 PM
Unknown Object (File)
Tue, Oct 7, 2:59 PM
Unknown Object (File)
Sep 13 2025, 1:13 PM
View All 12 Files
Subscribers
cperciva
freebsd_gushi.org
imp
releng

Details

Reviewers
des
ivy
Group Reviewers
krb5
Commits
rGb36435210a1e: krb5: Enable PRINC_LOOK_AHEAD in ksu
rGb0e7b55a0e90: krb5: Enable PRINC_LOOK_AHEAD in ksu
Summary

PRINC_LOOK_AHEAD is the upstream default. Normally ksu determines the
target princiapl by (quoted from the man page)

a. default principal of the source cache

b. target_user@local_realm

c. source_user@local_realm

With PRINC_LOOK_AHEAD emabled, for each candidate in the above
list, select an authorized principal that has the same realm name
and first part of the principal name equal to the prefix of the
candidate. For example if candidate a) is jqpublic@ISI.EDU and
jqpublic/secure@ISI.EDU is authorized to access the target account
then the default principal is set to jqpublic/secure@ISI.EDU.

Case 2: source user is root.

If the target user is non-root then the default principal name
is target_user@local_realm. Else, if the source cache exists
the default principal name is set to the default principal of
the source cache. If the source cache does not exist, default
principal name is set to root\@local_realm.

Reported by: Dan Mahoney <dmahoney@isc.org>
MFC after: 3 days
MFC to: 15/stable

Test Plan

Running here locally.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

cy created this revision.Sep 10 2025, 8:23 PM
Herald added a subscriber: imp. · View Herald TranscriptSep 10 2025, 8:23 PM
cy requested review of this revision.Sep 10 2025, 8:23 PM
Harbormaster completed remote builds in B66957: Diff 161877.Sep 10 2025, 8:23 PM
cy edited the test plan for this revision. (Show Details)Sep 10 2025, 8:25 PM
cy added reviewers: des, ivy, krb5.
cy added subscribers: cperciva, releng.
freebsd_gushi.org added a subscriber: freebsd_gushi.org.Sep 11 2025, 4:27 AM

I'm original reporter (note, I use not-isc-email for Project stuff). I've confirmed this works and restores previous behavior as with heimdal ksu.

This revision was not accepted when it landed; it landed in state Needs Review.Sep 12 2025, 2:33 PM
Closed by commit rGb0e7b55a0e90: krb5: Enable PRINC_LOOK_AHEAD in ksu (authored by cy). · Explain Why
This revision was automatically updated to reflect the committed changes.
cy added a commit: rGb0e7b55a0e90: krb5: Enable PRINC_LOOK_AHEAD in ksu.
cy added a commit: rGb36435210a1e: krb5: Enable PRINC_LOOK_AHEAD in ksu.Sep 14 2025, 3:21 PM

Revision Contents
Changeset List

PathSize
krb5/
usr.bin/
ksu/
3 lines

Diff 161949

View Options

krb5/usr.bin/ksu/Makefile

Loading...