Page MenuHomeFreeBSD
Differential D53884

pam_krb5: Restore allow_kdc_spoof option
ClosedPublic
Actions

Authored by des on Nov 22 2025, 4:57 PM.
Tags
None
Referenced Files
Unknown Object (File)
Dec 15 2025, 9:57 PM
Unknown Object (File)
Dec 11 2025, 1:04 PM
Unknown Object (File)
Dec 8 2025, 12:54 PM
Unknown Object (File)
Dec 4 2025, 8:39 AM
Unknown Object (File)
Dec 3 2025, 8:07 AM
Unknown Object (File)
Nov 30 2025, 3:05 AM
Unknown Object (File)
Nov 29 2025, 10:33 AM
Unknown Object (File)
Nov 28 2025, 8:11 PM
View All 24 Files
Subscribers
cperciva
imp

Details

Reviewers
cy
ivy
Group Reviewers
security
Commits
rG8fdafb396677: pam_krb5: Restore allow_kdc_spoof option
rG2eb030d1c8f1: pam_krb5: Restore allow_kdc_spoof option
rGfe5c8baf25a5: pam_krb5: Restore allow_kdc_spoof option
Summary

Not only does the new pam_krb5 module not have the same allow_kdc_spoof
option that the old one had, its behavior in this matter defaults to
insecure. Reimplement allow_kdc_spoof and switch the default back.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

des created this revision.Nov 22 2025, 4:57 PM
Herald added a subscriber: imp. · View Herald TranscriptNov 22 2025, 4:57 PM
des requested review of this revision.Nov 22 2025, 4:57 PM
des added a child revision: D53885: pam_krb5: Fix manual page in MIT case.
des added a comment.Nov 22 2025, 4:58 PM

Note that this patch updates the source for the documentation but not the mdoc file that we actually install; see D53885 for that.

Harbormaster completed remote builds in B68808: Diff 166968.Nov 22 2025, 4:58 PM
cy accepted this revision as: cy.Nov 23 2025, 3:11 PM
This revision is now accepted and ready to land.Nov 23 2025, 3:11 PM
cperciva added a subscriber: cperciva.Nov 23 2025, 11:28 PM

@des Please commit this and MFC to stable/15 ASAP so I can get it into 15.0-RC4 builds on Monday.

des added a comment.Nov 24 2025, 1:01 AM

I am not committing this without the documentation, which has still not been approved.

Closed by commit rGfe5c8baf25a5: pam_krb5: Restore allow_kdc_spoof option (authored by des). · Explain WhyNov 24 2025, 2:41 AM
This revision was automatically updated to reflect the committed changes.
des added a commit: rGfe5c8baf25a5: pam_krb5: Restore allow_kdc_spoof option.
des added a commit: rG2eb030d1c8f1: pam_krb5: Restore allow_kdc_spoof option.Nov 24 2025, 3:15 AM
cperciva added a commit: rG8fdafb396677: pam_krb5: Restore allow_kdc_spoof option.Nov 24 2025, 6:23 AM

Revision Contents
Changeset List

PathSize
contrib/
pam-krb5/
docs/
15 lines
module/
6 lines
3 lines
3 lines

Diff 167003

View Options

contrib/pam-krb5/docs/pam_krb5.pod

Loading...
View Options

contrib/pam-krb5/module/auth.c

Loading...
View Options

contrib/pam-krb5/module/internal.h

Loading...
View Options

contrib/pam-krb5/module/options.c

Loading...