diff --git a/contrib/pam-krb5/docs/pam_krb5.pod b/contrib/pam-krb5/docs/pam_krb5.pod --- a/contrib/pam-krb5/docs/pam_krb5.pod +++ b/contrib/pam-krb5/docs/pam_krb5.pod @@ -57,12 +57,10 @@ local key and that the PAM module be running as a user that can read the keytab file (normally F. You can point the Kerberos PAM module at a different keytab with the I option. If that keytab -cannot be read or if no keys are found in it, the default (potentially -insecure) behavior is to skip this check. If you want to instead fail -authentication if the obtained tickets cannot be checked, set -C to true in the [libdefaults] section of -F. Note that this will affect applications other than -this PAM module. +cannot be read or if no keys are found in it, the default behavior is to +fail authentication. If you want to skip this check, set the +C option to true either in the [appdefaults] section of +F or in the PAM policy. By default, whenever the user is authenticated, a basic authorization check will also be done using krb5_kuserok(). The default behavior of @@ -218,6 +216,11 @@ =over 4 +=item allow_kdc_spoof + +Allow authentication to succeed even if there is no host or service +key available in a keytab to authenticate the Kerberos KDC's ticket. + =item alt_auth_map= [3.12] This functions similarly to the I option. The diff --git a/contrib/pam-krb5/module/auth.c b/contrib/pam-krb5/module/auth.c --- a/contrib/pam-krb5/module/auth.c +++ b/contrib/pam-krb5/module/auth.c @@ -696,6 +696,12 @@ if (cursor_valid) krb5_kt_end_seq_get(c, keytab, &cursor); } +#ifdef __FreeBSD__ + if (args->config->allow_kdc_spoof) + opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; + else + opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; +#endif /* __FreeBSD__ */ retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts); if (retval != 0) putil_err_krb5(args, retval, "credential verification failed"); diff --git a/contrib/pam-krb5/module/internal.h b/contrib/pam-krb5/module/internal.h --- a/contrib/pam-krb5/module/internal.h +++ b/contrib/pam-krb5/module/internal.h @@ -62,6 +62,9 @@ long minimum_uid; /* Ignore users below this UID. */ bool only_alt_auth; /* Alt principal must be used. */ bool search_k5login; /* Try password with each line of .k5login. */ +#ifdef __FreeBSD__ + bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */ +#endif /* __FreeBSD__ */ /* Kerberos behavior. */ char *fast_ccache; /* Cache containing armor ticket. */ diff --git a/contrib/pam-krb5/module/options.c b/contrib/pam-krb5/module/options.c --- a/contrib/pam-krb5/module/options.c +++ b/contrib/pam-krb5/module/options.c @@ -30,6 +30,9 @@ #define K(name) (#name), offsetof(struct pam_config, name) /* clang-format off */ static const struct option options[] = { +#ifdef __FreeBSD__ + { K(allow_kdc_spoof), true, BOOL (false) }, +#endif /* __FreeBSD__ */ { K(alt_auth_map), true, STRING (NULL) }, { K(anon_fast), true, BOOL (false) }, { K(banner), true, STRING ("Kerberos") },