krb5: Enable PRINC_LOOK_AHEAD in ksu

PRINC_LOOK_AHEAD is the upstream default. Normally ksu determines the
target princiapl by (quoted from the man page)

a. default principal of the source cache

b. target_user@local_realm

c. source_user@local_realm

With PRINC_LOOK_AHEAD emabled, for each candidate in the above
list, select an authorized principal that has the same realm name
and first part of the principal name equal to the prefix of the
candidate. For example if candidate a) is jqpublic@ISI.EDU and
jqpublic/secure@ISI.EDU is authorized to access the target account
then the default principal is set to jqpublic/secure@ISI.EDU.

Case 2: source user is root.

If the target user is non-root then the default principal name
is target_user@local_realm.  Else, if the source cache exists
the default principal name is set to the default principal of
the source cache.  If the source cache does not exist, default
principal name is set to root\@local_realm.

This commit restores the same behaviour as Heimdal ksu.

Reported by:		Dan Mahoney <dmahoney@isc.org>
Requested by:		Dan Mahoney <dmahoney@isc.org>
MFC after:		3 days
MFC to:			15/stable
Differential revision:	 https://reviews.freebsd.org/D52478
This commit is contained in:
Cy Schubert
2025-09-10 13:13:08 -07:00
parent d3f8ed6066
commit b0e7b55a0e
+2 -1
View File
@@ -24,7 +24,8 @@ SRCS= authorization.c \
CFLAGS+=-I${KRB5_DIR}/include \
-I${KRB5_SRCTOP}/include \
-DGET_TGT_VIA_PASSWD
-DGET_TGT_VIA_PASSWD \
-DPRINC_LOOK_AHEAD
MAN= ksu.1