- Update to 1.21.3

* Fix vulnerabilities in GSS message token handling:
    * CVE-2024-37370, bsc#1227186
    * CVE-2024-37371, bsc#1227187
  * Fix a potential bad pointer free in krb5_cccol_have_contents()
  * Fix a memory leak in the macOS ccache type
- Update patch 0009-Fix-three-memory-leaks.patch

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=289

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

0001-ksu-pam-integration.patch

@@ -0,0 +1,776 @@
+From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:29:58 -0400
+Subject: [PATCH 1/8] ksu pam integration
+
+Modify ksu so that it performs account and session management on behalf of
+the target user account, mimicking the action of regular su.  The default
+service name is "ksu", because on Fedora at least the configuration used
+is determined by whether or not a login shell is being opened, and so
+this may need to vary, too.  At run-time, ksu's behavior can be reset to
+the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
+section of /etc/krb5.conf.
+
+When enabled, ksu gains a dependency on libpam.
+
+Originally RT#5939, though it's changed since then to perform the account
+and session management before dropping privileges, and to apply on top of
+changes we're proposing for how it handles cache collections.
+
+Last-updated: krb5-1.18-beta1
+---
+ src/aclocal.m4              |  68 +++++++
+ src/clients/ksu/Makefile.in |   8 +-
+ src/clients/ksu/main.c      |  88 +++++++-
+ src/clients/ksu/pam.c       | 389 ++++++++++++++++++++++++++++++++++++
+ src/clients/ksu/pam.h       |  57 ++++++
+ src/configure.ac            |   2 +
+ 6 files changed, 609 insertions(+), 3 deletions(-)
+ create mode 100644 src/clients/ksu/pam.c
+ create mode 100644 src/clients/ksu/pam.h
+
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
+index 024d6370c..43eed3b87 100644
+--- a/src/aclocal.m4
++++ b/src/aclocal.m4
+@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then
+   OPENLDAP_PLUGIN=yes
+ fi
+ ])dnl
++dnl
++dnl
++dnl Use PAM instead of local crypt() compare for checking local passwords,
++dnl and perform PAM account, session management, and password-changing where
++dnl appropriate.
++dnl
++AC_DEFUN(KRB5_WITH_PAM,[
++AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])],
++	    withpam="$withval",withpam=auto)
++AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
++	    withksupamservice="$withval",withksupamservice=ksu)
++old_LIBS="$LIBS"
++if test "$withpam" != no ; then
++	AC_MSG_RESULT([checking for PAM...])
++	PAM_LIBS=
++
++	AC_CHECK_HEADERS(security/pam_appl.h)
++	if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then
++		if test "$withpam" = auto ; then
++			AC_MSG_RESULT([Unable to locate security/pam_appl.h.])
++			withpam=no
++		else
++			AC_MSG_ERROR([Unable to locate security/pam_appl.h.])
++		fi
++	fi
++
++	LIBS=
++	unset ac_cv_func_pam_start
++	AC_CHECK_FUNCS(putenv pam_start)
++	if test "x$ac_cv_func_pam_start" = xno ; then
++		unset ac_cv_func_pam_start
++		AC_CHECK_LIB(dl,dlopen)
++		AC_CHECK_FUNCS(pam_start)
++		if test "x$ac_cv_func_pam_start" = xno ; then
++			AC_CHECK_LIB(pam,pam_start)
++			unset ac_cv_func_pam_start
++			unset ac_cv_func_pam_getenvlist
++			AC_CHECK_FUNCS(pam_start pam_getenvlist)
++			if test "x$ac_cv_func_pam_start" = xyes ; then
++				PAM_LIBS="$LIBS"
++			else
++				if test "$withpam" = auto ; then
++					AC_MSG_RESULT([Unable to locate libpam.])
++					withpam=no
++				else
++					AC_MSG_ERROR([Unable to locate libpam.])
++				fi
++			fi
++		fi
++	fi
++	if test "$withpam" != no ; then
++		AC_MSG_NOTICE([building with PAM support])
++		AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM])
++		AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
++				   [Define to the name of the PAM service name to be used by ksu.])
++		PAM_LIBS="$LIBS"
++		NON_PAM_MAN=".\\\" "
++		PAM_MAN=
++	else
++		PAM_MAN=".\\\" "
++		NON_PAM_MAN=
++	fi
++fi
++LIBS="$old_LIBS"
++AC_SUBST(PAM_LIBS)
++AC_SUBST(PAM_MAN)
++AC_SUBST(NON_PAM_MAN)
++])dnl
+diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
+index 8b4edce4d..9d58f29b5 100644
+--- a/src/clients/ksu/Makefile.in
++++ b/src/clients/ksu/Makefile.in
+@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
+ DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
+ 
+ KSU_LIBS=@KSU_LIBS@
++PAM_LIBS=@PAM_LIBS@
+ 
+ SRCS = \
+ 	$(srcdir)/krb_auth_su.c \
+ 	$(srcdir)/ccache.c \
+ 	$(srcdir)/authorization.c \
+ 	$(srcdir)/main.c \
++	$(srcdir)/pam.c \
+ 	$(srcdir)/heuristic.c \
+ 	$(srcdir)/xmalloc.c \
+ 	$(srcdir)/setenv.c
+@@ -17,13 +19,17 @@ OBJS = \
+ 	ccache.o \
+ 	authorization.o \
+ 	main.o \
++	pam.o \
+ 	heuristic.o \
+ 	xmalloc.o @SETENVOBJ@
+ 
+ all: ksu
+ 
+ ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
+-	$(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
++	$(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
++
++pam.o: pam.c
++	$(CC) $(ALL_CFLAGS) -c $<
+ 
+ clean:
+ 	$(RM) ksu
+diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
+index af1286172..931f05404 100644
+--- a/src/clients/ksu/main.c
++++ b/src/clients/ksu/main.c
+@@ -26,6 +26,7 @@
+  * KSU was written by:  Ari Medvinsky, ari@isi.edu
+  */
+ 
++#include "autoconf.h"
+ #include "ksu.h"
+ #include "adm_proto.h"
+ #include <sys/types.h>
+@@ -33,6 +34,10 @@
+ #include <signal.h>
+ #include <grp.h>
+ 
++#ifdef USE_PAM
++#include "pam.h"
++#endif
++
+ /* globals */
+ char * prog_name;
+ int auth_debug =0;
+@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN];
+ char k5users_path[MAXPATHLEN];
+ char * gb_err = NULL;
+ int quiet = 0;
++int force_fork = 0;
+ /***********/
+ 
+ #define KS_TEMPORARY_CACHE "MEMORY:_ksu"
+@@ -536,6 +542,23 @@ main (argc, argv)
+                prog_name,target_user,client_name,
+                source_user,ontty());
+ 
++#ifdef USE_PAM
++        if (appl_pam_enabled(ksu_context, "ksu")) {
++            if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
++                                   NULL, source_user,
++                                   ttyname(STDERR_FILENO)) != 0) {
++                fprintf(stderr, "Access denied for %s.\n", target_user);
++                exit(1);
++            }
++            if (appl_pam_requires_chauthtok()) {
++                fprintf(stderr, "Password change required for %s.\n",
++                        target_user);
++                exit(1);
++            }
++            force_fork++;
++        }
++#endif
++
+         /* Run authorization as target.*/
+         if (krb5_seteuid(target_uid)) {
+             com_err(prog_name, errno, _("while switching to target for "
+@@ -596,6 +619,24 @@ main (argc, argv)
+ 
+             exit(1);
+         }
++#ifdef USE_PAM
++    } else {
++        /* we always do PAM account management, even for root */
++        if (appl_pam_enabled(ksu_context, "ksu")) {
++            if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
++                                   NULL, source_user,
++                                   ttyname(STDERR_FILENO)) != 0) {
++                fprintf(stderr, "Access denied for %s.\n", target_user);
++                exit(1);
++            }
++            if (appl_pam_requires_chauthtok()) {
++                fprintf(stderr, "Password change required for %s.\n",
++                        target_user);
++                exit(1);
++            }
++            force_fork++;
++        }
++#endif
+     }
+ 
+     if( some_rest_copy){
+@@ -653,6 +694,30 @@ main (argc, argv)
+         exit(1);
+     }
+ 
++#ifdef USE_PAM
++    if (appl_pam_enabled(ksu_context, "ksu")) {
++        if (appl_pam_session_open() != 0) {
++            fprintf(stderr, "Error opening session for %s.\n", target_user);
++            exit(1);
++        }
++#ifdef DEBUG
++        if (auth_debug){
++            printf(" Opened PAM session.\n");
++        }
++#endif
++        if (appl_pam_cred_init()) {
++            fprintf(stderr, "Error initializing credentials for %s.\n",
++                    target_user);
++            exit(1);
++        }
++#ifdef DEBUG
++        if (auth_debug){
++            printf(" Initialized PAM credentials.\n");
++        }
++#endif
++    }
++#endif
++
+     /* set permissions */
+     if (setgid(target_pwd->pw_gid) < 0) {
+         perror("ksu: setgid");
+@@ -750,7 +815,7 @@ main (argc, argv)
+         fprintf(stderr, "program to be execed %s\n",params[0]);
+     }
+ 
+-    if( keep_target_cache ) {
++    if( keep_target_cache && !force_fork ) {
+         execv(params[0], params);
+         com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
+         sweep_up(ksu_context, cc_target);
+@@ -780,16 +845,35 @@ main (argc, argv)
+             if (ret_pid == -1) {
+                 com_err(prog_name, errno, _("while calling waitpid"));
+             }
+-            sweep_up(ksu_context, cc_target);
++            if( !keep_target_cache ) {
++                sweep_up(ksu_context, cc_target);
++            }
+             exit (statusp);
+         case -1:
+             com_err(prog_name, errno, _("while trying to fork."));
+             sweep_up(ksu_context, cc_target);
+             exit (1);
+         case 0:
++#ifdef USE_PAM
++            if (appl_pam_enabled(ksu_context, "ksu")) {
++                if (appl_pam_setenv() != 0) {
++                    fprintf(stderr, "Error setting up environment for %s.\n",
++                            target_user);
++                    exit (1);
++                }
++#ifdef DEBUG
++                if (auth_debug){
++                    printf(" Set up PAM environment.\n");
++                }
++#endif
++            }
++#endif
+             execv(params[0], params);
+             com_err(prog_name, errno, _("while trying to execv %s"),
+                     params[0]);
++            if( keep_target_cache ) {
++                sweep_up(ksu_context, cc_target);
++            }
+             exit (1);
+         }
+     }
+diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
+new file mode 100644
+index 000000000..eb5d03bbf
+--- /dev/null
++++ b/src/clients/ksu/pam.c
+@@ -0,0 +1,389 @@
++/*
++ * src/clients/ksu/pam.c
++ *
++ * Copyright 2007,2009,2010 Red Hat, Inc.
++ *
++ * All Rights Reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ *
++ *  Redistributions of source code must retain the above copyright notice, this
++ *  list of conditions and the following disclaimer.
++ *
++ *  Redistributions in binary form must reproduce the above copyright notice,
++ *  this list of conditions and the following disclaimer in the documentation
++ *  and/or other materials provided with the distribution.
++ *
++ *  Neither the name of Red Hat, Inc. nor the names of its contributors may be
++ *  used to endorse or promote products derived from this software without
++ *  specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGE.
++ *
++ * Convenience wrappers for using PAM.
++ */
++
++#include "autoconf.h"
++#ifdef USE_PAM
++#include <sys/types.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include "k5-int.h"
++#include "pam.h"
++
++#ifndef MAXPWSIZE
++#define MAXPWSIZE 128
++#endif
++
++static int appl_pam_started;
++static pid_t appl_pam_starter = -1;
++static int appl_pam_session_opened;
++static int appl_pam_creds_initialized;
++static int appl_pam_pwchange_required;
++static pam_handle_t *appl_pamh;
++static struct pam_conv appl_pam_conv;
++static char *appl_pam_user;
++struct appl_pam_non_interactive_args {
++	const char *user;
++	const char *password;
++};
++
++int
++appl_pam_enabled(krb5_context context, const char *section)
++{
++	int enabled = 1;
++	if ((context != NULL) && (context->profile != NULL)) {
++		if (profile_get_boolean(context->profile,
++					section,
++					USE_PAM_CONFIGURATION_KEYWORD,
++					NULL,
++					enabled, &enabled) != 0) {
++			enabled = 1;
++		}
++	}
++	return enabled;
++}
++
++void
++appl_pam_cleanup(void)
++{
++	if (getpid() != appl_pam_starter) {
++		return;
++	}
++#ifdef DEBUG
++	printf("Called to clean up PAM.\n");
++#endif
++	if (appl_pam_creds_initialized) {
++#ifdef DEBUG
++		printf("Deleting PAM credentials.\n");
++#endif
++		pam_setcred(appl_pamh, PAM_DELETE_CRED);
++		appl_pam_creds_initialized = 0;
++	}
++	if (appl_pam_session_opened) {
++#ifdef DEBUG
++		printf("Closing PAM session.\n");
++#endif
++		pam_close_session(appl_pamh, 0);
++		appl_pam_session_opened = 0;
++	}
++	appl_pam_pwchange_required = 0;
++	if (appl_pam_started) {
++#ifdef DEBUG
++		printf("Shutting down PAM.\n");
++#endif
++		pam_end(appl_pamh, 0);
++		appl_pam_started = 0;
++		appl_pam_starter = -1;
++		free(appl_pam_user);
++		appl_pam_user = NULL;
++	}
++}
++static int
++appl_pam_interactive_converse(int num_msg, const struct pam_message **msg,
++			      struct pam_response **presp, void *appdata_ptr)
++{
++	const struct pam_message *message;
++	struct pam_response *resp;
++	int i, code;
++	char *pwstring, pwbuf[MAXPWSIZE];
++	unsigned int pwsize;
++	resp = malloc(sizeof(struct pam_response) * num_msg);
++	if (resp == NULL) {
++		return PAM_BUF_ERR;
++	}
++	memset(resp, 0, sizeof(struct pam_response) * num_msg);
++	code = PAM_SUCCESS;
++	for (i = 0; i < num_msg; i++) {
++		message = &(msg[0][i]); /* XXX */
++		message = msg[i]; /* XXX */
++		pwstring = NULL;
++		switch (message->msg_style) {
++		case PAM_TEXT_INFO:
++		case PAM_ERROR_MSG:
++			printf("[%s]\n", message->msg ? message->msg : "");
++			fflush(stdout);
++			resp[i].resp = NULL;
++			resp[i].resp_retcode = PAM_SUCCESS;
++			break;
++		case PAM_PROMPT_ECHO_ON:
++		case PAM_PROMPT_ECHO_OFF:
++			if (message->msg_style == PAM_PROMPT_ECHO_ON) {
++				if (fgets(pwbuf, sizeof(pwbuf),
++					  stdin) != NULL) {
++					pwbuf[strcspn(pwbuf, "\r\n")] = '\0';
++					pwstring = pwbuf;
++				}
++			} else {
++				pwstring = getpass(message->msg ?
++						   message->msg :
++						   "");
++			}
++			if ((pwstring != NULL) && (pwstring[0] != '\0')) {
++				pwsize = strlen(pwstring);
++				resp[i].resp = malloc(pwsize + 1);
++				if (resp[i].resp == NULL) {
++					resp[i].resp_retcode = PAM_BUF_ERR;
++				} else {
++					memcpy(resp[i].resp, pwstring, pwsize);
++					resp[i].resp[pwsize] = '\0';
++					resp[i].resp_retcode = PAM_SUCCESS;
++				}
++			} else {
++				resp[i].resp_retcode = PAM_CONV_ERR;
++				code = PAM_CONV_ERR;
++			}
++			break;
++		default:
++			break;
++		}
++	}
++	*presp = resp;
++	return code;
++}
++static int
++appl_pam_non_interactive_converse(int num_msg,
++				  const struct pam_message **msg,
++				  struct pam_response **presp,
++				  void *appdata_ptr)
++{
++	const struct pam_message *message;
++	struct pam_response *resp;
++	int i, code;
++	unsigned int pwsize;
++	struct appl_pam_non_interactive_args *args;
++	const char *pwstring;
++	resp = malloc(sizeof(struct pam_response) * num_msg);
++	if (resp == NULL) {
++		return PAM_BUF_ERR;
++	}
++	args = appdata_ptr;
++	memset(resp, 0, sizeof(struct pam_response) * num_msg);
++	code = PAM_SUCCESS;
++	for (i = 0; i < num_msg; i++) {
++		message = &((*msg)[i]);
++		message = msg[i];
++		pwstring = NULL;
++		switch (message->msg_style) {
++		case PAM_TEXT_INFO:
++		case PAM_ERROR_MSG:
++			break;
++		case PAM_PROMPT_ECHO_ON:
++		case PAM_PROMPT_ECHO_OFF:
++			if (message->msg_style == PAM_PROMPT_ECHO_ON) {
++				/* assume "user" */
++				pwstring = args->user;
++			} else {
++				/* assume "password" */
++				pwstring = args->password;
++			}
++			if ((pwstring != NULL) && (pwstring[0] != '\0')) {
++				pwsize = strlen(pwstring);
++				resp[i].resp = malloc(pwsize + 1);
++				if (resp[i].resp == NULL) {
++					resp[i].resp_retcode = PAM_BUF_ERR;
++				} else {
++					memcpy(resp[i].resp, pwstring, pwsize);
++					resp[i].resp[pwsize] = '\0';
++					resp[i].resp_retcode = PAM_SUCCESS;
++				}
++			} else {
++				resp[i].resp_retcode = PAM_CONV_ERR;
++				code = PAM_CONV_ERR;
++			}
++			break;
++		default:
++			break;
++		}
++	}
++	*presp = resp;
++	return code;
++}
++static int
++appl_pam_start(const char *service, int interactive,
++	       const char *login_username,
++	       const char *non_interactive_password,
++	       const char *hostname,
++	       const char *ruser,
++	       const char *tty)
++{
++	static int exit_handler_registered;
++	static struct appl_pam_non_interactive_args args;
++	int ret = 0;
++	if (appl_pam_started &&
++	    (strcmp(login_username, appl_pam_user) != 0)) {
++		appl_pam_cleanup();
++		appl_pam_user = NULL;
++	}
++	if (!appl_pam_started) {
++#ifdef DEBUG
++		printf("Starting PAM up (service=\"%s\",user=\"%s\").\n",
++		       service, login_username);
++#endif
++		memset(&appl_pam_conv, 0, sizeof(appl_pam_conv));
++		appl_pam_conv.conv = interactive ?
++				     &appl_pam_interactive_converse :
++				     &appl_pam_non_interactive_converse;
++		memset(&args, 0, sizeof(args));
++		args.user = strdup(login_username);
++		args.password = non_interactive_password ?
++				strdup(non_interactive_password) :
++				NULL;
++		appl_pam_conv.appdata_ptr = &args;
++		ret = pam_start(service, login_username,
++				&appl_pam_conv, &appl_pamh);
++		if (ret == 0) {
++			if (hostname != NULL) {
++#ifdef DEBUG
++				printf("Setting PAM_RHOST to \"%s\".\n", hostname);
++#endif
++				pam_set_item(appl_pamh, PAM_RHOST, hostname);
++			}
++			if (ruser != NULL) {
++#ifdef DEBUG
++				printf("Setting PAM_RUSER to \"%s\".\n", ruser);
++#endif
++				pam_set_item(appl_pamh, PAM_RUSER, ruser);
++			}
++			if (tty != NULL) {
++#ifdef DEBUG
++				printf("Setting PAM_TTY to \"%s\".\n", tty);
++#endif
++				pam_set_item(appl_pamh, PAM_TTY, tty);
++			}
++			if (!exit_handler_registered &&
++			    (atexit(appl_pam_cleanup) != 0)) {
++				pam_end(appl_pamh, 0);
++				appl_pamh = NULL;
++				ret = -1;
++			} else {
++				appl_pam_started = 1;
++				appl_pam_starter = getpid();
++				appl_pam_user = strdup(login_username);
++				exit_handler_registered = 1;
++			}
++		}
++	}
++	return ret;
++}
++int
++appl_pam_acct_mgmt(const char *service, int interactive,
++		   const char *login_username,
++		   const char *non_interactive_password,
++		   const char *hostname,
++		   const char *ruser,
++		   const char *tty)
++{
++	int ret;
++	appl_pam_pwchange_required = 0;
++	ret = appl_pam_start(service, interactive, login_username,
++			     non_interactive_password, hostname, ruser, tty);
++	if (ret == 0) {
++#ifdef DEBUG
++		printf("Calling pam_acct_mgmt().\n");
++#endif
++		ret = pam_acct_mgmt(appl_pamh, 0);
++		switch (ret) {
++		case PAM_IGNORE:
++			ret = 0;
++			break;
++		case PAM_NEW_AUTHTOK_REQD:
++			appl_pam_pwchange_required = 1;
++			ret = 0;
++			break;
++		default:
++			break;
++		}
++	}
++	return ret;
++}
++int
++appl_pam_requires_chauthtok(void)
++{
++	return appl_pam_pwchange_required;
++}
++int
++appl_pam_session_open(void)
++{
++	int ret = 0;
++	if (appl_pam_started) {
++#ifdef DEBUG
++		printf("Opening PAM session.\n");
++#endif
++		ret = pam_open_session(appl_pamh, 0);
++		if (ret == 0) {
++			appl_pam_session_opened = 1;
++		}
++	}
++	return ret;
++}
++int
++appl_pam_setenv(void)
++{
++	int ret = 0;
++#ifdef HAVE_PAM_GETENVLIST
++#ifdef HAVE_PUTENV
++	int i;
++	char **list;
++	if (appl_pam_started) {
++		list = pam_getenvlist(appl_pamh);
++		for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
++#ifdef DEBUG
++			printf("Setting \"%s\" in environment.\n", list[i]);
++#endif
++			putenv(list[i]);
++		}
++	}
++#endif
++#endif
++	return ret;
++}
++int
++appl_pam_cred_init(void)
++{
++	int ret = 0;
++	if (appl_pam_started) {
++#ifdef DEBUG
++		printf("Initializing PAM credentials.\n");
++#endif
++		ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED);
++		if (ret == 0) {
++			appl_pam_creds_initialized = 1;
++		}
++	}
++	return ret;
++}
++#endif
+diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
+new file mode 100644
+index 000000000..d45b9fd84
+--- /dev/null
++++ b/src/clients/ksu/pam.h
+@@ -0,0 +1,57 @@
++/*
++ * src/clients/ksu/pam.h
++ *
++ * Copyright 2007,2009,2010 Red Hat, Inc.
++ *
++ * All Rights Reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ *
++ *  Redistributions of source code must retain the above copyright notice, this
++ *  list of conditions and the following disclaimer.
++ *
++ *  Redistributions in binary form must reproduce the above copyright notice,
++ *  this list of conditions and the following disclaimer in the documentation
++ *  and/or other materials provided with the distribution.
++ *
++ *  Neither the name of Red Hat, Inc. nor the names of its contributors may be
++ *  used to endorse or promote products derived from this software without
++ *  specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGE.
++ *
++ * Convenience wrappers for using PAM.
++ */
++
++#include <krb5.h>
++#ifdef HAVE_SECURITY_PAM_APPL_H
++#include <security/pam_appl.h>
++#endif
++
++#define USE_PAM_CONFIGURATION_KEYWORD "use_pam"
++
++#ifdef USE_PAM
++int appl_pam_enabled(krb5_context context, const char *section);
++int appl_pam_acct_mgmt(const char *service, int interactive,
++		       const char *local_username,
++		       const char *non_interactive_password,
++		       const char *hostname,
++		       const char *ruser,
++		       const char *tty);
++int appl_pam_requires_chauthtok(void);
++int appl_pam_session_open(void);
++int appl_pam_setenv(void);
++int appl_pam_cred_init(void);
++void appl_pam_cleanup(void);
++#endif
+diff --git a/src/configure.ac b/src/configure.ac
+index 4eb080784..693f76a81 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION])
+ 
+ AC_PATH_PROG(GROFF, groff)
+ 
++KRB5_WITH_PAM
++
+ # Make localedir work in autoconf 2.5x.
+ if test "${localedir+set}" != set; then
+     localedir='$(datadir)/locale'
+-- 
+2.30.0
+

0002-krb5-1.9-manpaths.patch

@@ -0,0 +1,28 @@
+From 852d6a0d81b21673bdcb80ff13bf60dd5a416dd4 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:06:55 +0100
+Subject: [PATCH 2/8] krb5-1.9-manpaths
+
+Import krb5-1.9-manpaths.dif
+
+Change the absolute paths included in the man pages so that the correct
+values can be dropped in by config.status.  After applying this patch,
+these files should be renamed to their ".in" counterparts, and then the
+configure scripts should be rebuilt.  Originally RT#6525
+---
+ src/man/kpropd.man | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: krb5-1.19.3/src/man/kpropd.man
+===================================================================
+--- krb5-1.19.3.orig/src/man/kpropd.man
++++ krb5-1.19.3/src/man/kpropd.man
+@@ -68,7 +68,7 @@ the \fB/etc/inetd.conf\fP file which loo
+ .sp
+ .nf
+ .ft C
+-kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd
++kprop  stream  tcp  nowait  root  @SBINDIR@/kpropd  kpropd
+ .ft P
+ .fi
+ .UNINDENT

0003-Adjust-build-configuration.patch

@@ -0,0 +1,72 @@
+From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:45:26 -0400
+Subject: [PATCH 3/8] Adjust build configuration
+
+Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
+and install shared libraries with the execute bit set on them.  Prune out
+the -L/usr/lib* and PIE flags where they might leak out and affect
+apps which just want to link with the libraries. FIXME: needs to check and
+not just assume that the compiler supports using these flags.
+
+Last-updated: krb5-1.15-beta1
+---
+ src/build-tools/krb5-config.in | 7 +++++++
+ src/config/pre.in              | 2 +-
+ src/config/shlib.conf          | 5 +++--
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+Index: krb5-1.19.3/src/build-tools/krb5-config.in
+===================================================================
+--- krb5-1.19.3.orig/src/build-tools/krb5-config.in
++++ krb5-1.19.3/src/build-tools/krb5-config.in
+@@ -224,6 +224,13 @@ if test -n "$do_libs"; then
+ 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+ 	    -e 's#\$(CFLAGS)##'`
+ 
++    if test `dirname $libdir` = /usr ; then
++        lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
++    fi
++    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
++    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
++    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
++
+     if test $library = 'kdb'; then
+ 	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
+ 	library=krb5
+Index: krb5-1.19.3/src/config/pre.in
+===================================================================
+--- krb5-1.19.3.orig/src/config/pre.in
++++ krb5-1.19.3/src/config/pre.in
+@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
+ INSTALL_SCRIPT=@INSTALL_PROGRAM@
+ INSTALL_DATA=@INSTALL_DATA@
+ INSTALL_SHLIB=@INSTALL_SHLIB@
+-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
++INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
+ ## This is needed because autoconf will sometimes define @exec_prefix@ to be
+ ## ${prefix}.
+ prefix=@prefix@
+Index: krb5-1.19.3/src/config/shlib.conf
+===================================================================
+--- krb5-1.19.3.orig/src/config/shlib.conf
++++ krb5-1.19.3/src/config/shlib.conf
+@@ -424,7 +424,7 @@ mips-*-netbsd*)
+ 	# Linux ld doesn't default to stuffing the SONAME field...
+ 	# Use objdump -x to examine the fields of the library
+ 	# UNDEF_CHECK is suppressed by --enable-asan
+-	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
++	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)  -Wl,-z,relro -Wl,--warn-shared-textrel'
+ 	UNDEF_CHECK='-Wl,--no-undefined'
+ 	# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
+ 	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
+@@ -436,7 +436,8 @@ mips-*-netbsd*)
+ 	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ 	PROFFLAGS=-pg
+ 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+-	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
++	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
++	INSTALL_SHLIB='${INSTALL} -m755'
+ 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
+ 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
+ 	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'

0004-krb5-1.6.3-gssapi_improve_errormessages.patch

@@ -0,0 +1,26 @@
+From c1b8aa3d8546453544fd659ef18b96709eb88e54 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:09:05 +0100
+Subject: [PATCH 4/8] krb5-1.6.3-gssapi_improve_errormessages
+
+Import krb5-1.6.3-gssapi_improve_errormessages.dif
+---
+ src/lib/gssapi/generic/disp_com_err_status.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c
+index bc416107e..22612f970 100644
+--- a/src/lib/gssapi/generic/disp_com_err_status.c
++++ b/src/lib/gssapi/generic/disp_com_err_status.c
+@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value,
+     status_string->value = NULL;
+ 
+     if (! g_make_string_buffer(((status_value == 0)?no_error:
+-                                error_message(status_value)),
++                                error_message((long)status_value)),
+                                status_string)) {
+         *minor_status = ENOMEM;
+         return(GSS_S_FAILURE);
+-- 
+2.25.0
+

0005-krb5-1.6.3-ktutil-manpage.patch

@@ -0,0 +1,33 @@
+From 2a5b2877495384bbe5db8f3b66ac342f83cd45dc Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:14:47 +0100
+Subject: [PATCH 5/8] krb5-1.6.3-ktutil-manpage
+
+Import krb5-1.6.3-ktutil-manpage.dif
+---
+ src/man/ktutil.man | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+Index: krb5-1.19.3/src/man/ktutil.man
+===================================================================
+--- krb5-1.19.3.orig/src/man/ktutil.man
++++ krb5-1.19.3/src/man/ktutil.man
+@@ -153,6 +153,18 @@ ktutil:
+ .sp
+ See kerberos(7) for a description of Kerberos environment
+ variables.
++.SH REMARKS
++Changes to the keytab are appended to the keytab file (i.e., the keytab file
++is never overwritten).  To directly modify a keytab, save the changes to a
++temporary file and then overwrite the keytab file of interest.
++.TP
++.nf
++Example:
++ktutil> rkt /etc/krb5.keytab
++(modifications to keytab)
++ktutil> wkt /tmp/krb5.newtab
++ktutil> q
++# mv /tmp/krb5.newtab /etc/krb5.keytab
+ .SH SEE ALSO
+ .sp
+ kadmin(1), kdb5_util(8), kerberos(7)

0006-krb5-1.12-api.patch

@@ -0,0 +1,42 @@
+From b8544a75b273008042fadf51f0b49c00617ff275 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:15:50 +0100
+Subject: [PATCH 6/8] krb5-1.12-api
+
+Import krb5-1.12-api.patch
+
+Reference docs don't define what happens if you call krb5_realm_compare() with
+malformed krb5_principal structures.  Define a behavior which keeps it from
+crashing if applications don't check ahead of time.
+---
+ src/lib/krb5/krb/princ_comp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
+index a6936107d..0ed78833b 100644
+--- a/src/lib/krb5/krb/princ_comp.c
++++ b/src/lib/krb5/krb/princ_comp.c
+@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
+     const krb5_data *realm1 = &princ1->realm;
+     const krb5_data *realm2 = &princ2->realm;
+ 
++    if (princ1 == NULL || princ2 == NULL)
++        return FALSE;
++    if (realm1 == NULL || realm2 == NULL)
++        return FALSE;
+     if (realm1->length != realm2->length)
+         return FALSE;
+     if (realm1->length == 0)
+@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
+     krb5_principal upn2 = NULL;
+     krb5_boolean ret = FALSE;
+ 
++    if (princ1 == NULL || princ2 == NULL)
++        return FALSE;
++
+     if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
+         /* Treat UPNs as if they were real principals */
+         if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+-- 
+2.25.0
+

0008-krb5-1.9-debuginfo.patch

@@ -0,0 +1,44 @@
+From f079a7f765dc76eb01ba80fb7214ee0d25116e59 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:18:16 +0100
+Subject: [PATCH 8/8] krb5-1.9-debuginfo
+
+Import krb5-1.9-debuginfo.patch
+
+We want to keep these y.tab.c files around because the debuginfo points to
+them.  It would be more elegant at the end to use symbolic links, but that
+could mess up people working in the tree on other things.
+---
+ src/kadmin/cli/Makefile.in                 | 5 +++++
+ src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
+index adfea6e2b..8e89cf03b 100644
+--- a/src/kadmin/cli/Makefile.in
++++ b/src/kadmin/cli/Makefile.in
+@@ -37,3 +37,8 @@ clean-unix::
+ # CC_LINK is not meant for compilation and this use may break in the future.
+ datetest: getdate.c
+ 	$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
++
++%.c: %.y
++	$(RM) y.tab.c $@
++	$(YACC.y) $<
++	$(CP) y.tab.c $@
+diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+index 8669c2436..a22f23c02 100644
+--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
+ getdate.c: $(GETDATE)
+ 	$(RM) getdate.c y.tab.c
+ 	$(YACC) $(GETDATE)
+-	$(MV) y.tab.c getdate.c
++	$(CP) y.tab.c getdate.c
+ 
+ install:
+ 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+-- 
+2.25.0
+

0009-Fix-three-memory-leaks.patch

@@ -0,0 +1,205 @@
+From 489deee29f427f22e2a26de729319bdb70819c37 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Tue, 5 Mar 2024 19:53:07 -0500
+Subject: [PATCH 2/2] Fix two unlikely memory leaks
+
+In gss_krb5int_make_seal_token_v3(), one of the bounds checks (which
+could probably never be triggered) leaks plain.data.  Fix this leak
+and use current practices for cleanup throughout the function.
+
+In xmt_rmtcallres() (unused within the tree and likely elsewhere),
+store port_ptr into crp->port_ptr as soon as it is allocated;
+otherwise it could leak if the subsequent xdr_u_int32() operation
+fails.
+
+(cherry picked from commit c5f9c816107f70139de11b38aa02db2f1774ee0d)
+---
+ src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
+ src/lib/rpc/pmap_rmt.c         |  9 +++---
+ 2 files changed, 29 insertions(+), 36 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
+index 3b4f8cb837..e881eee835 100644
+--- a/src/lib/gssapi/krb5/k5sealv3.c
++++ b/src/lib/gssapi/krb5/k5sealv3.c
+@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+                                 int conf_req_flag, int toktype)
+ {
+     size_t bufsize = 16;
+-    unsigned char *outbuf = 0;
++    unsigned char *outbuf = NULL;
+     krb5_error_code err;
+     int key_usage;
+     unsigned char acceptor_flag;
+@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+     size_t ec;
+     unsigned short tok_id;
+-    krb5_checksum sum;
++    krb5_checksum sum = { 0 };
+     krb5_key key;
+     krb5_cksumtype cksumtype;
++    krb5_data plain = empty_data();
++
++    token->value = NULL;
++    token->length = 0;
+ 
+     acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
+     key_usage = (toktype == KG_TOK_WRAP_MSG
+@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+ 
+     if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
+-        krb5_data plain;
+         krb5_enc_data cipher;
+         size_t ec_max;
+         size_t encrypt_size;
+ 
+         /* 300: Adds some slop.  */
+-        if (SIZE_MAX - 300 < message->length)
+-            return ENOMEM;
++        if (SIZE_MAX - 300 < message->length) {
++            err = ENOMEM;
++            goto cleanup;
++        }
+         ec_max = SIZE_MAX - message->length - 300;
+         if (ec_max > 0xffff)
+             ec_max = 0xffff;
+@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+         err = alloc_data(&plain, message->length + 16 + ec);
+         if (err)
+-            return err;
++            goto cleanup;
+ 
+         /* Get size of ciphertext.  */
+         encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
+         if (encrypt_size > SIZE_MAX / 2) {
+             err = ENOMEM;
+-            goto error;
++            goto cleanup;
+         }
+         bufsize = 16 + encrypt_size;
+         /* Allocate space for header plus encrypted data.  */
+         outbuf = gssalloc_malloc(bufsize);
+         if (outbuf == NULL) {
+-            free(plain.data);
+-            return ENOMEM;
++            err = ENOMEM;
++            goto cleanup;
+         }
+ 
+         /* TOK_ID */
+@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         cipher.ciphertext.length = bufsize - 16;
+         cipher.enctype = key->keyblock.enctype;
+         err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
+-        zap(plain.data, plain.length);
+-        free(plain.data);
+-        plain.data = 0;
+         if (err)
+-            goto error;
++            goto cleanup;
+ 
+         /* Now that we know we're returning a valid token....  */
+         ctx->seq_send++;
+@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         /* If the rotate fails, don't worry about it.  */
+ #endif
+     } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
+-        krb5_data plain;
+         size_t cksumsize;
+ 
+         /* Here, message is the application-supplied data; message2 is
+@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+     wrap_with_checksum:
+         err = alloc_data(&plain, message->length + 16);
+         if (err)
+-            return err;
++            goto cleanup;
+ 
+         err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
+         if (err)
+-            goto error;
++            goto cleanup;
+ 
+         assert(cksumsize <= 0xffff);
+ 
+         bufsize = 16 + message2->length + cksumsize;
+         outbuf = gssalloc_malloc(bufsize);
+         if (outbuf == NULL) {
+-            free(plain.data);
+-            plain.data = 0;
+             err = ENOMEM;
+-            goto error;
++            goto cleanup;
+         }
+ 
+         /* TOK_ID */
+@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         if (message2->length)
+             memcpy(outbuf + 16, message2->value, message2->length);
+ 
+-        sum.contents = outbuf + 16 + message2->length;
+-        sum.length = cksumsize;
+-
+         err = krb5_k_make_checksum(context, cksumtype, key,
+                                    key_usage, &plain, &sum);
+-        zap(plain.data, plain.length);
+-        free(plain.data);
+-        plain.data = 0;
+         if (err) {
+             zap(outbuf,bufsize);
+-            goto error;
++            goto cleanup;
+         }
+         if (sum.length != cksumsize)
+             abort();
+         memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
+-        krb5_free_checksum_contents(context, &sum);
+-        sum.contents = 0;
+         /* Now that we know we're actually generating the token...  */
+         ctx->seq_send++;
+ 
+@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ 
+     token->value = outbuf;
+     token->length = bufsize;
+-    return 0;
++    outbuf = NULL;
++    err = 0;
+ 
+-error:
++cleanup:
++    krb5_free_checksum_contents(context, &sum);
++    zapfree(plain.data, plain.length);
+     gssalloc_free(outbuf);
+-    token->value = NULL;
+-    token->length = 0;
+     return err;
+ }
+ 
+diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
+index 8c7e30c21a..0748af34a7 100644
+--- a/src/lib/rpc/pmap_rmt.c
++++ b/src/lib/rpc/pmap_rmt.c
+@@ -160,11 +160,12 @@ xdr_rmtcallres(
+ 	caddr_t port_ptr;
+ 
+ 	port_ptr = (caddr_t)(void *)crp->port_ptr;
+-	if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+-	    xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
+-		crp->port_ptr = (uint32_t *)(void *)port_ptr;
++	if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
++			   (xdrproc_t)xdr_u_int32))
++		return (FALSE);
++	crp->port_ptr = (uint32_t *)(void *)port_ptr;
++	if (xdr_u_int32(xdrs, &crp->resultslen))
+ 		return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
+-	}
+ 	return (FALSE);
+ }
+ 
+-- 
+2.44.0
+

_multibuild

@@ -0,0 +1,4 @@
+<multibuild>
+  <package>krb5-mini</package>
+</multibuild>
+

baselibs.conf

@@ -0,0 +1,4 @@
+krb5
+  obsoletes "heimdal-lib-<targettype>"
+  provides  "heimdal-lib-<targettype>"
+krb5-devel

krb5-1.21.2.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmTbET4ACgkQDLoIV1+D
+ct8zBQ/+LugwKy9Y9b3lVaLxPM/qxntLi4Bq5C2GVQ+bED7YCvUiL8aIzJbuTVpf
+GLWLtVuf6vxKz2V17JKOluVMqRDBZDexHZv9EvVjhanqMpvV32tSa60HF4e7lER+
+3iP/bIjSi2U9ixOcNICNnK2DeFGY601C1KT4cLs3H76pfb1miPItm7p79UNicz1o
+V6KgG0J5F4ktYiTonb0TXYdCAvY/3ROEYwmmRpCjtkBCzTdr9tVXU0n6Yc0wsfBD
+AXkyqlUhisMWxqGrLZMnkIx3LA83nMHG8nY/doqOYzKuE9a4cBe69+Bl6e9NRY7G
+ysD2J1cZ2imCYoalUcxrLfnd3fwPpcrlnuwH5DKJtcJGEUNwydjyWZeMl87pbhb1
+lOggcn8DL6l3vqBpkTBE4IQw3s+B1+BylpjXBsvzxGYHerpffIqsHzHywguiJutT
+bkP5ktjZ0QHAZ6PYA6NleGjPbBg/Jeywg1Mjrx+2IdBAYnS0KtTSa72Zqqb8eGmQ
+iCVpy9gK7zX7UCLm33M6HVtC9ffJ4vajcShk25u8uKuomTQgK3lGoN0wX55OE+sO
+AkMSuFxPNsNheMI53Zjutc4NzEscy09G8VxHwGqcEwD+NF7+2GpPuOq9ot9nH+Jd
+xoVYjhqxeb5Uq6lgp0B8sILLqwg1+gEXWdA+rR5Tx+ykv8HESxg=
+=aMVp
+-----END PGP SIGNATURE-----

krb5-1.21.3.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmZ8eHkACgkQDLoIV1+D
+ct//gw//bmvy6zXbKL6epNaExVgRdqzfQWm6WqeyGNxg59BQyJwsRsArsQRbSTZl
+uUExbV4HDTI/SemnYT8MfNOUtGZBCcAMYUr79Zmwi9S2pc30ZHIGcOf5E7HvIj6y
+ZZUvddoxWvxpruCuJHb9dP4ZUPE0iU2rJnLsXR/H4E574WlrWBjXu3gimLen7+yg
+aCLxIvw6lk4f/X8l+aqbK+haWHwMnca+kWSPbmL2iblHVqmoJVEmWhy7/9WjiT5S
+5HhDJIObO2qn1pbE1ZTQqfGOfFgOUVxTl2myMxX1RXEDVFzdLDdnoUJRt4o4GG27
+Y0WfLtmN6NisVF91dkl2+F7js+xVI3m9uZnpeccKO2Uq6BQRrfOMWUAHVKMUJZjh
+h0GMeTzOhw7qGKitAiuhauyDMMTgMx78bC0DpLYtq24fp7BSvD0jNZnfjUXVCk8D
+al9cfxC5m843aKiJ01Of13PziZsTQFz/TUsOrcpx4h7+qY7nldrovkQBiyVbbtn4
+MncYq8d84G/0vsbJ/6ftJ6Y+OL20jyzfC5xgmKtK/y1D987aum2BSudISUCylOOt
+j5/KiTRe0rWUjBNtoCjrtw4xlSbygmjuiE/xtcow0CHXDtMjlo8PrDi8W+xccBv2
+zQ2B+e9ywkF4uC/M91s/bVSMkOtxv2JCoUUHOMF4ku5vzKSOhyk=
+=TH0A
+-----END PGP SIGNATURE-----

krb5-mini.spec

@@ -0,0 +1,361 @@
+#
+# spec file for package krb5-mini
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define srcRoot krb5-%{version}
+%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
+%define krb5docdir  %{_defaultdocdir}/krb5
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name:           krb5-mini
+Version:        1.21.3
+Release:        0
+Summary:        MIT Kerberos5 implementation and libraries with minimal dependencies
+License:        MIT
+URL:            https://kerberos.org/dist/
+Source0:        https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
+Source1:        https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
+Source2:        krb5.keyring
+Source3:        vendor-files.tar.bz2
+Source4:        baselibs.conf
+Source5:        krb5-rpmlintrc
+Source6:        krb5.tmpfiles
+Patch1:         0001-ksu-pam-integration.patch
+Patch2:         0002-krb5-1.9-manpaths.patch
+Patch3:         0003-Adjust-build-configuration.patch
+Patch4:         0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+Patch5:         0005-krb5-1.6.3-ktutil-manpage.patch
+Patch6:         0006-krb5-1.12-api.patch
+Patch7:         0007-SELinux-integration.patch
+Patch8:         0008-krb5-1.9-debuginfo.patch
+Patch9:         0009-Fix-three-memory-leaks.patch
+BuildRequires:  autoconf
+BuildRequires:  bison
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(com_err)
+BuildRequires:  pkgconfig(libselinux)
+BuildRequires:  pkgconfig(libverto)
+BuildRequires:  pkgconfig(ncurses)
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+BuildRequires:  crypto-policies
+Requires:       crypto-policies
+%endif
+Requires(post): %fillup_prereq
+Requires:       this-is-only-for-build-envs
+Conflicts:      krb5
+Conflicts:      krb5-client
+Conflicts:      krb5-mini
+Conflicts:      krb5-plugin-kdb-ldap
+Conflicts:      krb5-plugin-preauth-otp
+Conflicts:      krb5-plugin-preauth-pkinit
+Conflicts:      krb5-server
+Obsoletes:      krb5-plugin-preauth-pkinit-nss
+
+%description
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of clear text passwords.
+The package delivers MIT Kerberos with reduced features and minimal
+dependencies
+
+%package devel
+Summary:        Development files for MIT Kerberos5 (openSUSE mini variant)
+Requires:       %{name} = %{version}
+Requires:       pkgconfig(com_err)
+Requires:       pkgconfig(libverto)
+Requires:       pkgconfig(ss)
+Conflicts:      krb5-devel
+Provides:       krb5-devel = %{version}
+Requires:       this-is-only-for-build-envs
+
+%description devel
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes Libraries and
+Include Files for Development
+
+%prep
+%setup -q -n %{srcRoot}
+%setup -q -a 3 -T -D -n %{srcRoot}
+%autopatch -p1
+
+%build
+# needs to be re-generated
+rm -f src/lib/krb5/krb/deltat.c
+cd src
+autoreconf -fi
+DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
+# FIXME: you should use the %%configure macro
+%configure \
+        CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
+        CPPFLAGS="-I%{_includedir}/et " \
+        SS_LIB="-lss" \
+    --sysconfdir=%{_sysconfdir} \
+    --mandir=%{_mandir} \
+    --infodir=%{_infodir} \
+    --libdir=%{_libdir} \
+    --includedir=%{_includedir} \
+    --localstatedir=%{_localstatedir}/lib/kerberos \
+    --localedir=%{_datadir}/locale \
+    --enable-shared \
+    --disable-static \
+    --enable-dns-for-realm \
+    --disable-rpath \
+    --disable-pkinit \
+    --without-pam \
+    --with-selinux \
+    --with-system-et \
+    --with-system-ss \
+    --with-system-verto
+
+%make_build
+
+# Copy kadmin manual page into kadmin.local's due to the split between client and server package
+cp man/kadmin.man man/kadmin.local.8
+
+%install
+mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
+%make_install -C src
+# Munge krb5-config yet again.  This is totally wrong for 64-bit, but chunks
+# of the buildconf patch already conspire to strip out /usr/<anything> from the
+# list of link flags, and it helps prevent file conflicts on multilib systems.
+sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g' %{buildroot}%{_bindir}/krb5-config
+
+# install autoconf macro
+mkdir -p %{buildroot}/%{_datadir}/aclocal
+install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
+# install sample config files
+# I'll probably do something about this later on
+mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
+mkdir -p %{buildroot}%{_localstatedir}/log/krb5
+# create plugin directories
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
+install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
+
+# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
+# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/krb5.conf
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
+# Where per-user keytabs live by default.
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
+install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
+
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# Default include on this directory
+ln -sv %{_sysconfdir}/crypto-policies/back-ends/krb5.config %{buildroot}%{_sysconfdir}/krb5.conf.d/crypto-policies
+%endif
+
+# all libs must have permissions 0755
+for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
+do
+  chmod 0755 ${lib}
+done
+# and binaries too
+chmod 0755 %{buildroot}%{_bindir}/ksu
+# install systemd files
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
+# install sysconfig templates
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
+# install logrotate files
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
+find . -type f -name '*.ps' -exec gzip -9 {} \;
+# create rc* links
+mkdir -p %{buildroot}%{_bindir}/
+mkdir -p %{buildroot}%{_sbindir}/
+ln -s service %{buildroot}%{_sbindir}/rckadmind
+ln -s service %{buildroot}%{_sbindir}/rckrb5kdc
+ln -s service %{buildroot}%{_sbindir}/rckpropd
+# install doc
+install -d -m 755 %{buildroot}/%{krb5docdir}
+install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
+# cleanup
+rm -f  %{buildroot}%{_mandir}/man1/tmac.doc*
+rm -f  %{_mandir}/man1/tmac.doc*
+rm -rf %{buildroot}%{_datadir}/examples
+# manually remove otp, spake and test plugin for krb5-mini since configure
+# doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+
+%if "%{_lto_cflags}" != ""
+# Don't add the lto flags to the public link flags.
+sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
+%endif
+
+%find_lang mit-krb5
+
+#####################################################
+# krb5-mini pre/post/postun
+#####################################################
+
+%preun
+%service_del_preun krb5kdc.service kadmind.service kpropd.service
+
+%postun
+/sbin/ldconfig
+%service_del_postun krb5kdc.service kadmind.service kpropd.service
+
+%post
+/sbin/ldconfig
+%service_add_post krb5kdc.service kadmind.service kpropd.service
+%tmpfiles_create krb5.conf
+%{fillup_only -n kadmind}
+%{fillup_only -n krb5kdc}
+%{fillup_only -n kpropd}
+
+%pre
+%service_add_pre krb5kdc.service kadmind.service kpropd.service
+
+########################################################
+# files sections
+########################################################
+
+%files devel
+%dir %{_datadir}/aclocal
+%{_libdir}/libgssrpc.so
+%{_libdir}/libk5crypto.so
+%{_libdir}/libkadm5clnt_mit.so
+%{_libdir}/libkadm5clnt.so
+%{_libdir}/libkadm5srv_mit.so
+%{_libdir}/libkadm5srv.so
+%{_libdir}/libkdb5.so
+%{_libdir}/libkrb5.so
+%{_libdir}/libkrb5support.so
+%{_libdir}/libkrad.so
+%{_libdir}/pkgconfig/gssrpc.pc
+%{_libdir}/pkgconfig/kadm-client.pc
+%{_libdir}/pkgconfig/kadm-server.pc
+%{_libdir}/pkgconfig/kdb.pc
+%{_libdir}/pkgconfig/krb5-gssapi.pc
+%{_libdir}/pkgconfig/krb5.pc
+%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
+%{_libdir}/pkgconfig/mit-krb5.pc
+%{_includedir}/*
+%{_bindir}/krb5-config
+%{_sbindir}/krb5-send-pr
+%{_mandir}/man1/krb5-config.1%{?ext_man}
+%{_datadir}/aclocal/ac_check_krb5.m4
+
+%files -f mit-krb5.lang
+%dir %{krb5docdir}
+# add directories
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/preauth
+%dir %{_libdir}/krb5/plugins/libkrb5
+%dir %{_libdir}/krb5/plugins/tls
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%doc %{krb5docdir}/README
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
+%dir %{_sysconfdir}/krb5.conf.d
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies
+%endif
+%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
+%{_fillupdir}/sysconfig.*
+%{_unitdir}/kadmind.service
+%{_unitdir}/krb5kdc.service
+%{_unitdir}/kpropd.service
+%{_libdir}/libgssapi_krb5.*
+%{_libdir}/libgssrpc.so.*
+%{_libdir}/libk5crypto.so.*
+%{_libdir}/libkadm5clnt_mit.so.*
+%{_libdir}/libkadm5srv_mit.so.*
+%{_libdir}/libkdb5.so.*
+%{_libdir}/libkrb5.so.*
+%{_libdir}/libkrb5support.so.*
+%{_libdir}/libkrad.so.*
+%{_libdir}/krb5/plugins/kdb/*
+%{_libdir}/krb5/plugins/tls/*
+%{_tmpfilesdir}/krb5.conf
+%dir %{_datadir}/kerberos/
+%dir %{_datadir}/kerberos/krb5kdc
+%dir %{_datadir}/kerberos/krb5
+%dir %{_datadir}/kerberos/krb5/user
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
+%ghost %dir %{_sharedstatedir}/kerberos/
+%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
+%ghost %dir %{_sharedstatedir}/kerberos/krb5
+%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
+%{_sbindir}/kadmin.local
+%{_sbindir}/kadmind
+%{_sbindir}/kpropd
+%{_sbindir}/kproplog
+%{_sbindir}/kprop
+%{_sbindir}/kdb5_util
+%{_sbindir}/krb5kdc
+%{_sbindir}/uuserver
+%{_sbindir}/sserver
+%{_sbindir}/gss-server
+%{_sbindir}/sim_server
+%{_bindir}/k5srvutil
+%{_bindir}/kvno
+%{_bindir}/kinit
+%{_bindir}/kdestroy
+%{_bindir}/kpasswd
+%{_bindir}/klist
+%{_bindir}/kadmin
+%{_bindir}/ktutil
+%{_bindir}/kswitch
+%attr(0755,root,root) %{_bindir}/ksu
+%{_bindir}/uuclient
+%{_bindir}/sclient
+%{_bindir}/gss-client
+%{_bindir}/sim_client
+%{_bindir}/kinit
+%{_bindir}/klist
+%{_sbindir}/rc*
+%{_mandir}/man1/kvno.1%{?ext_man}
+%{_mandir}/man1/kinit.1%{?ext_man}
+%{_mandir}/man1/kdestroy.1%{?ext_man}
+%{_mandir}/man1/kpasswd.1%{?ext_man}
+%{_mandir}/man1/klist.1%{?ext_man}
+%{_mandir}/man1/ksu.1%{?ext_man}
+%{_mandir}/man1/sclient.1%{?ext_man}
+%{_mandir}/man1/kadmin.1%{?ext_man}
+%{_mandir}/man1/ktutil.1%{?ext_man}
+%{_mandir}/man1/k5srvutil.1%{?ext_man}
+%{_mandir}/man1/kswitch.1%{?ext_man}
+%{_mandir}/man5/*
+%{_mandir}/man5/.k5login.5%{?ext_man}
+%{_mandir}/man5/.k5identity.5%{?ext_man}
+%{_mandir}/man7/kerberos.7%{?ext_man}
+%{_mandir}/man8/*
+
+%changelog

krb5-rpmlintrc

@@ -0,0 +1,8 @@
+addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz")
+addFilter("files-duplicate .*css")
+addFilter("files-duplicate .*img.*png")
+addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
+addFilter("shlib-policy-missing-suffix")
+addFilter("non-etc-or-var-file-marked-as-conffile")

krb5.spec

@@ -0,0 +1,516 @@
+#
+# spec file for package krb5
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name:           krb5
+Version:        1.21.3
+Release:        0
+Summary:        MIT Kerberos5 implementation
+License:        MIT
+URL:            https://kerberos.org/dist/
+Source0:        https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz
+Source1:        https://kerberos.org/dist/krb5/1.21/krb5-%{version}.tar.gz.asc
+Source2:        krb5.keyring
+Source3:        vendor-files.tar.bz2
+Source4:        baselibs.conf
+Source5:        krb5-rpmlintrc
+Source6:        ksu-pam.d
+Source7:        krb5.tmpfiles
+Patch1:         0001-ksu-pam-integration.patch
+Patch2:         0002-krb5-1.9-manpaths.patch
+Patch3:         0003-Adjust-build-configuration.patch
+Patch4:         0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+Patch5:         0005-krb5-1.6.3-ktutil-manpage.patch
+Patch6:         0006-krb5-1.12-api.patch
+Patch7:         0007-SELinux-integration.patch
+Patch8:         0008-krb5-1.9-debuginfo.patch
+Patch9:         0009-Fix-three-memory-leaks.patch
+BuildRequires:  autoconf
+BuildRequires:  bison
+BuildRequires:  cyrus-sasl-devel
+BuildRequires:  keyutils
+BuildRequires:  keyutils-devel
+BuildRequires:  openldap2-devel
+BuildRequires:  pam-devel
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(com_err)
+BuildRequires:  pkgconfig(libselinux)
+BuildRequires:  pkgconfig(libssl)
+BuildRequires:  pkgconfig(libverto)
+BuildRequires:  pkgconfig(lmdb)
+BuildRequires:  pkgconfig(ncurses)
+BuildRequires:  pkgconfig(ss)
+BuildRequires:  pkgconfig(systemd)
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+BuildRequires:  crypto-policies
+Requires:       crypto-policies
+%endif
+Conflicts:      krb5-mini
+Obsoletes:      krb5-plugin-preauth-pkinit-nss
+
+%description
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of clear text passwords.
+
+%package client
+Summary:        Client programs of the MIT Kerberos5 implementation
+Conflicts:      krb5-mini
+
+%description client
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes some required
+client programs, like kinit, kadmin, ...
+
+%package server
+Summary:        Server program of the MIT Kerberos5 implementation
+Requires:       libverto-libev1
+Requires:       logrotate
+Requires:       perl-Date-Calc
+Requires(post): %fillup_prereq
+%{?systemd_requires}
+
+%description server
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes the kdc, kadmind
+and more.
+
+%package plugin-kdb-ldap
+Summary:        LDAP database plugin for MIT Kerberos5
+Requires:       krb5-server = %{version}
+
+%description plugin-kdb-ldap
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of clear text passwords. This package contains the LDAP
+database plugin.
+
+%package plugin-preauth-pkinit
+Summary:        PKINIT preauthentication plugin for MIT Kerberos5
+
+%description plugin-preauth-pkinit
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes a PKINIT plugin.
+
+%package plugin-preauth-otp
+Summary:        OTP preauthentication plugin for MIT Kerberos5
+
+%description plugin-preauth-otp
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes a OTP plugin.
+
+%package plugin-preauth-spake
+Summary:        SPAKE preauthentication plugin for MIT Kerberos5
+
+%description plugin-preauth-spake
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes a SPAKE plugin.
+
+%package doc
+Summary:        Documentation for the MIT Kerberos5 implementation
+
+%description doc
+Kerberos V5 is a trusted-third-party network authentication
+system,which can improve network security by eliminating the
+insecurepractice of clear text passwords. This package includes
+extended documentation for MIT Kerberos.
+
+%package devel
+Summary:        Development files for MIT Kerberos5
+Requires:       %{name} = %{version}
+Requires:       keyutils-devel
+Requires:       pkgconfig(com_err)
+Requires:       pkgconfig(libverto)
+Requires:       pkgconfig(ss)
+Conflicts:      krb5-mini-devel
+
+%description devel
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes Libraries and
+Include Files for Development
+
+%define srcRoot krb5-%{version}
+%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
+%define krb5docdir  %{_defaultdocdir}/krb5
+
+%prep
+%setup -q -n %{srcRoot}
+%setup -q -a 3 -T -D -n %{srcRoot}
+%autopatch -p1
+
+%build
+# needs to be re-generated
+rm -f src/lib/krb5/krb/deltat.c
+cd src
+autoreconf -fi
+DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
+%configure \
+        CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
+        CPPFLAGS="-I%{_includedir}/et " \
+        SS_LIB="-lss" \
+    --sysconfdir=%{_sysconfdir} \
+    --mandir=%{_mandir} \
+    --infodir=%{_infodir} \
+    --libdir=%{_libdir} \
+    --includedir=%{_includedir} \
+    --localstatedir=%{_localstatedir}/lib/kerberos \
+    --localedir=%{_datadir}/locale \
+    --enable-shared \
+    --disable-static \
+    --enable-dns-for-realm \
+    --disable-rpath \
+    --with-ldap \
+    --with-pam \
+    --enable-pkinit \
+    --with-crypto-impl=openssl \
+    --with-selinux \
+    --with-system-et \
+    --with-system-ss \
+    --with-system-verto \
+    --with-lmdb
+
+%make_build
+
+# Copy kadmin manual page into kadmin.local's due to the split between client and server package
+cp man/kadmin.man man/kadmin.local.8
+
+%install
+mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
+%make_install -C src
+# Munge krb5-config yet again.  This is totally wrong for 64-bit, but chunks
+# of the buildconf patch already conspire to strip out /usr/<anything> from the
+# list of link flags, and it helps prevent file conflicts on multilib systems.
+sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g' %{buildroot}%{_bindir}/krb5-config
+
+# install autoconf macro
+mkdir -p %{buildroot}/%{_datadir}/aclocal
+install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
+# install sample config files
+# I'll probably do something about this later on
+mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
+mkdir -p %{buildroot}%{_localstatedir}/log/krb5
+# create plugin directories
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
+install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
+
+# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
+# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
+# Where per-user keytabs live by default.
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
+install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
+
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# Default include on this directory
+ln -sv %{_sysconfdir}/crypto-policies/back-ends/krb5.config %{buildroot}%{_sysconfdir}/krb5.conf.d/crypto-policies
+%endif
+
+# all libs must have permissions 0755
+for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
+do
+  chmod 0755 ${lib}
+done
+# and binaries too
+chmod 0755 %{buildroot}%{_bindir}/ksu
+# install systemd files
+%if 0%{?suse_version} >= 1210
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
+%else
+# install init scripts
+mkdir -p %{buildroot}%{_sysconfdir}/init.d
+install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
+install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
+install -m 755 %{vendorFiles}/kpropd.init  %{buildroot}%{_sysconfdir}/init.d/kpropd
+%endif
+# install sysconfig templates
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
+# install logrotate files
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
+find . -type f -name '*.ps' -exec gzip -9 {} +
+# create rc* links
+mkdir -p %{buildroot}%{_bindir}/
+mkdir -p %{buildroot}%{_sbindir}/
+ln -s service %{buildroot}%{_sbindir}/rckadmind
+ln -s service %{buildroot}%{_sbindir}/rckrb5kdc
+ln -s service %{buildroot}%{_sbindir}/rckpropd
+# install doc
+install -d -m 755 %{buildroot}/%{krb5docdir}
+install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
+install -d -m 755 %{buildroot}/%{_datadir}/kerberos/ldap
+install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.schema
+install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.ldif
+# link pam-config for su to ksu
+%if 0%{?suse_version} > 1500
+mkdir -p %{buildroot}%{_pam_vendordir}
+install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/ksu
+%else
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d/
+install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/ksu
+%endif
+
+# cleanup
+rm -f  %{buildroot}%{_mandir}/man1/tmac.doc*
+rm -f  %{_mandir}/man1/tmac.doc* html/.doctrees/environment.pickle
+rm -rf %{buildroot}%{_datadir}/examples
+# manually remove test plugin since configure doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+
+%if "%{_lto_cflags}" != ""
+# Don't add the lto flags to the public link flags.
+sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
+%endif
+
+%find_lang mit-krb5
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%preun server
+%service_del_preun krb5kdc.service kadmind.service kpropd.service
+
+%postun server
+%service_del_postun krb5kdc.service kadmind.service kpropd.service
+
+%post server
+%service_add_post krb5kdc.service kadmind.service kpropd.service
+%tmpfiles_create krb5.conf
+%{fillup_only -n kadmind}
+%{fillup_only -n krb5kdc}
+%{fillup_only -n kpropd}
+
+%pre server
+%service_add_pre krb5kdc.service kadmind.service kpropd.service
+
+%post plugin-kdb-ldap -p /sbin/ldconfig
+%postun plugin-kdb-ldap -p /sbin/ldconfig
+
+%if 0%{?suse_version} > 1500
+%pre client
+# Prepare for migration to /usr/etc; save any old .rpmsave
+for i in pam.d/ksu ; do
+     test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+
+%posttrans client
+# Migration to /usr/etc, restore just created .rpmsave
+for i in pam.d/ksu ; do
+     test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+%endif
+
+%files devel
+%dir %{_datadir}/aclocal
+%{_libdir}/libgssrpc.so
+%{_libdir}/libk5crypto.so
+%{_libdir}/libkadm5clnt_mit.so
+%{_libdir}/libkadm5clnt.so
+%{_libdir}/libkadm5srv_mit.so
+%{_libdir}/libkadm5srv.so
+%{_libdir}/libkdb5.so
+%{_libdir}/libkrb5.so
+%{_libdir}/libkrb5support.so
+%{_libdir}/libkrad.so
+%{_libdir}/pkgconfig/gssrpc.pc
+%{_libdir}/pkgconfig/kadm-client.pc
+%{_libdir}/pkgconfig/kadm-server.pc
+%{_libdir}/pkgconfig/kdb.pc
+%{_libdir}/pkgconfig/krb5-gssapi.pc
+%{_libdir}/pkgconfig/krb5.pc
+%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
+%{_libdir}/pkgconfig/mit-krb5.pc
+%{_includedir}/*
+%{_bindir}/krb5-config
+%{_sbindir}/krb5-send-pr
+%{_mandir}/man1/krb5-config.1%{?ext_man}
+%{_datadir}/aclocal/ac_check_krb5.m4
+
+%files -f mit-krb5.lang
+%dir %{krb5docdir}
+# add plugin directories
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/preauth
+%dir %{_libdir}/krb5/plugins/libkrb5
+%dir %{_libdir}/krb5/plugins/tls
+# add log directory
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%doc %{krb5docdir}/README
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
+%dir %{_sysconfdir}/krb5.conf.d
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/crypto-policies
+%endif
+%{_libdir}/libgssapi_krb5.*
+%{_libdir}/libgssrpc.so.*
+%{_libdir}/libk5crypto.so.*
+%{_libdir}/libkadm5clnt_mit.so.*
+%{_libdir}/libkadm5srv_mit.so.*
+%{_libdir}/libkdb5.so.*
+%{_libdir}/libkrb5.so.*
+%{_libdir}/libkrb5support.so.*
+%{_libdir}/libkrad.so.*
+%{_libdir}/krb5/plugins/tls/*.so
+
+%files server
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
+%{_unitdir}/kadmind.service
+%{_unitdir}/krb5kdc.service
+%{_unitdir}/kpropd.service
+%{_tmpfilesdir}/krb5.conf
+%dir %{krb5docdir}
+%dir %{_datadir}/kerberos/
+%dir %{_datadir}/kerberos/krb5kdc
+%dir %{_datadir}/kerberos/krb5
+%dir %{_datadir}/kerberos/krb5/user
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/tls
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
+%ghost %dir %{_sharedstatedir}/kerberos/
+%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
+%ghost %dir %{_sharedstatedir}/kerberos/krb5
+%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
+%{_fillupdir}/sysconfig.*
+%{_sbindir}/rc*
+%{_sbindir}/kadmin.local
+%{_sbindir}/kadmind
+%{_sbindir}/kpropd
+%{_sbindir}/kproplog
+%{_sbindir}/kprop
+%{_sbindir}/kdb5_util
+%{_sbindir}/krb5kdc
+%{_sbindir}/gss-server
+%{_sbindir}/sim_server
+%{_sbindir}/sserver
+%{_sbindir}/uuserver
+%{_libdir}/krb5/plugins/kdb/db2.so
+%{_libdir}/krb5/plugins/kdb/klmdb.so
+%{_mandir}/man5/kdc.conf.5%{?ext_man}
+%{_mandir}/man5/kadm5.acl.5%{?ext_man}
+%{_mandir}/man8/kadmind.8%{?ext_man}
+%{_mandir}/man8/kadmin.local.8%{?ext_man}
+%{_mandir}/man8/kpropd.8%{?ext_man}
+%{_mandir}/man8/kprop.8%{?ext_man}
+%{_mandir}/man8/kproplog.8%{?ext_man}
+%{_mandir}/man8/kdb5_util.8%{?ext_man}
+%{_mandir}/man8/krb5kdc.8%{?ext_man}
+%{_mandir}/man8/sserver.8%{?ext_man}
+
+%files client
+%if 0%{?suse_version} > 1500
+%attr(0644,root,root) %{_pam_vendordir}/ksu
+%else
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/ksu
+%endif
+%{_bindir}/kvno
+%{_bindir}/kinit
+%{_bindir}/kdestroy
+%{_bindir}/kpasswd
+%{_bindir}/klist
+%{_bindir}/kadmin
+%{_bindir}/ktutil
+%{_bindir}/k5srvutil
+%{_bindir}/gss-client
+%{_bindir}/ksu
+%{_bindir}/sclient
+%{_bindir}/sim_client
+%{_bindir}/uuclient
+%{_bindir}/kswitch
+%{_bindir}/kinit
+%{_bindir}/klist
+%{_mandir}/man1/kvno.1%{?ext_man}
+%{_mandir}/man1/kinit.1%{?ext_man}
+%{_mandir}/man1/kdestroy.1%{?ext_man}
+%{_mandir}/man1/kpasswd.1%{?ext_man}
+%{_mandir}/man1/klist.1%{?ext_man}
+%{_mandir}/man1/kadmin.1%{?ext_man}
+%{_mandir}/man1/ktutil.1%{?ext_man}
+%{_mandir}/man1/k5srvutil.1%{?ext_man}
+%{_mandir}/man1/kswitch.1%{?ext_man}
+%{_mandir}/man5/krb5.conf.5%{?ext_man}
+%{_mandir}/man5/.k5login.5%{?ext_man}
+%{_mandir}/man5/.k5identity.5%{?ext_man}
+%{_mandir}/man5/k5identity.5%{?ext_man}
+%{_mandir}/man5/k5login.5%{?ext_man}
+%{_mandir}/man1/ksu.1%{?ext_man}
+%{_mandir}/man1/sclient.1%{?ext_man}
+%{_mandir}/man7/kerberos.7%{?ext_man}
+
+%files plugin-kdb-ldap
+%{_sbindir}/kdb5_ldap_util
+%dir %{_datadir}/kerberos
+%dir %{_datadir}/kerberos/ldap
+%config %{_datadir}/kerberos/ldap/kerberos.schema
+%config %{_datadir}/kerberos/ldap/kerberos.ldif
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%{_libdir}/krb5/plugins/kdb/kldap.so
+%{_libdir}/libkdb_ldap*
+%{_mandir}/man8/kdb5_ldap_util.8%{?ext_man}
+
+%files plugin-preauth-pkinit
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/pkinit.so
+
+%files plugin-preauth-otp
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/otp.so
+
+%files plugin-preauth-spake
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/spake.so
+
+%changelog

krb5.tmpfiles

@@ -0,0 +1,7 @@
+d /var/lib/kerberos 		0755	root	root	-
+d /var/lib/kerberos/krb5	0755	root	root	-
+d /var/lib/kerberos/krb5/user	0755	root	root	-
+d /var/lib/kerberos/krb5kdc	0755	root	root	-
+C /var/lib/kerberos/krb5kdc/kdc.conf	0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf
+C /var/lib/kerberos/krb5kdc/kadm5.acl	0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl
+C /var/lib/kerberos/krb5kdc/kadm5.dict	0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict

ksu-pam.d

@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth     sufficient     pam_rootok.so
+auth     include        common-auth
+account  sufficient     pam_rootok.so
+account  include        common-account
+password include        common-password
+session  optional       pam_keyinit.so force revoke
+session  include        common-session
+session  optional       pam_xauth.so