pam_krb5: Restore allow_kdc_spoof option

Not only does the new pam_krb5 module not have the same allow_kdc_spoof
option that the old one had, its behavior in this matter defaults to
insecure.  Reimplement allow_kdc_spoof and switch the default back.

Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D53884

contrib/pam-krb5/docs/pam_krb5.pod

@@ -57,12 +57,10 @@ is vulnerable to KDC spoofing, but it requires that the system have a
 local key and that the PAM module be running as a user that can read the
 keytab file (normally F</etc/krb5.keytab>.  You can point the Kerberos PAM
 module at a different keytab with the I<keytab> option.  If that keytab
-cannot be read or if no keys are found in it, the default (potentially
-insecure) behavior is to skip this check.  If you want to instead fail
-authentication if the obtained tickets cannot be checked, set
-C<verify_ap_req_nofail> to true in the [libdefaults] section of
-F</etc/krb5.conf>.  Note that this will affect applications other than
-this PAM module.
+cannot be read or if no keys are found in it, the default behavior is to
+fail authentication. If you want to skip this check, set the
+C<allow_kdc_spoof> option to true either in the [appdefaults] section of
+F</etc/krb5.conf> or in the PAM policy.
 
 By default, whenever the user is authenticated, a basic authorization
 check will also be done using krb5_kuserok().  The default behavior of
@@ -218,6 +216,11 @@ pam-krb5 in which that option was added with the current meaning.
 
 =over 4
 
+=item allow_kdc_spoof
+
+Allow authentication to succeed even if there is no host or service
+key available in a keytab to authenticate the Kerberos KDC's ticket.
+
 =item alt_auth_map=<format>
 
 [3.12] This functions similarly to the I<search_k5login> option.  The

contrib/pam-krb5/module/auth.c

@@ -696,6 +696,12 @@ verify_creds(struct pam_args *args, krb5_creds *creds)
         if (cursor_valid)
             krb5_kt_end_seq_get(c, keytab, &cursor);
     }
+#ifdef __FreeBSD__
+    if (args->config->allow_kdc_spoof)
+	opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+    else
+	opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+#endif /* __FreeBSD__ */
     retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts);
     if (retval != 0)
         putil_err_krb5(args, retval, "credential verification failed");

contrib/pam-krb5/module/internal.h

@@ -62,6 +62,9 @@ struct pam_config {
     long minimum_uid;    /* Ignore users below this UID. */
     bool only_alt_auth;  /* Alt principal must be used. */
     bool search_k5login; /* Try password with each line of .k5login. */
+#ifdef __FreeBSD__
+    bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */
+#endif /* __FreeBSD__ */
 
     /* Kerberos behavior. */
     char *fast_ccache;           /* Cache containing armor ticket. */

contrib/pam-krb5/module/options.c

@@ -30,6 +30,9 @@
 #define K(name) (#name), offsetof(struct pam_config, name)
 /* clang-format off */
 static const struct option options[] = {
+#ifdef __FreeBSD__
+    { K(allow_kdc_spoof),    true,  BOOL   (false) },
+#endif /* __FreeBSD__ */
     { K(alt_auth_map),       true,  STRING (NULL)  },
     { K(anon_fast),          true,  BOOL   (false) },
     { K(banner),             true,  STRING ("Kerberos") },