3 files changed, 12 insertions, 0 deletions

diff --git a/contrib/pam-krb5/module/auth.c b/contrib/pam-krb5/module/auth.c
index 065ce97b6596..46f2be791000 100644
--- a/contrib/pam-krb5/module/auth.c
+++ b/contrib/pam-krb5/module/auth.c
@@ -696,6 +696,12 @@ verify_creds(struct pam_args *args, krb5_creds *creds)
         if (cursor_valid)
             krb5_kt_end_seq_get(c, keytab, &cursor);
     }
+#ifdef __FreeBSD__
+    if (args->config->allow_kdc_spoof)
+	opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+    else
+	opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+#endif /* __FreeBSD__ */
     retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts);
     if (retval != 0)
         putil_err_krb5(args, retval, "credential verification failed");
diff --git a/contrib/pam-krb5/module/internal.h b/contrib/pam-krb5/module/internal.h
index f3ea30139815..c797f7a56cd3 100644
--- a/contrib/pam-krb5/module/internal.h
+++ b/contrib/pam-krb5/module/internal.h
@@ -62,6 +62,9 @@ struct pam_config {
     long minimum_uid;    /* Ignore users below this UID. */
     bool only_alt_auth;  /* Alt principal must be used. */
     bool search_k5login; /* Try password with each line of .k5login. */
+#ifdef __FreeBSD__
+    bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */
+#endif /* __FreeBSD__ */
 
     /* Kerberos behavior. */
     char *fast_ccache;           /* Cache containing armor ticket. */
diff --git a/contrib/pam-krb5/module/options.c b/contrib/pam-krb5/module/options.c
index 799b3a33e168..0118fb451af6 100644
--- a/contrib/pam-krb5/module/options.c
+++ b/contrib/pam-krb5/module/options.c
@@ -30,6 +30,9 @@
 #define K(name) (#name), offsetof(struct pam_config, name)
 /* clang-format off */
 static const struct option options[] = {
+#ifdef __FreeBSD__
+    { K(allow_kdc_spoof),    true,  BOOL   (false) },
+#endif /* __FreeBSD__ */
     { K(alt_auth_map),       true,  STRING (NULL)  },
     { K(anon_fast),          true,  BOOL   (false) },
     { K(banner),             true,  STRING ("Kerberos") },