> Date: Wed, 6 Sep 2023 10:39:34 +0000
> From: Taylor R Campbell <riastr...@netbsd.org>
>
> A possible workaround is to set:
>
> [libdefaults]
>         k5login_directory = /root
>
> However, that applies to _all_ kuserok checks for _all_ users, not
> just the pam_ksu one for root, so it will probably break other things.
> I'm not sure there is a way in the config file to specify it just for
> pam_ksu or just for root.

Here's a workaround you could test with no code changes that shouldn't
break other applications: move /root/.k5login to /etc/k5login.d/root,
and set

[libdefaults]
        kuserok = USER-K5LOGIN SYSTEM-K5LOGIN SIMPLE DENY

in /etc/krb5.conf.

Still worth finding a code fix for pam_ksu, but you can try this
workaround in the meantime.