New krb5 code from Frank Cusack <fcusack@iconnet.net>.

1999-10-13 02:34:55 +00:00
parent e0a83ab41c
commit 3acdd5b02f
6 changed files with 205 additions and 226 deletions
--- a/auth/kerb5.c
+++ b/auth/kerb5.c
@@ -3,7 +3,7 @@
 * All rights reserved.
 *
 * This code is derived from software contributed by Frank Cusack
- * <fcusack@iconnet.net>.
+ * <fcusack@fcusack.com>.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -62,11 +62,15 @@
 static const char rcsid[] = "$Sudo$";
 #endif /* lint */
-char *realm = NULL;
+static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
-static int xrealm = 0;
+static struct _sudo_krb5_data {
-static krb5_context sudo_context = NULL;
+    krb5_context	sudo_context;
    krb5_principal	princ;
    krb5_ccache		ccache;
 } sudo_krb5_data = { NULL, NULL, NULL };
 typedef struct _sudo_krb5_data *sudo_krb5_datap;
-static int verify_krb_v5_tgt __P((krb5_ccache));
+extern krb5_cc_ops krb5_mcc_ops;
 int
 kerb5_init(pw, promptp, auth)
@@ -74,87 +78,153 @@ kerb5_init(pw, promptp, auth)
    char **promptp;
    sudo_auth *auth;
 {
-    char *lrealm;
+    krb5_context	sudo_context;
    krb5_ccache		ccache;
    krb5_principal	princ;
    krb5_error_code 	error;
-    extern int arg_prompt;
+    char		cache_name[64];
    char		*pname;
-    /* XXX - make these errors non-fatal for better fallback? */
+    auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
-    if (error = krb5_init_context(&sudo_context)) {
+
-	/* XXX - map error to error string? */
+    if (error = krb5_init_context(&(sudo_krb5_data.sudo_context))) {
 	log_error(NO_EXIT|NO_MAIL, 
-	    "unable to initialize Kerberos V context");
+		  "%s: unable to initialize context: %s", auth->name,
-	return(AUTH_FATAL);
+		  error_message(error));
 	return(AUTH_FAILURE);
    }
-    auth->data = (VOID *) &sudo_context; /* save a pointer to the context */
+    sudo_context = sudo_krb5_data.sudo_context;
-    krb5_init_ets(sudo_context);
+    if (error = krb5_parse_name(sudo_context, pw->pw_name,
-
+	&(sudo_krb5_data.princ))) {
    if (error = krb5_get_default_realm(sudo_context, &lrealm)) {
 	log_error(NO_EXIT|NO_MAIL, 
-	    "unable to get default Kerberos V realm");
+		  "%s: unable to parse '%s': %s", auth->name, pw->pw_name,
-	return(AUTH_FATAL);
+		  error_message(error));
 	return(AUTH_FAILURE);
    }
    princ = sudo_krb5_data.princ;
-    if (realm) {
+    /*
-	if (strcmp(realm, lrealm) != 0)
+     * Really, we need to tell the caller not to prompt for password.
-	    xrealm = 1;	/* User supplied realm is not the system default */
+     * The API does not currently provide this unless the auth is standalone.
-	free(lrealm);
+     */
-    } else
+#if 1
-	realm = lrealm;
+    if (error = krb5_unparse_name(sudo_context, princ, &pname)) {
 	log_error(NO_EXIT|NO_MAIL,
 		  "%s: unable to unparse princ ('%s'): %s", auth->name,
 		  pw->pw_name, error_message(error));
 	return(AUTH_FAILURE);
    }
    /* Only rewrite prompt if user didn't specify their own. */
-    if (user_prompt == NULL)
+    /*if (!strcmp(prompt, PASSPROMPT)) { */
-	easprintf(promptp, "Password for %s@%s: ", pw->pw_name, realm);
+	easprintf(promptp, "Password for %s: ", pname);
    /*}*/
    free(pname);
 #endif
    /* For CNS compatibility */
    if (error = krb5_cc_register(sudo_context, &krb5_mcc_ops, FALSE)) {
 	if (error != KRB5_CC_TYPE_EXISTS) {
 	    log_error(NO_EXIT|NO_MAIL, 
 		      "%s: unable to use Memory ccache: %s", auth->name,
 		      error_message(error));
 	    return(AUTH_FAILURE);
 	}
    }
    (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
 		    (long) getpid());
    if (error = krb5_cc_resolve(sudo_context, cache_name,
 	&(sudo_krb5_data.ccache))) {
 	log_error(NO_EXIT|NO_MAIL, 
 		  "%s: unable to resolve ccache: %s", auth->name,
 		  error_message(error));
 	return(AUTH_FAILURE);
    }
    ccache = sudo_krb5_data.ccache;
    if (error = krb5_cc_initialize(sudo_context, ccache, princ)) {
 	log_error(NO_EXIT|NO_MAIL, 
 		  "%s: unable to initialize ccache: %s", auth->name,
 		  error_message(error));
 	return(AUTH_FAILURE);
    }
    return(AUTH_SUCCESS);
 }
 /* XXX - some of this should move into the init or setup function. */
 int
 kerb5_verify(pw, pass, auth)
    struct passwd *pw;
    char *pass;
    sudo_auth *auth;
 {
-    krb5_error_code	error;
+    krb5_context	sudo_context;
    krb5_principal	princ;
    krb5_creds		creds;
    krb5_ccache		ccache;
-    char		cache_name[64];
+    krb5_creds		creds;
-    char		*princ_name;
+    krb5_error_code	error;
    krb5_get_init_creds_opt opts;
    char		cache_name[64];
-    /* Initialize */
+    sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
    princ = ((sudo_krb5_datap) auth->data)->princ;
    ccache = ((sudo_krb5_datap) auth->data)->ccache;
    /* Initialize options to defaults */
    krb5_get_init_creds_opt_init(&opts);
-    princ_name = emalloc(strlen(pw->pw_name) + strlen(realm) + 2);
+    /* Note that we always obtain a new TGT to verify the user */
-    (void) sprintf(princ_name, "%s@%s", pw->pw_name, realm);
+    if (error = krb5_get_init_creds_password(sudo_context, &creds, princ,
-    if (krb5_parse_name(sudo_context, princ_name, &princ))
+					     pass, krb5_prompter_posix,
 					     NULL, 0, NULL, &opts)) {
 	if (error == KRB5KRB_AP_ERR_BAD_INTEGRITY) /* Bad password */
 	    return(AUTH_FAILURE);
-
+	/* Some other error */
-    /* Set the ticket file to be in /tmp so we don't need to change perms. */
+	log_error(NO_EXIT|NO_MAIL, 
-    /* XXX - potential /tmp race? */
+		  "%s: unable to get credentials: %s", auth->name,
-    (void) snprintf(cache_name, sizeof(cache_name), "FILE:/tmp/sudocc_%ld",
+		  error_message(error));
 	(long) getpid());
    if (krb5_cc_resolve(sudo_context, cache_name, &ccache)
 	return(AUTH_FAILURE);
    if (krb5_get_init_creds_password(sudo_context, &creds, princ, pass,
 	krb5_prompter_posix, NULL, 0, NULL, &opts))
 	return(AUTH_FAILURE);
    /* Stash the TGT so we can verify it. */
    if (krb5_cc_initialize(sudo_context, ccache, princ))
 	return(AUTH_FAILURE);
    if (krb5_cc_store_cred(sudo_context, ccache, &creds)) {
 	(void) krb5_cc_destroy(sudo_context, ccache);
 	return(AUTH_FAILURE);
    }
-    error = verify_krb_v5_tgt(ccache);
+    /* Stash the TGT so we can verify it. */
-    (void) krb5_cc_destroy(sudo_context, ccache);
+    if (error = krb5_cc_store_cred(sudo_context, ccache, &creds)) {
 	log_error(NO_EXIT|NO_MAIL, 
 		  "%s: unable to store credentials: %s", auth->name,
 		  error_message(error));
    } else {
 	error = verify_krb_v5_tgt(sudo_context, ccache, auth->name);
    }
    krb5_free_cred_contents(sudo_context, &creds);
    return (error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
 int
 kerb5_cleanup(pw, auth)
    struct passwd *pw;
    sudo_auth *auth;
 {
    krb5_context	sudo_context;
    krb5_principal	princ;
    krb5_ccache		ccache;
    sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
    princ = ((sudo_krb5_datap) auth->data)->princ;
    ccache = ((sudo_krb5_datap) auth->data)->ccache;
    if (sudo_context) {
 	if (ccache)
 	    krb5_cc_destroy(sudo_context, ccache);
 	if (princ)
 	    krb5_free_principal(sudo_context, princ);
 	krb5_free_context(sudo_context);
    }
    return(AUTH_SUCCESS);
 }
 /*
 * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
 *
@@ -162,19 +232,23 @@ kerb5_verify(pw, pass, auth)
 * user.  If the Kerberos server doesn't respond, assume the user is
 * trying to fake us out (since we DID just get a TGT from what is
 * supposedly our KDC). If the host/<host> service is unknown (i.e.,
- * the local keytab doesn't have it), let her in.
+ * the local keytab doesn't have it), return success but log the error.
 *
 * This needs to run as root (to read the host service ticket).
 *
 * Returns 0 for successful authentication, non-zero for failure.
 */
 static int
-verify_krb_v5_tgt(ccache)
+verify_krb_v5_tgt(sudo_context, ccache, auth_name)
    krb5_context	sudo_context;
    krb5_ccache		ccache;
    char		*auth_name; /* For error reporting */
 {
    char		phost[BUFSIZ];
    krb5_error_code	error;
    krb5_principal	princ;
    krb5_keyblock *	keyblock = 0;
    krb5_data		packet;
    krb5_keyblock	*keyblock = 0;
    krb5_auth_context	auth_context = NULL;
    packet.data = 0;
@@ -183,12 +257,17 @@ verify_krb_v5_tgt(ccache)
     * Get the server principal for the local host.
     * (Use defaults of "host" and canonicalized local name.)
     */
-    if (krb5_sname_to_principal(sudo_context, NULL, NULL,
+    if (error = krb5_sname_to_principal(sudo_context, NULL, NULL,
-				KRB5_NT_SRV_HST, &princ))
+					KRB5_NT_SRV_HST, &princ)) {
 	log_error(NO_EXIT|NO_MAIL, 
 		  "%s: unable to get host principal: %s", auth_name,
 		  error_message(error));
 	return(-1);
    }
-    /* Extract the name directly. */
+    /* Extract the name directly. Yow. */
-    strncpy(phost, krb5_princ_component(c, princ, 1)->data, sizeof(phost) - 1);
+    strncpy(phost, krb5_princ_component(sudo_context, princ, 1)->data,
 	    sizeof(phost) - 1);
    phost[sizeof(phost) - 1] = '\0';
    /*
@@ -199,6 +278,10 @@ verify_krb_v5_tgt(ccache)
    if (error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
 					 ENCTYPE_DES_CBC_MD5, &keyblock)) {
 	/* Keytab or service key does not exist. */
 	log_error(NO_EXIT,
 		  "%s: host service key not found: %s", auth_name,
 		  error_message(error));
 	error = 0;
 	goto cleanup;
    }
    if (keyblock)
@@ -221,5 +304,9 @@ cleanup:
 	krb5_free_data_contents(sudo_context, &packet);
    krb5_free_principal(sudo_context, princ);
    if (error)
 	log_error(NO_EXIT|NO_MAIL, 
 		  "%s: Cannot verify TGT! Possible attack!: %s", auth_name,
 		  error_message(error));
    return(error);
 }
--- a/auth/sudo_auth.c
+++ b/auth/sudo_auth.c
@@ -80,7 +80,7 @@ sudo_auth auth_switch[] = {
    AUTH_ENTRY(0, "kerb4", kerb4_init, NULL, kerb4_verify, NULL)
 #  endif
 #  ifdef HAVE_KERB5
-    AUTH_ENTRY(0, "kerb5", kerb5_init, NULL, kerb5_verify, NULL)
+    AUTH_ENTRY(0, "kerb5", kerb5_init, NULL, kerb5_verify, kerb5_cleanup)
 #  endif
 #  ifdef HAVE_SKEY
    AUTH_ENTRY(0, "S/Key", NULL, rfc1938_setup, rfc1938_verify, NULL)
--- a/auth/sudo_auth.h
+++ b/auth/sudo_auth.h
@@ -88,6 +88,7 @@ int kerb4_init __P((struct passwd *pw, char **prompt, sudo_auth *auth));
 int kerb4_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
 int kerb5_init __P((struct passwd *pw, char **prompt, sudo_auth *auth));
 int kerb5_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
 int kerb5_cleanup __P((struct passwd *pw, sudo_auth *auth));
 int securid_init __P((struct passwd *pw, char **prompt, sudo_auth *auth));
 int securid_setup __P((struct passwd *pw, char **prompt, sudo_auth *auth));
 int securid_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
--- a/146
+++ b/146
@@ -7662,58 +7662,32 @@ fi
 fi
 if test "$with_kerb5" = "yes"; then
                    echo $ac_n "checking for krb5_get_init_creds_opt in -lkrb5""... $ac_c" 1>&6
 echo "configure:7667: checking for krb5_get_init_creds_opt in -lkrb5" >&5
 if test -n ""; then
  ac_lib_var=`echo krb5'_'krb5_get_init_creds_opt | sed 'y% ./+-%___p_%'`
 else
  ac_lib_var=`echo krb5'_'krb5_get_init_creds_opt | sed 'y%./+-%__p_%'`
 fi
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
  echo $ac_n "(cached) $ac_c" 1>&6
 else
  ac_save_LIBS="$LIBS"
 LIBS="-lkrb5  $LIBS"
 cat > conftest.$ac_ext <<EOF
 #line 7679 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
    builtin and then its argument prototype would still apply.  */
 char krb5_get_init_creds_opt();
 int main() {
 krb5_get_init_creds_opt()
 ; return 0; }
 EOF
 if { (eval echo configure:7690: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
  rm -rf conftest*
  eval "ac_cv_lib_$ac_lib_var=yes"
 else
  echo "configure: failed program was:" >&5
  cat conftest.$ac_ext >&5
  rm -rf conftest*
  eval "ac_cv_lib_$ac_lib_var=no"
 fi
 rm -f conftest*
 LIBS="$ac_save_LIBS"
 fi
 if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
  echo "$ac_t""yes" 1>&6
    cat >> confdefs.h <<\EOF
 #define HAVE_KERB5 1
 EOF
-	SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
+    if test -f "/usr/local/include/krb5.h"; then
-	AUTH_OBJS="${AUTH_OBJS} kerb5.o"
+	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
-    
+    elif test -f "/usr/local/kerberos/include/krb5.h"; then
 	CPPFLAGS="$CPPFLAGS -I/usr/local/kerberos/include"
    elif test -f "/usr/local/krb5/include/krb5.h"; then
 	CPPFLAGS="$CPPFLAGS -I/usr/local/krb5/include"
    else
-  echo "$ac_t""no" 1>&6
+	echo 'Unable to locate kerberos 5 include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS'
 with_kerb4=yes
    fi
    if test -f "/usr/local/lib/libkrb5.a"; then
 	SUDO_LDFLAGS="${SUDO_LDFLAGS} -L/usr/local/lib"
    elif test -f "/usr/local/kerberos/lib/libkrb5.a"; then
 	SUDO_LDFLAGS="${SUDO_LDFLAGS} -L/usr/local/kerberos/lib"
    elif test -f "/usr/local/krb5/lib/libkrb5.a"; then
 	SUDO_LDFLAGS="${SUDO_LDFLAGS} -L/usr/local/krb5/lib"
    else
 	echo 'Unable to locate kerberos 5 libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDO_LDFLAGS'
    fi
    SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
    AUTH_OBJS="${AUTH_OBJS} kerb5.o"
 fi
 if test "$with_kerb4" = "yes"; then
@@ -7743,93 +7717,22 @@ EOF
 	echo 'Unable to locate kerberos 4 libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDO_LDFLAGS'
    fi
    if test "$with_kerb5" = "yes"; then
 	echo $ac_n "checking for -lkrb4""... $ac_c" 1>&6
 echo "configure:7749: checking for -lkrb4" >&5
 if eval "test \"`echo '$''{'ac_cv_lib_krb4'+set}'`\" = set"; then
  echo $ac_n "(cached) $ac_c" 1>&6
 else
  ac_save_LIBS="$LIBS"
 LIBS="-lkrb4  $LIBS"
 cat > conftest.$ac_ext <<EOF
 #line 7756 "configure"
 #include "confdefs.h"
 int main() {
 main()
 ; return 0; }
 EOF
 if { (eval echo configure:7763: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
  rm -rf conftest*
  ac_cv_lib_krb4=yes
 else
  echo "configure: failed program was:" >&5
  cat conftest.$ac_ext >&5
  rm -rf conftest*
  ac_cv_lib_krb4=no
 fi
 rm -f conftest*
 LIBS="$ac_save_LIBS"
 fi
 echo "$ac_t""$ac_cv_lib_krb4" 1>&6
 if test "$ac_cv_lib_krb4" = yes; then
  SUDO_LIBS="${SUDO_LIBS} -lkrb4"
 else
  SUDO_LIBS="${SUDO_LIBS} -lkrb"
 fi
    echo $ac_n "checking for -ldes""... $ac_c" 1>&6
-echo "configure:7784: checking for -ldes" >&5
+echo "configure:7722: checking for -ldes" >&5
 if eval "test \"`echo '$''{'ac_cv_lib_des'+set}'`\" = set"; then
  echo $ac_n "(cached) $ac_c" 1>&6
 else
  ac_save_LIBS="$LIBS"
 LIBS="-ldes  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 7791 "configure"
+#line 7729 "configure"
 #include "confdefs.h"
 int main() {
 main()
 ; return 0; }
 EOF
-if { (eval echo configure:7798: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+if { (eval echo configure:7736: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
  rm -rf conftest*
  ac_cv_lib_des=yes
 else
  echo "configure: failed program was:" >&5
  cat conftest.$ac_ext >&5
  rm -rf conftest*
  ac_cv_lib_des=no
 fi
 rm -f conftest*
 LIBS="$ac_save_LIBS"
 fi
 echo "$ac_t""$ac_cv_lib_des" 1>&6
 if test "$ac_cv_lib_des" = yes; then
  SUDO_LIBS="${SUDO_LIBS} -ldes"
 fi
 	SUDO_LIBS="${SUDO_LIBS} -ldes425 -lkrb5 -lcrypto -lcom_err"
    else
 	echo $ac_n "checking for -ldes""... $ac_c" 1>&6
 echo "configure:7819: checking for -ldes" >&5
 if eval "test \"`echo '$''{'ac_cv_lib_des'+set}'`\" = set"; then
  echo $ac_n "(cached) $ac_c" 1>&6
 else
  ac_save_LIBS="$LIBS"
 LIBS="-ldes  $LIBS"
 cat > conftest.$ac_ext <<EOF
 #line 7826 "configure"
 #include "confdefs.h"
 int main() {
 main()
 ; return 0; }
 EOF
 if { (eval echo configure:7833: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
  rm -rf conftest*
  ac_cv_lib_des=yes
 else
@@ -7851,7 +7754,6 @@ fi
    AUTH_OBJS="${AUTH_OBJS} kerb4.o"
 fi
 fi
 if test "$with_pam" = "yes"; then
    SUDO_LIBS="${SUDO_LIBS} -ldl -lpam"
@@ -7953,7 +7855,7 @@ if test "$with_authenticate" = "yes"; then
 fi
 echo $ac_n "checking for log file location""... $ac_c" 1>&6
-echo "configure:7957: checking for log file location" >&5
+echo "configure:7859: checking for log file location" >&5
 if test -n "$with_logpath"; then
    echo "$ac_t""$with_logpath" 1>&6
    cat >> confdefs.h <<EOF
@@ -7983,7 +7885,7 @@ else
 fi
 echo $ac_n "checking for timestamp file location""... $ac_c" 1>&6
-echo "configure:7987: checking for timestamp file location" >&5
+echo "configure:7889: checking for timestamp file location" >&5
 if test -n "$with_timedir"; then
    echo "$ac_t""$with_timedir" 1>&6
    cat >> confdefs.h <<EOF
--- a/configure.in
+++ b/configure.in
@@ -1467,15 +1467,29 @@ dnl
 dnl Kerberos 5
 dnl
 if test "$with_kerb5" = "yes"; then
    dnl
    dnl Starting with Kerberos 5, 1.1 we use the new creds API
    dnl Otherwise, just use the old Kerberos 4 stuff.
    dnl
    AC_CHECK_LIB(krb5, krb5_get_init_creds_opt, [
    AC_DEFINE(HAVE_KERB5)
    if test -f "/usr/local/include/krb5.h"; then
 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
    elif test -f "/usr/local/kerberos/include/krb5.h"; then
 	CPPFLAGS="$CPPFLAGS -I/usr/local/kerberos/include"
    elif test -f "/usr/local/krb5/include/krb5.h"; then
 	CPPFLAGS="$CPPFLAGS -I/usr/local/krb5/include"
    else
 	echo 'Unable to locate kerberos 5 include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS'
    fi
    if test -f "/usr/local/lib/libkrb5.a"; then
 	SUDO_LDFLAGS="${SUDO_LDFLAGS} -L/usr/local/lib"
    elif test -f "/usr/local/kerberos/lib/libkrb5.a"; then
 	SUDO_LDFLAGS="${SUDO_LDFLAGS} -L/usr/local/kerberos/lib"
    elif test -f "/usr/local/krb5/lib/libkrb5.a"; then
 	SUDO_LDFLAGS="${SUDO_LDFLAGS} -L/usr/local/krb5/lib"
    else
 	echo 'Unable to locate kerberos 5 libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDO_LDFLAGS'
    fi
    SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
    AUTH_OBJS="${AUTH_OBJS} kerb5.o"
    ], with_kerb4=yes)
 fi
 dnl
@@ -1505,15 +1519,9 @@ if test "$with_kerb4" = "yes"; then
 	echo 'Unable to locate kerberos 4 libraries, you will have to edit the Makefile and add -L/path/to/krb/libs to SUDO_LDFLAGS'
    fi
    if test "$with_kerb5" = "yes"; then
 	AC_HAVE_LIBRARY(krb4, SUDO_LIBS="${SUDO_LIBS} -lkrb4", SUDO_LIBS="${SUDO_LIBS} -lkrb")
 	AC_HAVE_LIBRARY(des, SUDO_LIBS="${SUDO_LIBS} -ldes")
 	SUDO_LIBS="${SUDO_LIBS} -ldes425 -lkrb5 -lcrypto -lcom_err"
    else
    AC_HAVE_LIBRARY(des, SUDO_LIBS="${SUDO_LIBS} -lkrb -ldes", SUDO_LIBS="${SUDO_LIBS} -lkrb")
    AUTH_OBJS="${AUTH_OBJS} kerb4.o"
 fi
 fi
 dnl
 dnl PAM libs
--- a/sudo.c
+++ b/sudo.c
@@ -556,9 +556,6 @@ parse_args()
 {
    int rval = MODE_RUN;		/* what mode is suod to be run in? */
    int excl = 0;			/* exclusive arg, no others allowed */
 #ifdef HAVE_KERB5
    extern char *realm;			/* kerb5 realm (may be user-specified */
 #endif /* HAVE_KERB5 */
    NewArgv = Argv + 1;
    NewArgc = Argc - 1;
@@ -578,19 +575,6 @@ parse_args()
 	}
 	switch (NewArgv[0][1]) {
 #ifdef HAVE_KERB5
 	    case 'r':
 		/* Must have an associated realm. */
 		if (NewArgv[1] == NULL)
 		    usage(1);
 		realm = NewArgv[1];
 		/* Shift Argv over and adjust Argc. */
 		NewArgc--;
 		NewArgv++;
 		break;
 #endif /* HAVE_KERB5 */
 	    case 'p':
 		/* Must have an associated prompt. */
 		if (NewArgv[1] == NULL)
@@ -1035,9 +1019,6 @@ usage(exit_val)
    (void) fprintf(stderr,
 	"usage: %s -V | -h | -L | -l | -v | -k | -K | -H | [-b] [-p prompt]\n%*s",
 	Argv[0], (int) strlen(Argv[0]) + 8, " ");
 #ifdef HAVE_KERB5
    (void) fprintf(stderr, "[-r realm] ");
 #endif /* HAVE_KERB5 */
    (void) fprintf(stderr, "[-u username/#uid] -s | <command>\n");
    exit(exit_val);
 }