* ksu.M: Document authorization changes

	* ksu.1: Remove as was out of date.

	* Makefile.in (DEFINES): Remove LOCAL_REALM definition.

	* ksu.h: Remove local_realm from krb5_authorization.

	* authorization.c (krb5_authorization): Remove old copied code
		that is in krb5 library and is out of date. Use the
		configurable aname to localname methods.

	* main.c (main): Add krb5_secure_config_files so that users cannot
		override system config files.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6943 dc483132-0cff-0310-8789-dd5450dbe970

7 files changed, 35 insertions, 646 deletions

diff --git a/src/clients/ksu/ChangeLog b/src/clients/ksu/ChangeLog
index 0c2b63748a..9ec6eddc75 100644
--- a/src/clients/ksu/ChangeLog
+++ b/src/clients/ksu/ChangeLog
@@ -1,3 +1,21 @@
+Thu Oct  5 11:23:21 1995  Ezra Peisach  <epeisach@kangaroo.mit.edu>
+
+	* ksu.M: Document authorization changes.
+
+	* ksu.1: Remove as was out of date.
+
+	* Makefile.in (DEFINES): Remove LOCAL_REALM definition.
+
+	* ksu.h: Remove local_realm from krb5_authorization.
+
+	* authorization.c (krb5_authorization): Remove old copied code
+		that is in krb5 library and is out of date. Use the
+		configurable aname to localname methods.
+
+	* main.c (main): Add krb5_secure_config_files so that users cannot
+		override system config files.
+	
+
 Wed Sep 06 14:20:57 1995   Chris Provenzano (proven@mit.edu)
 
         * krb_auth_su.c : s/keytype/enctype/g, s/KEYTYPE/ENCTYPE/g
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index 43a3125651..f58c699a11 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -1,4 +1,4 @@
-DEFINES = -DLOCAL_REALM='"."' -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
 CFLAGS = $(CCOPTS) $(DEFINES) $(DEFS) $(LOCALINCLUDE)
 
 SRCS = \
@@ -24,4 +24,4 @@ clean::
 
 install::
 	$(INSTALL_SETUID) ksu ${DESTDIR}$(CLIENT_BINDIR)/ksu
-	$(INSTALL_DATA) $(srcdir)/ksu.1 ${DESTDIR}$(CLIENT_MANDIR)/ksu.1
+	$(INSTALL_DATA) $(srcdir)/ksu.M ${DESTDIR}$(CLIENT_MANDIR)/ksu.1
diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c
index c5ca25454f..ec2dce8cf6 100644
--- a/src/clients/ksu/authorization.c
+++ b/src/clients/ksu/authorization.c
@@ -27,10 +27,6 @@
 
 #include "ksu.h"
 
-static krb5_error_code _dbm_an_to_ln PROTOTYPE((krb5_context, 
-		     krb5_const_principal, const int, char *));
-static krb5_error_code _username_an_to_ln PROTOTYPE((krb5_context,
-		     krb5_const_principal, const int, char *, char *));
 static void auth_cleanup PROTOTYPE((int, FILE *, int, FILE *, char *));
 
 krb5_boolean fowner(fp, uid)
@@ -64,13 +60,12 @@ return(TRUE);
  *
  */
 
-krb5_error_code krb5_authorization(context, principal, luser, local_realm_name,
+krb5_error_code krb5_authorization(context, principal, luser,
 				   cmd, ok, out_fcmd)
     /* IN */
     krb5_context context;
     krb5_principal principal;
     const char *luser;
-    char *local_realm_name;
     char *cmd;
     /* OUT */
     krb5_boolean *ok;
@@ -181,44 +176,14 @@ krb5_error_code krb5_authorization(context, principal, luser, local_realm_name,
     if ( k5login_flag && k5users_flag){
 
 	char * kuser =  (char *) calloc (strlen(princname), sizeof(char));
-
-#ifdef DEBUG 	
-	printf("krb5_lname_file %s\n", krb5_lname_file); 
-#endif
-
-	if (!stat(krb5_lname_file, &statbuf)){
-		if ((! _dbm_an_to_ln(context, principal, strlen(princname), kuser)) &&
-	 			     (strcmp(kuser, luser) == 0)){
-			retbool = TRUE; /* found the right one in db */
-		}
+	if (!(krb5_aname_to_localname(context, principal,
+				      strlen(princname), kuser))
+	    && (strcmp(kuser, luser) == 0)) {
+	    retbool = TRUE;
 	}
-	
-	if (local_realm_name && (retbool == FALSE)){ 
-		char * realm;	
-		int used_def = 0;
-
-		if (!strcmp(local_realm_name, USE_DEFAULT_REALM_NAME)){
-
-    			if (retval = krb5_get_default_realm(context, &realm)) {
-				auth_cleanup(k5users_flag,users_fp,
-					k5login_flag,login_fp, princname); 
-				free(kuser);
-				return(retval);
-    			}
-			used_def =1;
-		}
-		else{ realm = local_realm_name; }
-
-		if((! _username_an_to_ln(context, principal, strlen(princname),
-					 kuser, realm)) 
-		    && (strcmp(kuser,luser) == 0)){
-			retbool = TRUE;
-		}
 
-		if (used_def) free (realm); 
-	}
 	free(kuser);
-    }
+   }
 	 
    *ok =retbool;	
    auth_cleanup(k5users_flag,users_fp, k5login_flag,login_fp, princname); 
@@ -730,106 +695,6 @@ char * lptr, * out_ptr;
 return out_ptr;
 }
 
-/********************************************************************
- * Implementation:  This version uses a DBM database, indexed by aname,
- * to generate a lname.
- *
- * The entries in the database are normal C strings, and include the trailing
- * null in the DBM datum.size.
- ********************************************************************/
-static krb5_error_code
-_dbm_an_to_ln(context, aname, lnsize, lname)
-    krb5_context context;
-    krb5_const_principal aname;
-    const int lnsize;
-    char *lname;
-{
-    DBM *db;
-    krb5_error_code retval;
-    datum key, contents;
-    char *princ_name;
-
-    if (retval = krb5_unparse_name(context, aname, &princ_name))
-	return(retval);
-    key.dptr = princ_name;
-    key.dsize = strlen(princ_name)+1;	/* need to store the NULL for
-					   decoding */
-
-    db = dbm_open(krb5_lname_file, O_RDONLY, 0600);
-    if (!db) {
-	krb5_xfree(princ_name);
-	return KRB5_LNAME_CANTOPEN;
-    }
-
-    contents = dbm_fetch(db, key);
-
-    krb5_xfree(princ_name);
-
-    if (contents.dptr == NULL) {
-	retval = KRB5_LNAME_NOTRANS;
-    } else {
-	strncpy(lname, contents.dptr, lnsize);
-	if (lnsize < contents.dsize)
-	    retval = KRB5_CONFIG_NOTENUFSPACE;
-	else if (lname[contents.dsize-1] != '\0')
-	    retval = KRB5_LNAME_BADFORMAT;
-	else
-	    retval = 0;
-    }
-    /* can't close until we copy the contents. */
-    (void) dbm_close(db);
-    return retval;
-}
-
-/*****************************************************************
- * Implementation:  This version checks the realm to see if it is the 
- * realm passed in; if so, and there is exactly one non-realm 
- * component to the name, that name is returned as the lname.
- ************************************************************/
-
-static krb5_error_code
-_username_an_to_ln (context, aname, lnsize, lname, realm)
-    krb5_context context;
-    krb5_const_principal aname;
-    const int lnsize;
-    char *lname;
-    char *realm;
-{
-    krb5_error_code retval;
-    int realm_length;
-
-    realm_length = krb5_princ_realm(context, aname)->length;
-    
-    if ((realm_length != strlen(realm)) ||
-        (memcmp(realm, krb5_princ_realm(context, aname)->data, realm_length))) {
-        return KRB5_LNAME_NOTRANS;
-    }
-
-    if (krb5_princ_size(context, aname) != 1) {
-        if (krb5_princ_size(context, aname) == 2 ) {
-           /* Check to see if 2nd component is the local realm. */
-           if ( strncmp(krb5_princ_component(context, aname,1)->data,realm,
-                        realm_length) ||
-                realm_length != krb5_princ_component(context, aname,1)->length)
-                return KRB5_LNAME_NOTRANS;
-        }
-        else
-           /* no components or more than one component to non-realm part of name
-           --no translation. */
-            return KRB5_LNAME_NOTRANS;
-    }
-
-    strncpy(lname, krb5_princ_component(context, aname,0)->data, 
-	    min(krb5_princ_component(context, aname,0)->length,lnsize));
-    if (lnsize < krb5_princ_component(context, aname,0)->length ) {
-	retval = KRB5_CONFIG_NOTENUFSPACE;
-    } else {
-	lname[krb5_princ_component(context, aname,0)->length] = '\0';
-	retval = 0;
-    }
-    return retval;
-}
-
 static void auth_cleanup(k5users_flag, users_fp, k5login_flag,
 			 login_fp, princname)
     int k5users_flag;
diff --git a/src/clients/ksu/ksu.1 b/src/clients/ksu/ksu.1
deleted file mode 100644
index eb5e61dc60..0000000000
--- a/src/clients/ksu/ksu.1
+++ /dev/null
@@ -1,480 +0,0 @@
-.\" Copyright (c) 1994 by the University of Southern California
-.\"
-.\" EXPORT OF THIS SOFTWARE from the United States of America may
-.\"     require a specific license from the United States Government.
-.\"     It is the responsibility of any person or organization contemplating
-.\"     export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute
-.\"     this software and its documentation in source and binary forms is
-.\"     hereby granted, provided that any documentation or other materials
-.\"     related to such distribution or use acknowledge that the software
-.\"     was developed by the University of Southern California. 
-.\"
-.\" DISCLAIMER OF WARRANTY.  THIS SOFTWARE IS PROVIDED "AS IS".  The
-.\"     University of Southern California MAKES NO REPRESENTATIONS OR
-.\"     WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
-.\"     limitation, the University of Southern California MAKES NO
-.\"     REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY
-.\"     PARTICULAR PURPOSE. The University of Southern
-.\"     California shall not be held liable for any liability nor for any
-.\"     direct, indirect, or consequential damages with respect to any
-.\"     claim by the user or distributor of the ksu software.
-.\"
-.\" KSU was writen by:  Ari Medvinsky, ari@isi.edu
-.TH KSU 1 "Kerberos Version 5.3" 
-.SH NAME
-ksu \- Kerberized super-user    	
-.SH SYNOPSIS
-.B ksu 
-[
-.I target_user
-] [
-.B \-n
-.I target_principal_name 
-] [
-.B \-c
-.I source_cache_name
-] [
-.B \-C
-.I target_cache_name
-] [
-.B \-k
-] [
-.B \-D
-] [
-.B \-r
-.I time
-] [
-.B \-pf
-] [
-.B \-l 
-.I lifetime
-] [
-.B \-zZ
-] [
-.B \-e
-.I command
-[
-.I args ...
-] ] [
-.B \-a 
-[
-.I args ...
-] ] 
-.br
-.SH REQUIREMENTS
-Must have Kerberos version 5 installed, to compile ksu.
-Must have a Kerberos version 5 server running to use ksu.
-.br
-.SH DESCRIPTION
-.I ksu
-is a Kerberized version of the su program that has two missions:
-one is to securely change the real and effective user ID to that
-of the target user, the other is to create a new security context.
-For the sake of clarity all references to, and attributes of
-the user invoking the program will start with 'source' (e.g.
-source user, source cache, etc.).  Likewise all references
-to and attributes of the target account, will start with 'target'.
-.br
-.SH AUTHENTICATION
-To fulfill the first mission, ksu operates in two phases: authentication
-and authorization.  Resolving the target principal name is the
-first step in authentication.  The user
-can either specify his principal name with the
-.B \-n
-option
-(e.g.
-.B \-n
-jqpublic@USC.EDU) or a default principal name will be assigned
-using a heuristic described in the OPTIONS section (see
-.B \-n
-option).
-The target user name must be the first argument to ksu, if not specified
-root is the default.  If the source user is root no authentication
-or authorization takes place.  Otherwise, ksu looks for an appropriate
-Kerberos ticket in the source cache.
-.PP
-The ticket can either be for
-the end-server
-or a ticket granting ticket (TGT) for the target principal's realm.  If the
-ticket for the end server is already in the cache, it's, decrypted and
-verified.  If it's not in the cache but the TGT is, TGT is used to
-obtain the ticket for the end-server.   The end-server ticket is then
-verified.  If neither ticket is in the cache, but ksu is compiled
-with the GET_TGT_VIA_PASSWD define, the user will be prompted
-for a Kerberos password which will then be used to get a TGT.
-If the user is logged in remotely and
-does not have a secure channel, the password may be exposed.
-If neither ticket is in the cache and GET_TGT_VIA_PASSWD is not defined,
-authentication fails.
-.br
-.SH AUTHORIZATION
-This section describes authorization of the source user when ksu
-is invoked without the
-.B \-e
-option.
-For a description of the
-.B \-e
-option, see the OPTIONS section.
-.PP
-Upon successful authentication, ksu checks whether the target principal
-is authorized to access the target account.
-In the target user's home directory, ksu attempts to access
-two authorization files: .k5login and .k5users.  In the .k5login  
-file each line contains the name of a
-principal that is authorized to access the account.
-.TP 12
-For example:
-jqpublic@USC.EDU
-.br
-jqpublic/secure@USC.EDU
-.br
-jqpublic/admin@USC.EDU
-.PP
-The format of .k5users is the same, accept the
-principal name may be followed by a list of commands that
-the principal is authorized to execute. (see the
-.B \-e
-option in the OPTIONS section for details).
-.PP
-Thus if the target principal
-name is found in the .k5login file the source user is authorized to access
-the target account. Otherwise ksu looks in the .k5users file.
-If the target principal name is found without any trailing commands
-or followed only by '*' then the source user is authorized.  
-If either .k5login or .k5users exist but an appropriate entry for the target
-principal does not exist then access is denied. If neither
-file exists then a database of local principal names is
-consulted.(the name of this database is defined in Kerberos osconf.h
-file by DEFAULT_LNAME_FILENAME macro). If the target principal name is
-found then the source user is authorized to access the account.
-If it's not found, and ksu was compiled with LOCAL_REALM macro undefined,
-authorization fails. If LOCAL_REALM is defined, and it matches
-the target principal's realm and the first component of the
-target principal name translates to the target account name then
-authorization is successful.  Otherwise, authorization fails.
-.br
-.SH EXECUTION OF THE TARGET SHELL
-Upon successful authentication and authorization, ksu
-proceeds in a similar fashion to su.  The environment
-is unmodified with the exception of USER, HOME and SHELL variables.
-If the target user is not root, USER gets set to the target user
-name. Otherwise USER remains unchanged. Both HOME and SHELL are
-set to the target login's default values.
-In addition, the environment variable KRB5CCNAME gets set to the
-name of the target cache.
-The real and effective user ID are changed to that of the
-target user.  The target user's shell is then invoked
-(the shell name is specified in the password file).
-Upon termination of the shell, ksu deletes the target cache (unless
-ksu is invoked with
-.B \-k
- or '
-.B \-C .' options).
-This is implemented by first doing a fork and then an exec, instead
-of just exec, as done by su.
-.br
-.SH CREATING A NEW SECURITY CONTEXT
-.PP
-Ksu can be used to create a new security context for the
-target program (either the target
-shell, or command specified via the -e option).
-The target program inherits a set
-of credentials from the source user.
-By default, this set includes all of the credentials
-in the source cache plus any
-additional credentials obtained during authentication.
-The source user is able to limit the credentials in this set
-by using -z or -Z option.
--z restricts the copy of tickets from the source cache
-to the target cache to only the tickets where client ==
-the target principal name.  The -Z option
-provides the target user with a fresh target cache
-(no creds in the cache). Note that for security reasons,
-when the source user is root and target user is non-root,
--z option is the default mode of operation.  In this
-case if -n is specified and no credentials can be copied
-to the target cache, the source user is prompted for
-a Kerberos password (unless -Z specified or GET_TGT_VIA_PASSWD is
-undefined). If successful, a TGT is obtained
-from the Kerberos server and stored in the target cache.
-Otherwise, ksu continues in a normal mode of operation, but
-the destination cache will remain empty.
-.PP
-\fISide Note:\fP during authentication, only the tickets that could be
-obtained without providing a password are cached in
-in the source cache.
-.SH OPTIONS
-.TP 10
-\fB\-n \fItarget_principal_name
-Specify a Kerberos target principal name.
-Used in authentication and authorization
-phases of ksu.
-
-If ksu is invoked without
-.B \-n,
-a default principal name is
-assigned via the following heuristic:
-
-\fICase 1:\fP source user is non-root.
-.br
-If neither ~/target_user/.k5users
-nor ~/target_user/.k5login exist then
-the default principal name is
-target_user_login_name@local_realm. Otherwise,
-starting with the first principal listed below,
-ksu checks if the principal is authorized
-to  access the target account and whether
-there is a legitimate ticket for that principal
-in the source cache. If both conditions are met
-that principal becomes the default target principal,
-otherwise go to the next principal.
-
-a) default principal of the source cache
-.br
-b) target_user@local_realm
-.br
-c) source_user@local_realm
-
-If a-c fails try any principal for which there is
-a ticket in the source cache and that is
-authorized to access the target account.
-If that fails select the first principal that
-is authorized to access the target account from
-the following list:
-
-a) default principal of the source cache
-.br
-b) if ksu is configured with PRINC_LOOK_AHEAD
-.br
-   turned on, the principal with the same
-.br
-   realm name as a) and has the first part
-.br
-   of the principal name equal to prefix of a).
-.br
-c) target_user@local_realm
-.br
-d) source_user@local_realm
-
-If all fails select the first authorized principal
-(from .k5login, .k5users file).  	
-
-\fICase 2:\fP source user is root.
-.br
-If the target user is non-root then the
-default principal name is target_user@local_realm.
-Else, if the source cache exists the default
-principal name is set to the default principal
-of the source cache. If the source cache does not
-exist, default principal name is set to
-root@local_realm.
-.TP 10
-\fB\-c \fIsource_cache_name
-Specify source cache name (e.g.
-.B \-c
-FILE:/tmp/my_cache).
-If
-.B \-c
-option is not used then the
-name is obtained from KRB5CCNAME environment variable.
-If KRB5CCNAME is not defined the source cache name
-is set to krb5cc_<source uid>.
-.TP 10
-\fB\-C \fItarget_cache_name
-Specify the target cache name (e.g.
-.B \-C
-FILE:/tmp/target_cache).
-If '.' is specified (e.g. ksu
-\-C .) ksu uses the source
-cache and does not create a new target cache. Note:
-this case requires both source and target user
-to have read and write permissions for the source cache.
-If
-.B \-C
-option is not used, the default target cache name is
-set to krb5cc_<target uid>.(gen_sym()),
-where gen_sim generates a new number such that
-the resulting cache does not already exist.
-.br
-For example: krb5cc_1984.2
-.TP 10
-\fB\-k
-Do not delete the target cache upon termination of the
-target shell or a command (
-.B \-e
-command).
-Without
-.B \-k,
-ksu deletes the target cache upon termination
-of the source cache unless the '-C .' option was used.
-.TP 10
-\fB\-D
-turn on debug mode.
-.TP 10
-\fITicket granting ticket options: -l lifetime -r time -pf\fP
-The ticket granting ticket options only apply to the
-case where there are no appropriate tickets in
-the cache to authenticate the source user. In this case
-if ksu is configured to prompt users for a
-Kerberos password (GET_TGT_VIA_PASSWD is defined),
-the ticket granting
-ticket options that are specified will be used
-when getting a ticket granting ticket from the Kerberos
-server.
-.TP 10
-\fB\-l \fIlifetime
-option specifies the lifetime (in hours) to be
-requested for the ticket; if this option is not
-specified, the  default ticket lifetime
-(configured by each site) is used instead.
-.TP 10
-\fB\-r \fItime
-option  specifies  that  the  RENEWABLE  option
-should be requested for the ticket, and specifies
-(in hours) the desired total lifetime of the ticket.
-.TP 10
-\fB\-p
-option specifies that the PROXIABLE option should  be
-requested for the ticket.
-.TP 10
-\fB\-f
-option specifies that the FORWARDABLE  option  should
-be requested for the ticket.
-.TP 10
-\fB\-z
-restrict the copy of tickets from the source cache
-to the target cache to only the tickets where client ==
-the target principal name. Use the
-.B \-n
-option
-if you want the tickets for other then the default
-principal. Note that the
-.B \-z 
-option is mutually
-exclusive with '-C .' and -Z options.
-.TP 10
-\fB\-Z
-Don't copy any tickets from the source cache to the
-target cache. Just create a fresh target cache,
-where the default principal name of the cache is
-initialized to the target principal name.  Note that
-.B \-Z
-option is mutually
-exclusive with '-C .' and -z options.
-.TP 10
-\fB\-e \fIcommand [args ...]
-ksu proceeds exactly the same as if it was invoked without the
-.B \-e
-option,
-except instead of executing the target shell, ksu executes the
-specified command (Example of usage: ksu bob
-.B \-e
-ls
-.B \-lag).
-
-\fIThe authorization algorithm for -e is as follows:\fP
-
-If the source user is root, no authorization takes place and             
-the command is executed.  If source user id != 0, and .k5users
-file does not exist, authorization fails.
-Otherwise, .k5users file must have an
-appropriate entry for target principal
-to get authorized.
-
-\fIThe .k5users file format:\fP
-
-A single principal entry on each line
-that may be followed by a list of commands that
-the principal is authorized to execute.
-A principal name followed by a '*' means
-that the user is authorized to execute
-any command. Thus, in the following example:
-
-jqpublic@USC.EDU ls mail /local/kerberos/klist
-.br
-jqpublic/secure@USC.EDU *
-.br
-jqpublic/admin@USC.EDU
-
-jqpublic@USC.EDU is only authorized to execute ls, mail
-and klist commands. jqpublic/secure@USC.EDU is authorized
-to execute any command. jqpublic/admin@USC.EDU is not
-authorized to execute any command.  Note, that
-jqpublic/admin@USC.EDU is authorized to execute
-the target shell (regular ksu, without the
-.B \-e
-option) but jqpublic@USC.EDU is not.
-
-The commands listed after the principal name must
-be either a full path names or just the program name.
-In the second case, CMD_PATH specifying the location
-of authorized programs, must be defined at the
-compilation time of ksu.               
-
-\fIWhich command gets executed ?\fP
-
-If the source user is root or the user
-is authorized to execute any command ('*' entry)
-then command can be either a full or a relative
-path leading to the target program.
-Otherwise, the user must specify either a full
-path or just the program name.
-.TP 10
-\fB\-a \fIargs
-specify arguments to be passed to the target shell.
-Note: that all flags and parameters following -a
-will be passed to the shell, thus all options
-intended for ksu must precede
-.B \-a.
-.B \-a
-option can be used to simulate the
-.B \-e
-option if used as follows:
-.B \-a
-.B \-c
-[command [arguments]].
-.B \-c
-is interpreted by the c-shell to execute the command.
-.PP
-.SH INSTALLATION INSTRUCTIONS
-ksu can be compiled with the following flags (see the makefile):
-.TP 10
-\fILOCAL_REALM\fP 
-possible values: the name of the local realm
-or '.' in which case krb.conf is used to get
-up the local realm name.
-.TP 10
-\fIGET_TGT_VIA_PASSWD\fP 
-in case no appropriate tickets are found in the source
-cache, the user will be prompted for a Kerberos
-password.  The password is then used to get a
-ticket granting ticket from the Kerberos server.
-The danger of configuring ksu with this macro is
-if the source user is loged in remotely and does not
-have a secure channel, the password may get exposed.
-.TP 10
-\fIPRINC_LOOK_AHEAD\fP
-during the resolution of the default principal name,
-PRINC_LOOK_AHEAD enables ksu to find principal names          
-in the .k5users file that have a common prefix with
-the default principal of the source cache.              
-.TP 10
-\fICMD_PATH\fP
-specifies a list of directories containing programs
-that users are authorized to execute (via .k5users file). 
-.TP 10
-SAMPLE CONFIGURATION:
-KSU_OPTS = -DLOCAL_REALM='"ISI.EDU"' -DGET_TGT_VIA_PASSWD 
--DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"
-.TP 10
-PERMISSIONS FOR KSU
-ksu should be owned by root and have the set user id  bit turned on.   
-.TP 10
-END-SERVER ENTRY     
-ksu attempts to get a ticket for the end server just as 
-Kerberized telnet and rlogin.  Thus, there must be
-an entry for the server in the Kerberos database
-(e.g. host/nii.isi.edu@ISI.EDU). k5srvtab must be in
-an appropriate location.               
diff --git a/src/clients/ksu/ksu.M b/src/clients/ksu/ksu.M
index 704d431168..cb80bffc2c 100644
--- a/src/clients/ksu/ksu.M
+++ b/src/clients/ksu/ksu.M
@@ -149,15 +149,11 @@ If the target principal name is found without any trailing commands
 or followed only by '*' then the source user is authorized.  
 If either .k5login or .k5users exist but an appropriate entry for the target
 principal does not exist then access is denied. If neither
-file exists then a database of local principal names is
-consulted (the name of this database is defined in Kerberos osconf.h
-file by DEFAULT_LNAME_FILENAME macro). If the target principal name is
-found then the source user is authorized to access the account.
-If it's not found, and ksu was compiled with LOCAL_REALM macro undefined,
-authorization fails. If LOCAL_REALM is defined, and it matches
-the target principal's realm and the first component of the
-target principal name translates to the target account name then
-authorization is successful.  Otherwise, authorization fails.
+file exists then the principal will be granted access 
+to the account according to the aname\->lname mapping rules (see
+.IR krb5_anadd(8) 
+for more details).
+Otherwise, authorization fails.
 .br
 .SH EXECUTION OF THE TARGET SHELL
 Upon successful authentication and authorization, ksu
@@ -456,11 +452,6 @@ is interpreted by the c-shell to execute the command.
 .SH INSTALLATION INSTRUCTIONS
 ksu can be compiled with the following 5 flags (see the Imakefile):
 .TP 10
-\fILOCAL_REALM\fP 
-possible values: the name of the local realm
-or '.' in which case krb.conf is used to look
-up the local realm name.
-.TP 10
 \fIGET_TGT_VIA_PASSWD\fP 
 in case no appropriate tickets are found in the source
 cache, the user will be prompted for a Kerberos
@@ -488,7 +479,7 @@ the names of "legal shells".  Note that the target user's
 shell is obtained from the passwd file.
 .TP 10
 SAMPLE CONFIGURATION:
-KSU_OPTS = -DLOCAL_REALM='"ISI.EDU"' -DGET_TGT_VIA_PASSWD 
+KSU_OPTS = -DGET_TGT_VIA_PASSWD 
 -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"
 .TP 10
 PERMISSIONS FOR KSU
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index 4315ed85e3..fd8232fb20 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -161,7 +161,7 @@ extern void printtime PROTOTYPE((time_t));
 extern krb5_boolean fowner PROTOTYPE((FILE *, int));
 
 extern krb5_error_code krb5_authorization
-	PROTOTYPE((krb5_context, krb5_principal, const char *, char *, char *, 
+	PROTOTYPE((krb5_context, krb5_principal, const char *, char *, 
 		   krb5_boolean *, char **));
 
 extern krb5_error_code k5login_lookup PROTOTYPE((FILE *, char *,
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d06a669ffe..582c772cba 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -84,7 +84,6 @@ krb5_context ksu_context;
 char * cc_target_tag = NULL; 
 char * target_user = NULL;
 char * source_user;
-char * local_realm_name = NULL;
 
 krb5_ccache cc_source = NULL;
 char * cc_source_tag = NULL; 
@@ -125,11 +124,7 @@ char * dir_of_cc_source;
 
     krb5_init_context(&ksu_context); 
     krb5_init_ets(ksu_context); 	/* initialize kerberos error tables */
-
-#ifdef LOCAL_REALM 
-    local_realm_name = LOCAL_REALM ;	
-#endif
-
+    krb5_secure_config_files(ksu_context);
 
     if (strrchr(argv[0], '/'))
 	argv[0] = strrchr(argv[0], '/')+1;
@@ -624,7 +619,7 @@ char * dir_of_cc_source;
 			source_user,ontty());
 
 		if ((retval = krb5_authorization(ksu_context, client,target_user,
-		 	 local_realm_name, cmd, &authorization_val, &exec_cmd))){
+		 	 cmd, &authorization_val, &exec_cmd))){
                	       com_err(prog_name,retval,"while checking authorization");
 		       sweep_up(ksu_context, use_source_cache, cc_target);
 		       exit(1);