If the local machine is missing a keytab file, though, isn’t that local #Kerberos for PAM implementation already fundamentally broken? Without a keytab entry, you could /never/ be sure the TGT was legit.
Are keytab files optional when configuring krb5 on FreeBSD? How about other OSes? IOW, does this CVE describe a fundamental, common implementation issue with OTHER pam-krb5 installs?
I haven’t looked at the patch yet (on a phone, not entirely sure I want to get out of bed yet on a Sunday). But the more documentation I read on fixing common pam-krb5 problems, the more suspicious I become that nobody does keytab checking correctly (except, now, #FreeBSD).
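
The keytab question raised in this post can be checked on a given host. The following is an added example, not part of the original post and not FreeBSD's or pam-krb5's own code: a shell audit that reports whether a login's TGT would be verified against a local key. It assumes the PAM module relies on the Kerberos library's initial-credential verification and its `verify_ap_req_nofail` setting in `[libdefaults]`; the function names, state names and default paths are choices made for this example.

```shell
#!/bin/sh
# Added example: does this host verify a TGT against a local keytab?
# Assumption: the PAM module defers to the library's initial-credential
# verification, which honours verify_ap_req_nofail in [libdefaults].

# Print the lower-cased value of verify_ap_req_nofail, if set in [libdefaults].
nofail_setting() {
    [ -r "$1" ] || return 0
    awk '
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && /^[ \t]*verify_ap_req_nofail[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = tolower($0)
        }
        END { if (v != "") print v }
    ' "$1"
}

# Print one of four states:
#   enforced     keytab present, and a failed verification is fatal
#   best-effort  keytab present, but an unusable keytab is silently skipped
#   fail-closed  no keytab, logins are rejected instead of trusted
#   unverified   no keytab, the TGT is accepted without any local check
audit_krb5_verify() {
    conf=${1:-/etc/krb5.conf}       # conventional path (assumption)
    keytab=${2:-/etc/krb5.keytab}   # conventional path (assumption)

    case $(nofail_setting "$conf") in
        true|yes|on|1|t|y) nofail=1 ;;
        *)                 nofail=0 ;;
    esac

    # -s only proves the file is non-empty; it does not prove the file
    # holds a host key that the login process can actually read.
    if [ -s "$keytab" ]; then have_kt=1; else have_kt=0; fi

    if [ "$have_kt" -eq 1 ] && [ "$nofail" -eq 1 ]; then
        echo "enforced"
    elif [ "$have_kt" -eq 1 ]; then
        echo "best-effort"
    elif [ "$nofail" -eq 1 ]; then
        echo "fail-closed"
    else
        echo "unverified"
    fi
}
```

Source the file and call `audit_krb5_verify` with no arguments to check the conventional paths, or pass a config path and a keytab path explicitly.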