authortron <tron@pkgsrc.org>2008-06-08 11:47:13 +0000
committertron <tron@pkgsrc.org>2008-06-08 11:47:13 +0000
commit5ec13cc79c1d1755fdb60b7215123b6aa57ceffb (patch)
tree8414755217db8c1633283f924329f84bde81a5e5
parent298346584a19d3d5c13cce2b83d2d15f3d80ff95 (diff)
downloadpkgsrc-5ec13cc79c1d1755fdb60b7215123b6aa57ceffb.tar.gz
Pullup ticket #2417 - requested by tonnerre
Security patches for mit-krb5 Revisions pulled up: - security/mit-krb5/Makefile 1.42 - security/mit-krb5/distinfo 1.17-1.19 - security/mit-krb5/patches/patch-ai 1.3-1.4 - security/mit-krb5/patches/patch-au 1.1-1.2 - security/mit-krb5/patches/patch-av 1.1-1.2 - security/mit-krb5/patches/patch-aw 1.1-1.2 - security/mit-krb5/patches/patch-ax 1.1-1.2 - security/mit-krb5/patches/patch-ay 1.1-1.2 - security/mit-krb5/patches/patch-az 1.1-1.2 - security/mit-krb5/patches/patch-ba 1.1-1.3 - security/mit-krb5/patches/patch-bb 1.1-1.2 - security/mit-krb5/patches/patch-bc 1.1-1.2 - security/mit-krb5/patches/patch-bd 1.1-1.2 - security/mit-krb5/patches/patch-be 1.1-1.2 - security/mit-krb5/patches/patch-bf 1.1 - security/mit-krb5/patches/patch-bg 1.1 --- Module Name: pkgsrc Committed By: tonnerre Date: Sat Jun 7 18:36:07 UTC 2008 Modified Files: pkgsrc/security/mit-krb5: Makefile distinfo Added Files: pkgsrc/security/mit-krb5/patches: patch-ai patch-au patch-av patch-aw patch-ax patch-ay patch-az patch-ba patch-bb patch-bc patch-bd patch-be Log Message: Add security patches for 3 Kerberos vulnerabilities: - telnetd username and environment sanitizing vulnerabilities ("-f root") as described in MIT Kerberos advisory 2007-001. - krb5_klog_syslog() problems with overly long log strings as described in MIT Kerberos advisory 2007-002. - GSS API kg_unseal_v1() double free vulnerability as described in the MIT Kerberos advisory 2007-003. --- Module Name: pkgsrc Committed By: tonnerre Date: Sat Jun 7 20:22:18 UTC 2008 Modified Files: pkgsrc/security/mit-krb5: distinfo pkgsrc/security/mit-krb5/patches: patch-ai patch-au patch-av patch-aw patch-ax patch-ay patch-az patch-ba patch-bb patch-bc patch-bd patch-be Log Message: Remove parts of a different security patch which slipped in but are not supported yet. Don't bump revision as the package didn't build before. 
--- Module Name: pkgsrc Committed By: tonnerre Date: Sat Jun 7 22:26:10 UTC 2008 Modified Files: pkgsrc/security/mit-krb5: distinfo pkgsrc/security/mit-krb5/patches: patch-ba Added Files: pkgsrc/security/mit-krb5/patches: patch-bf patch-bg Log Message: Add patches for MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005. PKGREVISION will be bumped again once some other patches are in.
-rw-r--r--security/mit-krb5/Makefile4
-rw-r--r--security/mit-krb5/distinfo16
-rw-r--r--security/mit-krb5/patches/patch-ai44
-rw-r--r--security/mit-krb5/patches/patch-au14
-rw-r--r--security/mit-krb5/patches/patch-av12
-rw-r--r--security/mit-krb5/patches/patch-aw68
-rw-r--r--security/mit-krb5/patches/patch-ax53
-rw-r--r--security/mit-krb5/patches/patch-ay10
-rw-r--r--security/mit-krb5/patches/patch-az28
-rw-r--r--security/mit-krb5/patches/patch-ba630
-rw-r--r--security/mit-krb5/patches/patch-bb34
-rw-r--r--security/mit-krb5/patches/patch-bc17
-rw-r--r--security/mit-krb5/patches/patch-bd35
-rw-r--r--security/mit-krb5/patches/patch-be17
-rw-r--r--security/mit-krb5/patches/patch-bf13
-rw-r--r--security/mit-krb5/patches/patch-bg43
16 files changed, 1035 insertions, 3 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index bc6adff0cd9..c564a9d13be 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.41 2007/06/22 14:20:01 gdt Exp $
+# $NetBSD: Makefile,v 1.41.8.1 2008/06/08 11:47:13 tron Exp $
DISTNAME= krb5-1.4.2
PKGNAME= mit-${DISTNAME:S/-signed$//}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/1.4/
DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index d747fcd8cac..d45955e6351 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2007/01/17 23:43:47 salo Exp $
+$NetBSD: distinfo,v 1.16.10.1 2008/06/08 11:47:13 tron Exp $
SHA1 (krb5-1.4.2-signed.tar) = bbc03bd319d539fb9523c2545d80ba0784522e88
RMD160 (krb5-1.4.2-signed.tar) = 44500f5fab8e5959cf43f17f5f52f68e2dc73a1f
@@ -11,6 +11,7 @@ SHA1 (patch-ae) = fc6d5e11cd827cdfbe1bfc3a3c7ca9f5a71c17d7
SHA1 (patch-af) = c9631743e3c93aee2aab5c8a370e9bebfc4084e5
SHA1 (patch-ag) = 5da57455f36a2bd40e0f97db94e93249e90e0b8e
SHA1 (patch-ah) = 59a6bfc341a22234b38db406abe83b0d6d358a9f
+SHA1 (patch-ai) = 5b0f1ae222e50eb0eb3ed98c79188318ae0969b5
SHA1 (patch-aj) = 5c633571ea932ce349065cbb4c3bf482cc971675
SHA1 (patch-ak) = 9d95372fd8edddbf0366e83a51d7a0b8a507f218
SHA1 (patch-al) = fb611fe47bd7c773d7baf11424e90cd3af70c422
@@ -22,3 +23,16 @@ SHA1 (patch-aq) = 52429b712ca7a478caeb76fd165585c7aab7fa02
SHA1 (patch-ar) = 37807c14f03533aef8796ac90e5fac36ff98308a
SHA1 (patch-as) = b155219fd512b59f698497af1bf6acf1ca4f4a34
SHA1 (patch-at) = df0605b0f5fbaef6b7540f87079ae64b2acc464c
+SHA1 (patch-au) = 238f497afd9ad129babc0b6c727eb23e9915536c
+SHA1 (patch-av) = db0fce68f58307be4c359758f2c9b31d62ab8348
+SHA1 (patch-aw) = 0e651b675d166e71f6543cbad8e29eece89d5b67
+SHA1 (patch-ax) = d403c910211e48c6d1dc27cb2dd98d5f20cc688d
+SHA1 (patch-ay) = 9f54c79c105d7baca3f1efa68a25f9b39dbf7683
+SHA1 (patch-az) = 79fd9cbbf34287b78d5c6c2faf72e147457f7f37
+SHA1 (patch-ba) = b413b82de3248600beb003456cde811637d05206
+SHA1 (patch-bb) = 156d3341d1cf40cfbe5833f7ad68b5aec297d3fb
+SHA1 (patch-bc) = 8b422991ca22903596cf157ea3603abb741c50a5
+SHA1 (patch-bd) = 8cf0425d2fedea452f80fa599f3c4515e51d834c
+SHA1 (patch-be) = c4497d7b68cefd8109d615c2125d9dc7aa508e5d
+SHA1 (patch-bf) = 1e16b6cbe51a5aa07ac7c7c3c343e82bf16dcde6
+SHA1 (patch-bg) = fa70e00a2eb283782c9960a2c74a879862b979c5
diff --git a/security/mit-krb5/patches/patch-ai b/security/mit-krb5/patches/patch-ai
new file mode 100644
index 00000000000..1aace67f392
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ai
@@ -0,0 +1,44 @@
+$NetBSD: patch-ai,v 1.2.24.1 2008/06/08 11:47:13 tron Exp $
+
+--- appl/telnet/telnetd/sys_term.c.orig 2008-06-07 15:55:51.000000000 +0200
++++ appl/telnet/telnetd/sys_term.c
+@@ -1287,6 +1287,16 @@ start_login(host, autologin, name)
+ #endif
+ #if defined (AUTHENTICATION)
+ if (auth_level >= 0 && autologin == AUTH_VALID) {
++ if (name[0] == '-') {
++ /* Authenticated and authorized to log in to an
++ account starting with '-'? Even if that
++ unlikely case comes to pass, the current login
++ program will not parse the resulting command
++ line properly. */
++ syslog(LOG_ERR, "user name cannot start with '-'");
++ fatal(net, "user name cannot start with '-'");
++ exit(1);
++ }
+ # if !defined(NO_LOGIN_F)
+ #if defined(LOGIN_CAP_F)
+ argv = addarg(argv, "-F");
+@@ -1377,12 +1387,20 @@ start_login(host, autologin, name)
+ } else
+ #endif
+ if (getenv("USER")) {
+- argv = addarg(argv, getenv("USER"));
++ char *user = getenv("USER");
++ if (user[0] == '-') {
++ /* "telnet -l-x ..." */
++ syslog(LOG_ERR, "user name cannot start with '-'");
++ fatal(net, "user name cannot start with '-'");
++ exit(EXIT_FAILURE);
++ }
++ argv = addarg(argv, user);
+ #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
+ {
+ register char **cpp;
+ for (cpp = environ; *cpp; cpp++)
+- argv = addarg(argv, *cpp);
++ if ((*cpp)[0] != '-')
++ argv = addarg(argv, *cpp);
+ }
+ #endif
+ /*
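Review bot: The two new rejection branches in start_login exit with different spellings of the same status, `exit(1)` after the autologin name check and `exit(EXIT_FAILURE)` after the USER check; use `exit(EXIT_FAILURE);` in both so they read as the same intent. Both checks reject only a name whose first byte is '-', which is precisely what lets login(1) parse it as an option (the `-f root` case from MITKRB5-SA-2007-001), so the scope is right, but the environ loop's reason for skipping entries is only implied; I'd put `/* environ entries become login argv here; drop any that would parse as an option */` above the `for (cpp = environ; ...)` loop. fatal() presumably does not return, so the exit() after it is defensive only, but its definition is outside this hunk and worth confirming. start_login begins and ends outside the hunk.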
diff --git a/security/mit-krb5/patches/patch-au b/security/mit-krb5/patches/patch-au
new file mode 100644
index 00000000000..a330db70432
--- /dev/null
+++ b/security/mit-krb5/patches/patch-au
@@ -0,0 +1,14 @@
+$NetBSD$
+
+--- appl/telnet/telnetd/state.c.orig 2002-11-15 21:21:51.000000000 +0100
++++ appl/telnet/telnetd/state.c
+@@ -1665,7 +1665,8 @@ static int envvarok(varp)
+ strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+ strcmp(varp, "NLSPATH") && /* locale stuff */
+ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
+- strcmp(varp, "IFS")) {
++ strcmp(varp, "IFS") &&
++ !strchr(varp, '-')) {
+ return 1;
+ } else {
+ syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
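Review bot: The new `!strchr(varp, '-')` test in envvarok rejects a variable name containing '-' anywhere, which is broader than the argv injection it guards against (only a leading '-' is parsed as an option when NAME=value entries are handed to login), so the patch should say that the wider rejection is deliberate defence in depth; I'd add `/* '-' anywhere in a name: could end up as a login(1) option (MITKRB5-SA-2007-001) */` on the new condition line. Separately, pkgsrc convention is for a patch file to carry a short description between the `$NetBSD$` line and the `---` header naming its origin, and this one (unlike patch-ai, whose RCS id is already expanded) has neither; a line such as `Reject '-' in environment variable names, MIT krb5 advisory 2007-001.` would do. envvarok begins before this hunk.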
diff --git a/security/mit-krb5/patches/patch-av b/security/mit-krb5/patches/patch-av
new file mode 100644
index 00000000000..321e8c5571e
--- /dev/null
+++ b/security/mit-krb5/patches/patch-av
@@ -0,0 +1,12 @@
+$NetBSD$
+
+--- kdc/kdc_util.c.orig 2004-02-13 05:20:56.000000000 +0100
++++ kdc/kdc_util.c
+@@ -404,6 +404,7 @@ kdc_get_server_key(krb5_ticket *ticket,
+
+ krb5_db_free_principal(kdc_context, &server, nprincs);
+ if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
++ limit_string(sname);
+ krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
+ sname);
+ free(sname);
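Review bot: `limit_string(sname)` is called in kdc_get_server_key but neither declared nor defined anywhere in this hunk; if the declaration arrives in kdc_util.h through another patch in this set (patch-bb through patch-be are plausible candidates but not visible here) that is fine, otherwise this compiles as an implicit declaration, so please confirm the prototype lands before this call site. Truncating the unparsed principal here bounds what reaches krb5_klog_syslog on the UNKNOWN SERVER path only; other klog calls in kdc_util.c that log attacker-controlled names presumably need the same treatment, which I cannot see from this hunk. A one-line comment on the added call, `/* bound the name before it reaches krb5_klog_syslog (MITKRB5-SA-2007-002) */`, would record why the truncation sits here. kdc_get_server_key begins and ends outside the hunk.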
diff --git a/security/mit-krb5/patches/patch-aw b/security/mit-krb5/patches/patch-aw
new file mode 100644
index 00000000000..9994307832d
--- /dev/null
+++ b/security/mit-krb5/patches/patch-aw
@@ -0,0 +1,68 @@
+$NetBSD$
+
+--- kdc/do_tgs_req.c.orig 2005-07-12 22:59:51.000000000 +0200
++++ kdc/do_tgs_req.c
+@@ -490,27 +490,38 @@ tgt_again:
+ newtransited = 1;
+ }
+ if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
++ unsigned int tlen;
++ char *tdots;
++
+ errcode = krb5_check_transited_list (kdc_context,
+ &enc_tkt_reply.transited.tr_contents,
+ krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+ krb5_princ_realm (kdc_context, request->server));
++ tlen = enc_tkt_reply.transited.tr_contents.length;
++ tdots = tlen > 125 ? "..." : "";
++ tlen = tlen > 125 ? 125 : tlen;
++
+ if (errcode == 0) {
+ setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+ } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+ krb5_klog_syslog (LOG_INFO,
+- "bad realm transit path from '%s' to '%s' via '%.*s'",
++ "bad realm transit path from '%s' to '%s' "
++ "via '%.*s%s'",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+- enc_tkt_reply.transited.tr_contents.length,
+- enc_tkt_reply.transited.tr_contents.data);
+- else
++ tlen,
++ enc_tkt_reply.transited.tr_contents.data,
++ tdots);
++ else {
+ krb5_klog_syslog (LOG_ERR,
+- "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
++ "unexpected error checking transit from "
++ "'%s' to '%s' via '%.*s%s': %s",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+- enc_tkt_reply.transited.tr_contents.length,
++ tlen,
+ enc_tkt_reply.transited.tr_contents.data,
+- error_message (errcode));
++ tdots, error_message (errcode));
++ }
+ } else
+ krb5_klog_syslog (LOG_INFO, "not checking transit path");
+ if (reject_bad_transit
+@@ -538,6 +549,9 @@ tgt_again:
+ if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+ if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
+ tmp = 0;
++ if (tmp != NULL)
++ limit_string(tmp);
++
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ %s: 2ND_TKT_MISMATCH: "
+ "authtime %d, %s for %s, 2nd tkt client %s",
+@@ -800,6 +814,7 @@ find_alternate_tgs(krb5_kdc_req *request
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ: issuing alternate <un-unparseable> TGT");
+ } else {
++ limit_string(sname);
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ: issuing TGT %s", sname);
+ free(sname);
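Review bot: `%.*s` takes its precision as an `int`, but `tlen` is declared `unsigned int` and passed unchanged to both krb5_klog_syslog calls in the transited-check block, which is a format/argument type mismatch that -Wformat reports; since `tr_contents.length` is unsigned, keep the variable as is and pass `(int)tlen` in both calls, which is safe because the preceding line clamps it to at most 125. The literal 125 is also repeated three times in that block; naming it once (e.g. a `#define` near the top of the file, outside this hunk) would make the clamp and the `"..."` marker visibly share one limit. The `if (tmp != NULL) limit_string(tmp);` guard in the 2ND_TKT_MISMATCH path is correct given that `tmp` is set to 0 on unparse failure. The enclosing functions (process_tgs_req and find_alternate_tgs) both begin and end outside the hunk.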
diff --git a/security/mit-krb5/patches/patch-ax b/security/mit-krb5/patches/patch-ax
new file mode 100644
index 00000000000..b10511d45d4
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ax
@@ -0,0 +1,53 @@
+$NetBSD$
+
+--- kadmin/server/ovsec_kadmd.c.orig 2004-09-21 20:20:16.000000000 +0200
++++ kadmin/server/ovsec_kadmd.c
+@@ -952,13 +952,25 @@ void log_badverf(gss_name_t client_name,
+ rpcproc_t proc;
+ int i;
+ const char *procname;
++ size_t clen, slen;
++ char *cdots, *sdots;
+
+ (void) gss_display_name(&minor, client_name, &client, &gss_type);
+ (void) gss_display_name(&minor, server_name, &server, &gss_type);
+- if (client.value == NULL)
++ if (client.value == NULL) {
+ client.value = "(null)";
+- if (server.value == NULL)
++ clen = sizeof("(null)") -1;
++ } else {
++ clen = client.length;
++ }
++ trunc_name(&clen, &cdots);
++ if (server.value == NULL) {
+ server.value = "(null)";
++ slen = sizeof("(null)") - 1;
++ } else {
++ slen = server.length;
++ }
++ trunc_name(&slen, &sdots);
+ a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
+
+ proc = msg->rm_call.cb_proc;
+@@ -971,14 +983,14 @@ void log_badverf(gss_name_t client_name,
+ }
+ if (procname != NULL)
+ krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
+- "claimed client = %s, server = %s, addr = %s",
+- procname, client.value,
+- server.value, a);
++ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
++ procname, clen, client.value, cdots,
++ slen, server.value, sdots, a);
+ else
+ krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
+- "claimed client = %s, server = %s, addr = %s",
+- proc, client.value,
+- server.value, a);
++ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
++ proc, clen, client.value, cdots,
++ slen, server.value, sdots, a);
+
+ (void) gss_release_buffer(&minor, &client);
+ (void) gss_release_buffer(&minor, &server);
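Review bot: `clen` and `slen` are `size_t` but are passed as the `.*` precision of `%.*s` in both krb5_klog_syslog calls in log_badverf, and that precision argument must be an `int`; on LP64 targets this hands the variadic call an 8-byte value where a 4-byte one is expected, which only works by accident of the calling convention. Pass `(int)clen` and `(int)slen` instead, which is safe because trunc_name has clamped them to a small bound just above. The `sizeof("(null)") -1` / `sizeof("(null)") - 1` pair also differ only in spacing; make them identical. log_badverf begins before this hunk.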
diff --git a/security/mit-krb5/patches/patch-ay b/security/mit-krb5/patches/patch-ay
new file mode 100644
index 00000000000..5001ee60e7e
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ay
@@ -0,0 +1,10 @@
+$NetBSD$
+
+--- kadmin/server/misc.h.orig 2004-10-28 00:12:48.000000000 +0200
++++ kadmin/server/misc.h
+@@ -44,3 +44,5 @@ krb5_error_code process_chpw_request(krb
+ #ifdef SVC_GETARGS
+ void kadm_1(struct svc_req *, SVCXPRT *);
+ #endif
++
++void trunc_name(size_t *len, char **dots);
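Review bot: The new `trunc_name` prototype in misc.h is added without any description of its contract, and its definition is not in this hunk (presumably supplied by another patch in the set; confirm it exists, since several callers in this commit depend on it). From how the callers in patch-ax, patch-az and patch-ba use it, it clamps `*len` to a logging limit and sets `*dots` to `"..."` when it shortened the value and to `""` otherwise, so I would put `/* Clamp *len for logging; *dots becomes "..." if *len was shortened, else "". */` above the prototype, verified against the definition before committing.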
diff --git a/security/mit-krb5/patches/patch-az b/security/mit-krb5/patches/patch-az
new file mode 100644
index 00000000000..db82de61702
--- /dev/null
+++ b/security/mit-krb5/patches/patch-az
@@ -0,0 +1,28 @@
+$NetBSD$
+
+--- kadmin/server/schpw.c.orig 2004-10-28 00:12:48.000000000 +0200
++++ kadmin/server/schpw.c
+@@ -41,6 +41,8 @@ process_chpw_request(context, server_han
+ int numresult;
+ char strresult[1024];
+ char *clientstr;
++ size_t clen;
++ char *cdots;
+
+ ret = 0;
+ rep->length = 0;
+@@ -259,9 +261,12 @@ process_chpw_request(context, server_han
+ free(ptr);
+ clear.length = 0;
+
+- krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
++ clen = strlen(clientstr);
++ trunc_name(&clen, &cdots);
++ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
+ inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
+- clientstr, ret ? error_message(ret) : "success");
++ clen, clientstr, cdots,
++ ret ? error_message(ret) : "success");
+ krb5_free_unparsed_name(context, clientstr);
+
+ if (ret) {
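Review bot: `clen` is a `size_t` yet is passed as the `%.*s` precision in the chpw request log line in process_chpw_request, and that argument must be an `int`; write `clen, clientstr, cdots,` as `(int)clen, clientstr, cdots,` (safe after trunc_name's clamp). `strlen(clientstr)` assumes clientstr is non-NULL, which the original `%s` use already assumed and which the unparse call earlier in this function (outside the hunk) presumably guarantees, so no new risk is introduced here, but it is worth a `/* clientstr is non-NULL here: unparse succeeded above */` note if that guarantee is indeed checked. process_chpw_request begins and ends outside the hunk.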
diff --git a/security/mit-krb5/patches/patch-ba b/security/mit-krb5/patches/patch-ba
new file mode 100644
index 00000000000..2e8efa90974
--- /dev/null
+++ b/security/mit-krb5/patches/patch-ba
@@ -0,0 +1,630 @@
+$NetBSD$
+
+--- kadmin/server/server_stubs.c.orig 2004-08-20 20:45:30.000000000 +0200
++++ kadmin/server/server_stubs.c
+@@ -14,6 +14,7 @@
+ #include <arpa/inet.h> /* inet_ntoa */
+ #include <krb5/adm_proto.h> /* krb5_klog_syslog */
+ #include "misc.h"
++#include <string.h>
+
+ #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
+ #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
+@@ -237,6 +238,61 @@ gss_name_to_string(gss_name_t gss_name,
+ return 0;
+ }
+
++static int
++log_unauth(
++ char *op,
++ char *target,
++ gss_buffer_t client,
++ gss_buffer_t server,
++ struct svc_req *rqstp)
++{
++ size_t tlen, clen, slen;
++ char *tdots, *cdots, *sdots;
++
++ tlen = strlen(target);
++ trunc_name(&tlen, &tdots);
++ clen = client->length;
++ trunc_name(&clen, &cdots);
++ slen = server->length;
++ trunc_name(&slen, &sdots);
++
++ return krb5_klog_syslog(LOG_NOTICE,
++ "Unauthorized request: %s, %.*s%s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s",
++ op, tlen, target, tdots,
++ clen, client->value, cdots,
++ slen, server->value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++}
++
++static int
++log_done(
++ char *op,
++ char *target,
++ char *errmsg,
++ gss_buffer_t client,
++ gss_buffer_t server,
++ struct svc_req *rqstp)
++{
++ size_t tlen, clen, slen;
++ char *tdots, *cdots, *sdots;
++
++ tlen = strlen(target);
++ trunc_name(&tlen, &tdots);
++ clen = client->length;
++ trunc_name(&clen, &cdots);
++ slen = server->length;
++ trunc_name(&slen, &sdots);
++
++ return krb5_klog_syslog(LOG_NOTICE,
++ "Request: %s, %.*s%s, %s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s",
++ op, tlen, target, tdots, errmsg,
++ clen, client->value, cdots,
++ slen, server->value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++}
++
+ generic_ret *
+ create_principal_1_svc(cprinc_arg *arg, struct svc_req *rqstp)
+ {
+@@ -274,18 +330,15 @@ create_principal_1_svc(cprinc_arg *arg,
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_ADD;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_create_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_create_principal((void *)handle,
+ &arg->rec, arg->mask,
+ arg->passwd);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
+- prime_arg,((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_create_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -331,20 +384,18 @@ create_principal3_1_svc(cprinc3_arg *arg
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_ADD;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_create_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_create_principal_3((void *)handle,
+ &arg->rec, arg->mask,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ arg->passwd);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
+- prime_arg,((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++
++ log_done("kadm5_create_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -388,15 +439,13 @@ delete_principal_1_svc(dprinc_arg *arg,
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
+ arg->princ, NULL)) {
+ ret.code = KADM5_AUTH_DELETE;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_delete_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_delete_principal((void *)handle, arg->princ);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", prime_arg,
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_delete_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free(prime_arg);
+ free_server_handle(handle);
+@@ -441,17 +490,14 @@ modify_principal_1_svc(mprinc_arg *arg,
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_MODIFY;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_modify_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
+ arg->mask);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_modify_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -466,12 +512,13 @@ rename_principal_1_svc(rprinc_arg *arg,
+ static generic_ret ret;
+ char *prime_arg1,
+ *prime_arg2;
+- char prime_arg[BUFSIZ];
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
++ size_t tlen1, tlen2, clen, slen;
++ char *tdots1, *tdots2, *cdots, *sdots;
+
+ xdr_free(xdr_generic_ret, &ret);
+
+@@ -492,7 +539,14 @@ rename_principal_1_svc(rprinc_arg *arg,
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
+- sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
++ tlen1 = strlen(prime_arg1);
++ trunc_name(&tlen1, &tdots1);
++ tlen2 = strlen(prime_arg2);
++ trunc_name(&tlen2, &tdots2);
++ clen = client_name.length;
++ trunc_name(&clen, &cdots);
++ slen = service_name.length;
++ trunc_name(&slen, &sdots);
+
+ ret.code = KADM5_OK;
+ if (! CHANGEPW_SERVICE(rqstp)) {
+@@ -510,17 +564,29 @@ rename_principal_1_svc(rprinc_arg *arg,
+ } else
+ ret.code = KADM5_AUTH_INSUFFICIENT;
+ if (ret.code != KADM5_OK) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ krb5_klog_syslog(LOG_NOTICE,
++ "Unauthorized request: kadm5_rename_principal, "
++ "%.*s%s to %.*s%s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s",
++ tlen1, prime_arg1, tdots1,
++ tlen2, prime_arg2, tdots2,
++ clen, client_name.value, cdots,
++ slen, service_name.value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ } else {
+ ret.code = kadm5_rename_principal((void *)handle, arg->src,
+ arg->dest);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ krb5_klog_syslog(LOG_NOTICE,
++ "Request: kadm5_rename_principal, "
++ "%.*s%s to %.*s%s, %s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s",
++ tlen1, prime_arg1, tdots1,
++ tlen2, prime_arg2, tdots2,
++ ((ret.code == 0) ? "success" :
++ error_message(ret.code)),
++ clen, client_name.value, cdots,
++ slen, service_name.value, sdots,
++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ }
+ free_server_handle(handle);
+ free(prime_arg1);
+@@ -572,9 +638,8 @@ get_principal_1_svc(gprinc_arg *arg, str
+ arg->princ,
+ NULL))) {
+ ret.code = KADM5_AUTH_GET;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ if (handle->api_version == KADM5_API_VERSION_1) {
+ ret.code = kadm5_get_principal_v1((void *)handle,
+@@ -588,12 +653,10 @@ get_principal_1_svc(gprinc_arg *arg, str
+ arg->princ, &ret.rec,
+ arg->mask);
+ }
+-
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- prime_arg,
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++
++ log_done(funcname, prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -638,18 +701,15 @@ get_princs_1_svc(gprincs_arg *arg, struc
+ NULL,
+ NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_get_principals", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_get_principals((void *)handle,
+ arg->exp, &ret.princs,
+ &ret.count);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
+- prime_arg,
++ log_done("kadm5_get_principals", prime_arg,
+ ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -697,18 +757,15 @@ chpass_principal_1_svc(chpass_arg *arg,
+ ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
+ arg->pass);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_chpass_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+ if(ret.code != KADM5_AUTH_CHANGEPW) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_chpass_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -764,18 +821,15 @@ chpass_principal3_1_svc(chpass3_arg *arg
+ arg->ks_tuple,
+ arg->pass);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_chpass_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+ if(ret.code != KADM5_AUTH_CHANGEPW) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_chpass_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -822,18 +876,15 @@ setv4key_principal_1_svc(setv4key_arg *a
+ ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
+ arg->keyblock);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_setv4key_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+
+ if(ret.code != KADM5_AUTH_SETKEY) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_setv4key_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -880,18 +931,15 @@ setkey_principal_1_svc(setkey_arg *arg,
+ ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
+ arg->keyblocks, arg->n_keys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_setkey_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+
+ if(ret.code != KADM5_AUTH_SETKEY) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_setkey_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -941,18 +989,15 @@ setkey_principal3_1_svc(setkey3_arg *arg
+ arg->ks_tuple,
+ arg->keyblocks, arg->n_keys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_setkey_principal", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+
+ if(ret.code != KADM5_AUTH_SETKEY) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_setkey_principal", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+
+ free_server_handle(handle);
+@@ -1008,9 +1053,8 @@ chrand_principal_1_svc(chrand_arg *arg,
+ ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
+ &k, &nkeys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+@@ -1025,11 +1069,9 @@ chrand_principal_1_svc(chrand_arg *arg,
+ }
+
+ if(ret.code != KADM5_AUTH_CHANGEPW) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done(funcname, prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -1090,9 +1132,8 @@ chrand_principal3_1_svc(chrand3_arg *arg
+ arg->ks_tuple,
+ &k, &nkeys);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+
+@@ -1107,11 +1148,9 @@ chrand_principal3_1_svc(chrand3_arg *arg
+ }
+
+ if(ret.code != KADM5_AUTH_CHANGEPW) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- prime_arg, ((ret.code == 0) ? "success" :
+- error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done(funcname, prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ free(prime_arg);
+@@ -1152,18 +1191,15 @@ create_policy_1_svc(cpol_arg *arg, struc
+ rqst2name(rqstp),
+ ACL_ADD, NULL, NULL)) {
+ ret.code = KADM5_AUTH_ADD;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+-
++ log_unauth("kadm5_create_policy", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_create_policy((void *)handle, &arg->rec,
+ arg->mask);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_create_policy",
++ ((prime_arg == NULL) ? "(null)" : prime_arg),
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1202,17 +1238,15 @@ delete_policy_1_svc(dpol_arg *arg, struc
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_DELETE, NULL, NULL)) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_delete_policy", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_DELETE;
+ } else {
+ ret.code = kadm5_delete_policy((void *)handle, arg->name);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_delete_policy",
++ ((prime_arg == NULL) ? "(null)" : prime_arg),
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1251,18 +1285,16 @@ modify_policy_1_svc(mpol_arg *arg, struc
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_MODIFY, NULL, NULL)) {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_modify_policy", prime_arg,
++ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_MODIFY;
+ } else {
+ ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
+ arg->mask);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_modify_policy",
++ ((prime_arg == NULL) ? "(null)" : prime_arg),
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1337,15 +1369,13 @@ get_policy_1_svc(gpol_arg *arg, struct s
+ &ret.rec);
+ }
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
+- ((prime_arg == NULL) ? "(null)" : prime_arg),
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done(funcname,
++ ((prime_arg == NULL) ? "(null)" : prime_arg),
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1388,18 +1418,15 @@ get_pols_1_svc(gpols_arg *arg, struct sv
+ rqst2name(rqstp),
+ ACL_LIST, NULL, NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_get_policies", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_get_policies((void *)handle,
+ arg->exp, &ret.pols,
+ &ret.count);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
+- prime_arg,
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_get_policies", prime_arg,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1432,11 +1459,9 @@ getprivs_ret * get_privs_1_svc(krb5_ui_4
+ }
+
+ ret.code = kadm5_get_privs((void *)handle, &ret.privs);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
+- client_name.value,
+- ((ret.code == 0) ? "success" : error_message(ret.code)),
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_get_privs", client_name.value,
++ ((ret.code == 0) ? "success" : error_message(ret.code)),
++ &client_name, &service_name, rqstp);
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+@@ -1450,6 +1475,8 @@ generic_ret *init_1_svc(krb5_ui_4 *arg,
+ service_name;
+ kadm5_server_handle_t handle;
+ OM_uint32 minor_stat;
++ size_t clen, slen;
++ char *cdots, *sdots;
+
+ xdr_free(xdr_generic_ret, &ret);
+
+@@ -1466,12 +1493,18 @@ generic_ret *init_1_svc(krb5_ui_4 *arg,
+ return &ret;
+ }
+
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
++ clen = client_name.length;
++ trunc_name(&clen, &cdots);
++ slen = service_name.length;
++ trunc_name(&slen, &sdots);
++ krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
+ (ret.api_version == KADM5_API_VERSION_1 ?
+ "kadm5_init (V1)" : "kadm5_init"),
+- client_name.value,
++ clen, client_name.value, cdots,
+ (ret.code == 0) ? "success" : error_message(ret.code),
+- client_name.value, service_name.value,
++ clen, client_name.value, cdots,
++ slen, service_name.value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
+ rqstp->rq_cred.oa_flavor);
+ gss_release_buffer(&minor_stat, &client_name);
diff --git a/security/mit-krb5/patches/patch-bb b/security/mit-krb5/patches/patch-bb
new file mode 100644
index 00000000000..c2da26fd0b7
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bb
@@ -0,0 +1,34 @@
+$NetBSD$
+
+--- kadmin/server/kadm_rpc_svc.c.orig 2004-06-16 05:11:51.000000000 +0200
++++ kadmin/server/kadm_rpc_svc.c
+@@ -249,6 +249,8 @@ check_rpcsec_auth(struct svc_req *rqstp)
+ krb5_data *c1, *c2, *realm;
+ gss_buffer_desc gss_str;
+ kadm5_server_handle_t handle;
++ size_t slen;
++ char *sdots;
+
+ success = 0;
+ handle = (kadm5_server_handle_t)global_server_handle;
+@@ -273,6 +275,9 @@ check_rpcsec_auth(struct svc_req *rqstp)
+ if (ret == 0)
+ goto fail_name;
+
++ slen = gss_str.length;
++ trunc_name(&slen, &sdots);
++
+ /*
+ * Since we accept with GSS_C_NO_NAME, the client can authenticate
+ * against the entire kdb. Therefore, ensure that the service
+@@ -295,8 +300,8 @@ check_rpcsec_auth(struct svc_req *rqstp)
+
+ fail_princ:
+ if (!success) {
+- krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",
+- gss_str.length, gss_str.value);
++ krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
++ slen, gss_str.value, sdots);
+ }
+ gss_release_buffer(&min_stat, &gss_str);
+ krb5_free_principal(kctx, princ);
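Review bot: The rewritten `krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s", slen, gss_str.value, sdots)` passes `slen`, a `size_t`, where the `*` precision of `%.*s` must be an `int`; on LP64 that is a mismatched variadic argument and the line can log garbage or nothing at all. Since trunc_name() caps the length at a small bound the cast is safe: change the argument list to `(int)slen, gss_str.value, sdots`. trunc_name() is defined non-static in misc.c by a sibling patch, so kadm_rpc_svc.c also needs its prototype in scope (presumably via misc.h, which this diff does not show) or the call is an implicit declaration. check_rpcsec_auth() starts and ends outside the hunk.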
diff --git a/security/mit-krb5/patches/patch-bc b/security/mit-krb5/patches/patch-bc
new file mode 100644
index 00000000000..c267502a29f
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bc
@@ -0,0 +1,17 @@
+$NetBSD$
+
+--- kadmin/server/misc.c.orig 2004-10-29 01:41:10.000000000 +0200
++++ kadmin/server/misc.c
+@@ -149,3 +149,12 @@ check_min_life(void *server_handle, krb5
+
+ return kadm5_free_principal_ent(handle->lhandle, &princ);
+ }
++
++#define MAXPRINCLEN 125
++
++void
++trunc_name(size_t *len, char **dots)
++{
++ *dots = *len > MAXPRINCLEN ? "..." : "";
++ *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
++}
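Review bot: trunc_name() is a new externally visible helper with no comment stating its contract, and the bare 125 in MAXPRINCLEN is unexplained, so a reader of the `%.*s%s` call sites cannot tell that the cap exists to keep a peer-supplied principal name from overrunning the fixed-size buffer inside krb5_klog_syslog(). I would add above the define `/* Longest principal/service name logged verbatim; anything longer is cut here and marked with "..." so a peer cannot push an arbitrarily long string into the fixed klog buffer. */` and above the function `/* Clamp *len to MAXPRINCLEN and set *dots to "..." if truncated, "" otherwise; meant as the %.*s precision and trailing suffix. */`. Because `*len` stays a `size_t`, callers still have to cast it to `int` at the `%.*s` argument. The function is not `static`, so a prototype is expected in misc.h, which this diff does not include.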
diff --git a/security/mit-krb5/patches/patch-bd b/security/mit-krb5/patches/patch-bd
new file mode 100644
index 00000000000..5e37a3adcd1
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bd
@@ -0,0 +1,35 @@
+$NetBSD$
+
+--- lib/kadm5/logger.c.orig 2002-09-18 22:44:13.000000000 +0200
++++ lib/kadm5/logger.c
+@@ -45,7 +45,7 @@
+ #include <varargs.h>
+ #endif /* HAVE_STDARG_H */
+
+-#define KRB5_KLOG_MAX_ERRMSG_SIZE 1024
++#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
+ #ifndef MAXHOSTNAMELEN
+ #define MAXHOSTNAMELEN 256
+ #endif /* MAXHOSTNAMELEN */
+@@ -256,7 +256,9 @@ klog_com_err_proc(const char *whoami, lo
+ #endif /* HAVE_SYSLOG */
+
+ /* Now format the actual message */
+-#if HAVE_VSPRINTF
++#if HAVE_VSNPRINTF
++ vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
++#elif HAVE_VSPRINTF
+ vsprintf(cp, actual_format, ap);
+ #else /* HAVE_VSPRINTF */
+ sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
+@@ -843,7 +845,9 @@ klog_vsyslog(int priority, const char *f
+ syslogp = &outbuf[strlen(outbuf)];
+
+ /* Now format the actual message */
+-#ifdef HAVE_VSPRINTF
++#ifdef HAVE_VSNPRINTF
++ vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
++#elif HAVE_VSPRINTF
+ vsprintf(syslogp, format, arglist);
+ #else /* HAVE_VSPRINTF */
+ sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
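Review bot: Both new `vsnprintf` branches only take effect when the build defines HAVE_VSNPRINTF; if configure does not probe for it (no configure change is in this diff), the preprocessor silently falls back to the unbounded `vsprintf`/`sprintf` branches and the overflow this patch addresses stays in place. I would confirm the build defines it and turn the silent fallback into a hard failure, e.g. replace the trailing `#else` branch with `#error "vsnprintf is required for bounded log formatting"`. The bound `sizeof(outbuf) - (cp - outbuf)` also presumes `cp` still points inside `outbuf` after the prefix was written; that prefix code is outside the hunk, and a `cp` one past the end would turn the size into a huge value. Raising KRB5_KLOG_MAX_ERRMSG_SIZE to 2048 is a mitigation, not the fix; the bound is what matters.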
diff --git a/security/mit-krb5/patches/patch-be b/security/mit-krb5/patches/patch-be
new file mode 100644
index 00000000000..4a2083c5d9d
--- /dev/null
+++ b/security/mit-krb5/patches/patch-be
@@ -0,0 +1,17 @@
+$NetBSD$
+
+--- lib/gssapi/krb5/k5unseal.c.orig 2004-04-13 22:00:19.000000000 +0200
++++ lib/gssapi/krb5/k5unseal.c
+@@ -457,8 +457,11 @@ kg_unseal_v1(context, minor_status, ctx,
+
+ if ((ctx->initiate && direction != 0xff) ||
+ (!ctx->initiate && direction != 0)) {
+- if (toktype == KG_TOK_SEAL_MSG)
++ if (toktype == KG_TOK_SEAL_MSG) {
+ xfree(token.value);
++ message_buffer->value = NULL;
++ message_buffer->length = 0;
++ }
+ *minor_status = G_BAD_DIRECTION;
+ return(GSS_S_BAD_SIG);
+ }
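Review bot: The fix depends on `message_buffer->value` aliasing `token.value` at the `xfree(token.value)`, which the hunk does not show; if that assignment lives elsewhere or its order changes, clearing `message_buffer` becomes either a no-op or hides a leak. A comment on the new lines would pin the invariant: `/* token.value was already handed to the caller through message_buffer; clear it so gss_release_buffer() does not free it a second time. */`. Any other error return in kg_unseal_v1() that follows the assignment into message_buffer should presumably be audited for the same double-free pattern, since only this direction check is touched. The function starts and ends outside the hunk.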
diff --git a/security/mit-krb5/patches/patch-bf b/security/mit-krb5/patches/patch-bf
new file mode 100644
index 00000000000..a392d75875f
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bf
@@ -0,0 +1,13 @@
+$NetBSD: patch-bf,v 1.1.2.2 2008/06/08 11:47:13 tron Exp $
+
+--- lib/rpc/svc_auth_gssapi.c.orig 2004-09-17 23:52:11.000000000 +0200
++++ lib/rpc/svc_auth_gssapi.c
+@@ -148,6 +148,8 @@ enum auth_stat gssrpc__svcauth_gssapi(
+ rqst->rq_xprt->xp_auth = &svc_auth_none;
+
+ memset((char *) &call_res, 0, sizeof(call_res));
++ creds.client_handle.length = 0;
++ creds.client_handle.value = NULL;
+
+ cred = &msg->rm_call.cb_cred;
+ verf = &msg->rm_call.cb_verf;
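Review bot: Only `creds.client_handle` is initialised while the rest of `creds` keeps whatever the stack held; the line above already zeroes `call_res` wholesale, and the same treatment is the safer choice for the failure path this patch protects, unless some field of `creds` must start non-zero. I would replace the two added lines with `memset(&creds, 0, sizeof(creds));` beside the existing `memset(&call_res, ...)`, so any other field released on error is also in a defined state. The $NetBSD header gives no hint which advisory this patch implements and the commit message only names 2007-001/002/003; a one-line comment under the header naming the issue would help future pullups. gssrpc__svcauth_gssapi() starts and ends outside the hunk.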
diff --git a/security/mit-krb5/patches/patch-bg b/security/mit-krb5/patches/patch-bg
new file mode 100644
index 00000000000..abe7c48e611
--- /dev/null
+++ b/security/mit-krb5/patches/patch-bg
@@ -0,0 +1,43 @@
+$NetBSD: patch-bg,v 1.1.2.2 2008/06/08 11:47:13 tron Exp $
+
+--- lib/rpc/svc_auth_unix.c.orig 2004-09-17 23:52:11.000000000 +0200
++++ lib/rpc/svc_auth_unix.c
+@@ -64,8 +64,7 @@ gssrpc__svcauth_unix(
+ char area_machname[MAX_MACHINE_NAME+1];
+ int area_gids[NGRPS];
+ } *area;
+- u_int auth_len;
+- int str_len, gid_len;
++ u_int auth_len, str_len, gid_len;
+ register int i;
+
+ rqst->rq_xprt->xp_auth = &svc_auth_none;
+@@ -74,7 +73,9 @@ gssrpc__svcauth_unix(
+ aup = &area->area_aup;
+ aup->aup_machname = area->area_machname;
+ aup->aup_gids = area->area_gids;
+- auth_len = (u_int)msg->rm_call.cb_cred.oa_length;
++ auth_len = msg->rm_call.cb_cred.oa_length;
++ if (auth_len > INT_MAX)
++ return AUTH_BADCRED;
+ xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
+ buf = XDR_INLINE(&xdrs, (int)auth_len);
+ if (buf != NULL) {
+@@ -84,7 +85,7 @@ gssrpc__svcauth_unix(
+ stat = AUTH_BADCRED;
+ goto done;
+ }
+- memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len);
++ memmove(aup->aup_machname, buf, str_len);
+ aup->aup_machname[str_len] = 0;
+ str_len = RNDUP(str_len);
+ buf += str_len / BYTES_PER_XDR_UNIT;
+@@ -104,7 +105,7 @@ gssrpc__svcauth_unix(
+ * timestamp, hostname len (0), uid, gid, and gids len (0).
+ */
+ if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
+- (void) printf("bad auth_len gid %d str %d auth %d\n",
++ (void) printf("bad auth_len gid %u str %u auth %u\n",
+ gid_len, str_len, auth_len);
+ stat = AUTH_BADCRED;
+ goto done;
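Review bot: `INT_MAX` in the new `if (auth_len > INT_MAX) return AUTH_BADCRED;` needs `<limits.h>`, which the hunk does not add, so the build breaks unless svc_auth_unix.c already includes it. The later check `(5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len` is now pure unsigned arithmetic, so a `gid_len` near UINT_MAX/4 wraps the product and slips through unless `gid_len` is already bounded; the `gid_len > NGRPS` test is outside the hunk and should be confirmed to run before this line. A form that cannot wrap is `if (gid_len > NGRPS || str_len > auth_len || (5 + gid_len) * BYTES_PER_XDR_UNIT > auth_len - str_len)`. The early `return` skips the `done:` cleanup, which is fine only because the XDR stream is created after it, as the visible order shows. gssrpc__svcauth_unix() starts and ends outside the hunk.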