From: Michael R Sweet Date: Sat, 6 Mar 2021 16:00:07 +0000 (-0500) Subject: Deprecate Kerberos authentication (Issue #98) X-Git-Tag: v2.4b1~234 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6d78a34e2481941ec93cf1af6b55cf54d217adf8;p=thirdparty%2Fcups.git Deprecate Kerberos authentication (Issue #98) Note: Kerberos is no longer enabled by default. You must add the "--enable-gssapi" configure option to build CUPS with Kerberos support. --- diff --git a/CHANGES.md b/CHANGES.md index f91697397a..8261c6ee02 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -11,6 +11,7 @@ CUPS v2.4rc1 (Pending) - The `cupsfilter` command now shows error messages when options are used incorrectly (Issue #88) - Documentation fixes (Issue #92) +- Kerberos (`AuthType Negotiate`) authentication is now deprecated (Issue #98) - Removed support for the (long deprecated and unused) `FontPath`, `LPDConfigFile`, `RIPCache`, and `SMBConfigFile` directives in `cupsd.conf` and `cups-files.conf`. diff --git a/config-scripts/cups-gssapi.m4 b/config-scripts/cups-gssapi.m4 index e18f264561..8af2e8dc22 100644 --- a/config-scripts/cups-gssapi.m4 +++ b/config-scripts/cups-gssapi.m4 
@@ -1,123 +1,135 @@ dnl dnl GSSAPI/Kerberos library detection for CUPS. dnl -dnl Copyright 2007-2017 by Apple Inc. -dnl Copyright 2006-2007 by Easy Software Products. +dnl Copyright © 2021 by OpenPrinting. +dnl Copyright @ 2007-2017 by Apple Inc. +dnl Copyright @ 2006-2007 by Easy Software Products. dnl dnl This file contains Kerberos support code, copyright 2006 by dnl Jelmer Vernooij. dnl -dnl Licensed under Apache License v2.0. See the file "LICENSE" for more information. +dnl Licensed under Apache License v2.0. See the file "LICENSE" for more +dnl information. dnl -AC_ARG_ENABLE(gssapi, [ --disable-gssapi disable GSSAPI support]) +AC_ARG_ENABLE([gssapi], AS_HELP_STRING([--enable-gssapi], [enable (deprecated) GSSAPI/Kerberos support])) LIBGSSAPI="" -AC_SUBST(LIBGSSAPI) +AC_SUBST([LIBGSSAPI]) -if test x$enable_gssapi != xno; then - AC_PATH_TOOL(KRB5CONFIG, krb5-config) - if test "x$KRB5CONFIG" != x; then - case "$host_os_name" in - darwin) - # macOS weak-links to the Kerberos framework... - LIBGSSAPI="-weak_framework Kerberos" - AC_MSG_CHECKING(for GSS framework) - if test -d /System/Library/Frameworks/GSS.framework; then - AC_MSG_RESULT(yes) - LIBGSSAPI="$LIBGSSAPI -weak_framework GSS" - else - AC_MSG_RESULT(no) - fi - ;; - sunos*) - # Solaris has a non-standard krb5-config, don't use it! - AC_CHECK_LIB(gss, gss_display_status, - AC_DEFINE(HAVE_GSSAPI, 1, [Whether GSSAPI is available]) - CFLAGS="`$KRB5CONFIG --cflags` $CFLAGS" - CPPFLAGS="`$KRB5CONFIG --cflags` $CPPFLAGS" - LIBGSSAPI="-lgss `$KRB5CONFIG --libs`") - ;; - *) - # Other platforms just ask for GSSAPI - CFLAGS="`$KRB5CONFIG --cflags gssapi` $CFLAGS" - CPPFLAGS="`$KRB5CONFIG --cflags gssapi` $CPPFLAGS" - LIBGSSAPI="`$KRB5CONFIG --libs gssapi`" - ;; - esac - AC_DEFINE(HAVE_GSSAPI, 1, [Whether GSSAPI is available]) - else - # Check for vendor-specific implementations... 
- case "$host_os_name" in - hp-ux*) - AC_CHECK_LIB(gss, gss_display_status, - AC_DEFINE(HAVE_GSSAPI, 1, [Whether GSSAPI is available]) - LIBGSSAPI="-lgss -lgssapi_krb5") - ;; - sunos*) - AC_CHECK_LIB(gss, gss_display_status, - AC_DEFINE(HAVE_GSSAPI, 1, [Whether GSSAPI is available]) - LIBGSSAPI="-lgss") - ;; - esac - fi +AS_IF([test x$enable_gssapi = xyes], [ + AC_PATH_TOOL([KRB5CONFIG], [krb5-config]) + AS_CASE(["$host_os_name"], [darwin*], [ + # macOS weak-links to the Kerberos framework... + AC_DEFINE([HAVE_GSSAPI], [1], [Is GSSAPI available?]) + LIBGSSAPI="-weak_framework Kerberos" + AC_MSG_CHECKING([for GSS framework]) + AS_IF([test -d /System/Library/Frameworks/GSS.framework], [ + AC_MSG_RESULT([yes]) + LIBGSSAPI="$LIBGSSAPI -weak_framework GSS" + ], [ + AC_MSG_RESULT([no]) + ]) + ], [sunos*], [ + # Solaris has a non-standard krb5-config, don't use it! + SAVELIBS="$LIBS" + AC_CHECK_LIB([gss], [gss_display_status], [ + AC_DEFINE([HAVE_GSSAPI], [1], [Is GSSAPI available?]) + AS_IF([test "x$KRB5CONFIG" != x], [ + CFLAGS="$($KRB5CONFIG --cflags) $CFLAGS" + CPPFLAGS="$($KRB5CONFIG --cflags) $CPPFLAGS" + LIBGSSAPI="-lgss $($KRB5CONFIG --libs)" + ], [ + LIBGSSAPI="-lgss" + ]) + ], [ + AC_MSG_ERROR([--enable-gssapi specified but GSSAPI library cannot be found.]) + ]) + LIBS="$SAVELIBS" + ], [*], [ + # Other platforms just ask for GSSAPI + AS_IF([test "x$KRB5CONFIG" = x], [ + AC_MSG_ERROR([--enable-gssapi specified but krb5-config cannot be found.]) + ], [ + AC_DEFINE([HAVE_GSSAPI], [1], [Is GSSAPI available?]) + CFLAGS="$($KRB5CONFIG --cflags gssapi) $CFLAGS" + CPPFLAGS="$($KRB5CONFIG --cflags gssapi) $CPPFLAGS" + LIBGSSAPI="$($KRB5CONFIG --libs gssapi)" + ]) + ]) - if test "x$LIBGSSAPI" != x; then - AC_CHECK_HEADER(krb5.h, AC_DEFINE(HAVE_KRB5_H)) - if test -d /System/Library/Frameworks/GSS.framework; then - AC_CHECK_HEADER(GSS/gssapi.h, AC_DEFINE(HAVE_GSS_GSSAPI_H)) - AC_CHECK_HEADER(GSS/gssapi_generic.h, AC_DEFINE(HAVE_GSS_GSSAPI_GENERIC_H)) - 
AC_CHECK_HEADER(GSS/gssapi_spi.h, AC_DEFINE(HAVE_GSS_GSSAPI_SPI_H)) - else - AC_CHECK_HEADER(gssapi.h, AC_DEFINE(HAVE_GSSAPI_H)) - AC_CHECK_HEADER(gssapi/gssapi.h, AC_DEFINE(HAVE_GSSAPI_GSSAPI_H)) - fi + AC_CHECK_HEADER([krb5.h], [AC_DEFINE([HAVE_KRB5_H], [1], [Have header?])]) + AS_IF([test -d /System/Library/Frameworks/GSS.framework], [ + AC_CHECK_HEADER([GSS/gssapi.h], [AC_DEFINE([HAVE_GSS_GSSAPI_H], [1], [Have header?])]) + AC_CHECK_HEADER([GSS/gssapi_generic.h], [AC_DEFINE([HAVE_GSS_GSSAPI_GENERIC_H], [1], [Have header?])]) + AC_CHECK_HEADER([GSS/gssapi_spi.h], [AC_DEFINE([HAVE_GSS_GSSAPI_SPI_H], [1], [Have header?])]) + ], [ + AC_CHECK_HEADER([gssapi.h], [AC_DEFINE([HAVE_GSSAPI_H], [1], [Have header?])]) + AC_CHECK_HEADER([gssapi/gssapi.h], [AC_DEFINE([HAVE_GSSAPI_GSSAPI_H], [1], [Have header?])]) + ]) - SAVELIBS="$LIBS" - LIBS="$LIBS $LIBGSSAPI" + SAVELIBS="$LIBS" + LIBS="$LIBS $LIBGSSAPI" - AC_CHECK_FUNC(__ApplePrivate_gss_acquire_cred_ex_f, - AC_DEFINE(HAVE_GSS_ACQUIRE_CRED_EX_F)) + AC_CHECK_FUNC([__ApplePrivate_gss_acquire_cred_ex_f], [ + AC_DEFINE([HAVE_GSS_ACQUIRE_CRED_EX_F], [1], [Have __ApplePrivate_gss_acquire_cred_ex_f function?]) + ]) - AC_MSG_CHECKING(for GSS_C_NT_HOSTBASED_SERVICE) - if test x$ac_cv_header_gssapi_gssapi_h = xyes; then - AC_TRY_COMPILE([ #include ], - [ gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; ], - AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE) - AC_MSG_RESULT(yes), - AC_MSG_RESULT(no)) - elif test x$ac_cv_header_gss_gssapi_h = xyes; then - AC_TRY_COMPILE([ #include ], - [ gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; ], - AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE) - AC_MSG_RESULT(yes), - AC_MSG_RESULT(no)) - else - AC_TRY_COMPILE([ #include ], - [ gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; ], - AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE) - AC_MSG_RESULT(yes), - AC_MSG_RESULT(no)) - fi + AC_MSG_CHECKING([for GSS_C_NT_HOSTBASED_SERVICE]) + AS_IF([test x$ac_cv_header_gssapi_gssapi_h = xyes], [ + AC_COMPILE_IFELSE([ + 
AC_LANG_PROGRAM([[#include ]], [[ + gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; + ]]) + ], [ + AC_DEFINE([HAVE_GSS_C_NT_HOSTBASED_SERVICE], [1], [Have GSS_C_NT_HOSTBASED_SERVICE?]) + AC_MSG_RESULT([yes]) + ], [ + AC_MSG_RESULT([no]) + ]) + ], [test x$ac_cv_header_gss_gssapi_h = xyes], [ + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([[#include ]], [[ + gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; + ]]) + ], [ + AC_DEFINE([HAVE_GSS_C_NT_HOSTBASED_SERVICE], [1], [Have GSS_C_NT_HOSTBASED_SERVICE?]) + AC_MSG_RESULT([yes]) + ], [ + AC_MSG_RESULT([no]) + ]) + ], [ + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([[#include ]], [[ + gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; + ]]) + ], [ + AC_DEFINE([HAVE_GSS_C_NT_HOSTBASED_SERVICE], [1], [Have GSS_C_NT_HOSTBASED_SERVICE?]) + AC_MSG_RESULT([yes]) + ], [ + AC_MSG_RESULT([no]) + ]) + ]) - LIBS="$SAVELIBS" - fi -fi + LIBS="$SAVELIBS" +]) dnl Default GSS service name... -AC_ARG_WITH(gssservicename, [ --with-gssservicename set default gss service name], - default_gssservicename="$withval", - default_gssservicename="default") +AC_ARG_WITH([gssservicename], AS_HELP_STRING([--with-gssservicename], [set default gss service name]), [ + default_gssservicename="$withval" +], [ + default_gssservicename="default" +]) -if test x$default_gssservicename != xno; then - if test "x$default_gssservicename" = "xdefault"; then - CUPS_DEFAULT_GSSSERVICENAME="host" - else - CUPS_DEFAULT_GSSSERVICENAME="$default_gssservicename" - fi -else - CUPS_DEFAULT_GSSSERVICENAME="" -fi +AS_IF([test x$default_gssservicename != xno], [ + AS_IF([test "x$default_gssservicename" = "xdefault"], [ + CUPS_DEFAULT_GSSSERVICENAME="host" + ], [ + CUPS_DEFAULT_GSSSERVICENAME="$default_gssservicename" + ]) +], [ + CUPS_DEFAULT_GSSSERVICENAME="" +]) -AC_SUBST(CUPS_DEFAULT_GSSSERVICENAME) -AC_DEFINE_UNQUOTED(CUPS_DEFAULT_GSSSERVICENAME, "$CUPS_DEFAULT_GSSSERVICENAME") +AC_SUBST([CUPS_DEFAULT_GSSSERVICENAME]) +AC_DEFINE_UNQUOTED([CUPS_DEFAULT_GSSSERVICENAME], ["$CUPS_DEFAULT_GSSSERVICENAME"], 
[Default GSSServiceName value.]) diff --git a/configure b/configure index 3c995e5c56..740b4b43d1 100755 --- a/configure +++ b/configure @@ -1593,7 +1593,7 @@ Optional Features: --enable-unit-tests build and run unit tests --enable-relro build with the relro option --enable-sanitizer build with AddressSanitizer - --disable-gssapi disable GSSAPI support + --enable-gssapi enable (deprecated) GSSAPI/Kerberos support --disable-threads disable multi-threading support --disable-ssl disable SSL/TLS support --enable-cdsassl use CDSA for SSL/TLS support, default=first @@ -8886,8 +8886,10 @@ fi LIBGSSAPI="" -if test x$enable_gssapi != xno; then - if test -n "$ac_tool_prefix"; then +if test x$enable_gssapi = xyes +then : + + if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}krb5-config", so it can be a program name with args. set dummy ${ac_tool_prefix}krb5-config; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 
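Review bot: The second arm of the GSS_C_NT_HOSTBASED_SERVICE check tests `x$ac_cv_header_gss_gssapi_h`, but `AC_CHECK_HEADER([GSS/gssapi.h])` caches its result as `ac_cv_header_GSS_gssapi_h` (the generated configure in this commit spells the variable exactly that way), so on macOS with GSS.framework that arm can never match and the final fallback arm is compiled instead, with whichever header it includes. Changing the condition to `[test x$ac_cv_header_GSS_gssapi_h = xyes]` makes the macOS path actually get exercised. Separately, the darwin arm defines HAVE_GSSAPI unconditionally and never consults the KRB5CONFIG it just probed, and the later AC_CHECK_HEADER calls only set HAVE_* flags, so `--enable-gssapi` on macOS cannot fail even when no GSSAPI header is present; a guard after the header checks such as `AS_IF([test x$ac_cv_header_gssapi_h != xyes -a x$ac_cv_header_gssapi_gssapi_h != xyes -a x$ac_cv_header_GSS_gssapi_h != xyes], [AC_MSG_ERROR([--enable-gssapi specified but no GSSAPI header was found.])])` would give it the same hard failure the sunos and generic arms now have. Note also that the default service name set here is "host", while the GSSServiceName text moved within cupsd.conf.5 in this same commit still says the default is "http"; one of the two should be corrected so operators auditing Kerberos principals are not misled.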
@@ -8995,25 +8997,35 @@ else KRB5CONFIG="$ac_cv_path_KRB5CONFIG" fi - if test "x$KRB5CONFIG" != x; then - case "$host_os_name" in - darwin) - # macOS weak-links to the Kerberos framework... - LIBGSSAPI="-weak_framework Kerberos" - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GSS framework" >&5 + case "$host_os_name" in #( + darwin*) : + + # macOS weak-links to the Kerberos framework... + +printf "%s\n" "#define HAVE_GSSAPI 1" >>confdefs.h + + LIBGSSAPI="-weak_framework Kerberos" + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GSS framework" >&5 printf %s "checking for GSS framework... " >&6; } - if test -d /System/Library/Frameworks/GSS.framework; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + if test -d /System/Library/Frameworks/GSS.framework +then : + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } - LIBGSSAPI="$LIBGSSAPI -weak_framework GSS" - else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 + LIBGSSAPI="$LIBGSSAPI -weak_framework GSS" + +else $as_nop + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } - fi - ;; - sunos*) - # Solaris has a non-standard krb5-config, don't use it! - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for gss_display_status in -lgss" >&5 + +fi + ;; #( + sunos*) : + + # Solaris has a non-standard krb5-config, don't use it! + SAVELIBS="$LIBS" + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for gss_display_status in -lgss" >&5 printf %s "checking for gss_display_status in -lgss... " >&6; } if test ${ac_cv_lib_gss_gss_display_status+y} then : 
@@ -9051,275 +9063,271 @@ printf "%s\n" "$ac_cv_lib_gss_gss_display_status" >&6; } if test "x$ac_cv_lib_gss_gss_display_status" = xyes then : -printf "%s\n" "#define HAVE_GSSAPI 1" >>confdefs.h - - CFLAGS="`$KRB5CONFIG --cflags` $CFLAGS" - CPPFLAGS="`$KRB5CONFIG --cflags` $CPPFLAGS" - LIBGSSAPI="-lgss `$KRB5CONFIG --libs`" -fi - - ;; - *) - # Other platforms just ask for GSSAPI - CFLAGS="`$KRB5CONFIG --cflags gssapi` $CFLAGS" - CPPFLAGS="`$KRB5CONFIG --cflags gssapi` $CPPFLAGS" - LIBGSSAPI="`$KRB5CONFIG --libs gssapi`" - ;; - esac printf "%s\n" "#define HAVE_GSSAPI 1" >>confdefs.h - else - # Check for vendor-specific implementations... - case "$host_os_name" in - hp-ux*) - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for gss_display_status in -lgss" >&5 -printf %s "checking for gss_display_status in -lgss... " >&6; } -if test ${ac_cv_lib_gss_gss_display_status+y} + if test "x$KRB5CONFIG" != x then : - printf %s "(cached) " >&6 -else $as_nop - ac_check_lib_save_LIBS=$LIBS -LIBS="-lgss $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -char gss_display_status (); -int -main (void) -{ -return gss_display_status (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO" -then : - ac_cv_lib_gss_gss_display_status=yes + CFLAGS="$($KRB5CONFIG --cflags) $CFLAGS" + CPPFLAGS="$($KRB5CONFIG --cflags) $CPPFLAGS" + LIBGSSAPI="-lgss $($KRB5CONFIG --libs)" + else $as_nop - ac_cv_lib_gss_gss_display_status=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gss_gss_display_status" >&5 -printf "%s\n" "$ac_cv_lib_gss_gss_display_status" >&6; } -if test "x$ac_cv_lib_gss_gss_display_status" = xyes -then : -printf "%s\n" "#define HAVE_GSSAPI 1" >>confdefs.h + LIBGSSAPI="-lgss" - LIBGSSAPI="-lgss -lgssapi_krb5" fi - ;; - sunos*) - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for gss_display_status in -lgss" >&5 -printf %s "checking for gss_display_status in -lgss... " >&6; } -if test ${ac_cv_lib_gss_gss_display_status+y} -then : - printf %s "(cached) " >&6 else $as_nop - ac_check_lib_save_LIBS=$LIBS -LIBS="-lgss $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -char gss_display_status (); -int -main (void) -{ -return gss_display_status (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO" -then : - ac_cv_lib_gss_gss_display_status=yes -else $as_nop - ac_cv_lib_gss_gss_display_status=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS + as_fn_error $? "--enable-gssapi specified but GSSAPI library cannot be found." 
"$LINENO" 5 + fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gss_gss_display_status" >&5 -printf "%s\n" "$ac_cv_lib_gss_gss_display_status" >&6; } -if test "x$ac_cv_lib_gss_gss_display_status" = xyes + + LIBS="$SAVELIBS" + ;; #( + *) : + + # Other platforms just ask for GSSAPI + if test "x$KRB5CONFIG" = x then : + as_fn_error $? "--enable-gssapi specified but krb5-config cannot be found." "$LINENO" 5 + +else $as_nop + + printf "%s\n" "#define HAVE_GSSAPI 1" >>confdefs.h - LIBGSSAPI="-lgss" -fi + CFLAGS="$($KRB5CONFIG --cflags gssapi) $CFLAGS" + CPPFLAGS="$($KRB5CONFIG --cflags gssapi) $CPPFLAGS" + LIBGSSAPI="$($KRB5CONFIG --libs gssapi)" - ;; - esac - fi +fi + ;; #( + *) : + ;; +esac - if test "x$LIBGSSAPI" != x; then - ac_fn_c_check_header_compile "$LINENO" "krb5.h" "ac_cv_header_krb5_h" "$ac_includes_default" + ac_fn_c_check_header_compile "$LINENO" "krb5.h" "ac_cv_header_krb5_h" "$ac_includes_default" if test "x$ac_cv_header_krb5_h" = xyes then : - printf "%s\n" "#define HAVE_KRB5_H 1" >>confdefs.h + +printf "%s\n" "#define HAVE_KRB5_H 1" >>confdefs.h fi - if test -d /System/Library/Frameworks/GSS.framework; then - ac_fn_c_check_header_compile "$LINENO" "GSS/gssapi.h" "ac_cv_header_GSS_gssapi_h" "$ac_includes_default" + if test -d /System/Library/Frameworks/GSS.framework +then : + + ac_fn_c_check_header_compile "$LINENO" "GSS/gssapi.h" "ac_cv_header_GSS_gssapi_h" "$ac_includes_default" if test "x$ac_cv_header_GSS_gssapi_h" = xyes then : - printf "%s\n" "#define HAVE_GSS_GSSAPI_H 1" >>confdefs.h + +printf "%s\n" "#define HAVE_GSS_GSSAPI_H 1" >>confdefs.h fi - ac_fn_c_check_header_compile "$LINENO" "GSS/gssapi_generic.h" "ac_cv_header_GSS_gssapi_generic_h" "$ac_includes_default" + ac_fn_c_check_header_compile "$LINENO" "GSS/gssapi_generic.h" "ac_cv_header_GSS_gssapi_generic_h" "$ac_includes_default" if test "x$ac_cv_header_GSS_gssapi_generic_h" = xyes then : - printf "%s\n" "#define HAVE_GSS_GSSAPI_GENERIC_H 1" >>confdefs.h + +printf "%s\n" 
"#define HAVE_GSS_GSSAPI_GENERIC_H 1" >>confdefs.h fi - ac_fn_c_check_header_compile "$LINENO" "GSS/gssapi_spi.h" "ac_cv_header_GSS_gssapi_spi_h" "$ac_includes_default" + ac_fn_c_check_header_compile "$LINENO" "GSS/gssapi_spi.h" "ac_cv_header_GSS_gssapi_spi_h" "$ac_includes_default" if test "x$ac_cv_header_GSS_gssapi_spi_h" = xyes then : - printf "%s\n" "#define HAVE_GSS_GSSAPI_SPI_H 1" >>confdefs.h + +printf "%s\n" "#define HAVE_GSS_GSSAPI_SPI_H 1" >>confdefs.h fi - else - ac_fn_c_check_header_compile "$LINENO" "gssapi.h" "ac_cv_header_gssapi_h" "$ac_includes_default" + +else $as_nop + + ac_fn_c_check_header_compile "$LINENO" "gssapi.h" "ac_cv_header_gssapi_h" "$ac_includes_default" if test "x$ac_cv_header_gssapi_h" = xyes then : - printf "%s\n" "#define HAVE_GSSAPI_H 1" >>confdefs.h + +printf "%s\n" "#define HAVE_GSSAPI_H 1" >>confdefs.h fi - ac_fn_c_check_header_compile "$LINENO" "gssapi/gssapi.h" "ac_cv_header_gssapi_gssapi_h" "$ac_includes_default" + ac_fn_c_check_header_compile "$LINENO" "gssapi/gssapi.h" "ac_cv_header_gssapi_gssapi_h" "$ac_includes_default" if test "x$ac_cv_header_gssapi_gssapi_h" = xyes then : - printf "%s\n" "#define HAVE_GSSAPI_GSSAPI_H 1" >>confdefs.h + +printf "%s\n" "#define HAVE_GSSAPI_GSSAPI_H 1" >>confdefs.h fi - fi - SAVELIBS="$LIBS" - LIBS="$LIBS $LIBGSSAPI" +fi - ac_fn_c_check_func "$LINENO" "__ApplePrivate_gss_acquire_cred_ex_f" "ac_cv_func___ApplePrivate_gss_acquire_cred_ex_f" + SAVELIBS="$LIBS" + LIBS="$LIBS $LIBGSSAPI" + + ac_fn_c_check_func "$LINENO" "__ApplePrivate_gss_acquire_cred_ex_f" "ac_cv_func___ApplePrivate_gss_acquire_cred_ex_f" if test "x$ac_cv_func___ApplePrivate_gss_acquire_cred_ex_f" = xyes then : - printf "%s\n" "#define HAVE_GSS_ACQUIRE_CRED_EX_F 1" >>confdefs.h + + +printf "%s\n" "#define HAVE_GSS_ACQUIRE_CRED_EX_F 1" >>confdefs.h + fi - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GSS_C_NT_HOSTBASED_SERVICE" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for 
GSS_C_NT_HOSTBASED_SERVICE" >&5 printf %s "checking for GSS_C_NT_HOSTBASED_SERVICE... " >&6; } - if test x$ac_cv_header_gssapi_gssapi_h = xyes; then - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + if test x$ac_cv_header_gssapi_gssapi_h = xyes +then : + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ - #include + + #include int main (void) { - gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; + + gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; + ; return 0; } + _ACEOF if ac_fn_c_try_compile "$LINENO" then : - printf "%s\n" "#define HAVE_GSS_C_NT_HOSTBASED_SERVICE 1" >>confdefs.h - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + +printf "%s\n" "#define HAVE_GSS_C_NT_HOSTBASED_SERVICE 1" >>confdefs.h + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } + else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } + fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - elif test x$ac_cv_header_gss_gssapi_h = xyes; then - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + +elif test x$ac_cv_header_gss_gssapi_h = xyes +then : + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ - #include + + #include int main (void) { - gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; + + gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; + ; return 0; } + _ACEOF if ac_fn_c_try_compile "$LINENO" then : - printf "%s\n" "#define HAVE_GSS_C_NT_HOSTBASED_SERVICE 1" >>confdefs.h - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + +printf "%s\n" "#define HAVE_GSS_C_NT_HOSTBASED_SERVICE 1" >>confdefs.h + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } + else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } + fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + +else $as_nop + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ - #include + + #include int main (void) { - gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; + + gss_OID foo = GSS_C_NT_HOSTBASED_SERVICE; + ; return 0; } + _ACEOF if ac_fn_c_try_compile "$LINENO" then : - printf "%s\n" "#define HAVE_GSS_C_NT_HOSTBASED_SERVICE 1" >>confdefs.h - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + +printf "%s\n" "#define HAVE_GSS_C_NT_HOSTBASED_SERVICE 1" >>confdefs.h + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } + else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } + fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - fi - LIBS="$SAVELIBS" - fi +fi + + LIBS="$SAVELIBS" + fi # Check whether --with-gssservicename was given. 
if test ${with_gssservicename+y} then : - withval=$with_gssservicename; default_gssservicename="$withval" + withval=$with_gssservicename; + default_gssservicename="$withval" + else $as_nop - default_gssservicename="default" + + default_gssservicename="default" + fi -if test x$default_gssservicename != xno; then - if test "x$default_gssservicename" = "xdefault"; then - CUPS_DEFAULT_GSSSERVICENAME="host" - else - CUPS_DEFAULT_GSSSERVICENAME="$default_gssservicename" - fi -else - CUPS_DEFAULT_GSSSERVICENAME="" +if test x$default_gssservicename != xno +then : + + if test "x$default_gssservicename" = "xdefault" +then : + + CUPS_DEFAULT_GSSSERVICENAME="host" + +else $as_nop + + CUPS_DEFAULT_GSSSERVICENAME="$default_gssservicename" + fi +else $as_nop + + CUPS_DEFAULT_GSSSERVICENAME="" + +fi + + printf "%s\n" "#define CUPS_DEFAULT_GSSSERVICENAME \"$CUPS_DEFAULT_GSSSERVICENAME\"" >>confdefs.h diff --git a/doc/help/kerberos.html b/doc/help/kerberos.html index 9d5a9ee24e..9b35e0c904 100644 --- a/doc/help/kerberos.html +++ b/doc/help/kerberos.html @@ -1,87 +1,75 @@ - + - - Using Kerberos Authentication - - - + + Using Kerberos Authentication + + + +

Using Kerberos Authentication

-

Using Kerberos Authentication

+

CUPS allows you to use a Key Distribution Center (KDC) for authentication on your local CUPS server and when printing to a remote authenticated queue. This document describes how to configure CUPS to use Kerberos authentication and provides links to the MIT help pages for configuring Kerberos on your systems and network.

-

CUPS allows you to use a Key Distribution Center (KDC) for authentication on your local CUPS server and when printing to a remote authenticated queue. This document describes how to configure CUPS to use Kerberos authentication and provides links to the MIT help pages for configuring Kerberos on your systems and network.

+
Note: Kerberos authentication is deprecated starting in CUPS 2.4.0. OAuth 2.0 is the recommended SSO replacement.
-

System Requirements

+

System Requirements

-

The following are required to use Kerberos with CUPS:

+

The following are required to use Kerberos with CUPS:

-
    +
      +
    1. Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)
    2. +
    3. Properly configured Domain Name System (DNS) infrastructure (for your servers): +
        +
      1. DNS server(s) with static IP addresses for all CUPS servers or configured to allow DHCP updates to the host addresses and
      2. +
      3. All CUPS clients and servers configured to use the same DNS server(s).
      4. +
      +
    4. -
    5. Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)
    6. +
    7. Properly configured Kerberos infrastructure: +
        +
      1. KDC configured to allow CUPS servers to obtain Service Granting Tickets (SGTs) for the "host" and "HTTP" services/principals,
      2. +
      3. LDAP-based user accounts - both OpenDirectory and ActiveDirectory provide this with the KDC, and
      4. +
      5. CUPS clients and servers bound to the same KDC and LDAP server(s).
      6. +
      +
    8. +
    -
  1. Properly configured Domain Name System (DNS) infrastructure (for your servers):
      -
    1. DNS server(s) with static IP addresses for all CUPS servers or configured to allow DHCP updates to the host addresses and
    2. -
    3. All CUPS clients and servers configured to use the same -DNS server(s).
    4. -
  2. -
  3. Properly configured Kerberos infrastructure:
      -
    1. KDC configured to allow CUPS servers to obtain Service Granting Tickets (SGTs) for the "host" and "HTTP" services/principals,
    2. -
    3. LDAP-based user accounts - both OpenDirectory and ActiveDirectory provide this with the KDC, and
    4. -
    5. CUPS clients and servers bound to the same KDC and LDAP - server(s).
    6. -
  4. +

    Configuring Kerberos on Your System

    -
+

Before you can use Kerberos with CUPS, you will need to configure Kerberos on your system and setup a system as a KDC. Because this configuration is highly system and site-specific, please consult the following on-line resources provided by the creators of Kerberos at the Massachusetts Institute of Technology (MIT):

+ -

Configuring Kerberos on Your System

+

The Linux Documentation Project also has a HOWTO on Kerberos:

-

Before you can use Kerberos with CUPS, you will need to configure Kerberos on your system and setup a system as a KDC. Because this configuration is highly system and site-specific, please consult the following on-line resources provided by the creators of Kerberos at the Massachusetts Institute of Technology (MIT):

+ - +
cupsctl DefaultAuthType=Negotiate
-

The Linux Documentation Project also has a HOWTO on Kerberos:

+

You can also enable Kerberos from the web interface by checking the Use Kerberos Authentication box and clicking Change Settings:

- +

Implementation Information

-

Configuring CUPS to Use Kerberos

+

CUPS implements Kerberos over HTTP using GSSAPI and the service/principal names "host/server.example.com" for command-line access and "HTTP/server.example.com" for web-based access, where "server.example.com" is replaced by your CUPS server's hostname. Because of limitations in the HTTP GSSAPI protocol extension, only a single domain/KDC is supported for authentication. The (experimental) HTTP extension is described in RFC 4559.

-

Once you have configured Kerberos on your system(s), you can then enable Kerberos authentication by selecting the Negotiate authentication type. The simplest way to do this is using the cupsctl(8) command on your server(s):

+

When doing printing tasks that require authentication, CUPS requests single-use "tickets" from your login session to authenticate who you are. These tickets give CUPS a username of the form "user@REALM", which is then truncated to just "user" for purposes of user and group checks.

-
-cupsctl DefaultAuthType=Negotiate
-
- -

You can also enable Kerberos from the web interface by checking the Use Kerberos Authentication box and clicking Change Settings:

- -
-http://server.example.com:631/admin
-
- -

After you have enabled Kerberos authentication, use the built-in "authenticated" policy or your own custom policies with the printers you will be sharing. See Managing Operation Policies for more information.

- - -

Implementation Information

- -

CUPS implements Kerberos over HTTP using GSSAPI and the service/principal names "host/server.example.com" for command-line access and "HTTP/server.example.com" for web-based access, where "server.example.com" is replaced by your CUPS server's hostname. Because of limitations in the HTTP GSSAPI protocol extension, only a single domain/KDC is supported for authentication. The HTTP extension is described in RFC 4559.

- -

When doing printing tasks that require authentication, CUPS requests single-use "tickets" from your login session to authenticate who you are. These tickets give CUPS a username of the form "user@REALM", which is then truncated to just "user" for purposes of user and group checks.

- -

In order to support printing to a shared printer, CUPS runs the IPP or SMB backend as the owner of the print job so it can obtain the necessary credentials when the job is de-spooled to the server.

- - - +

In order to support printing to a shared printer, CUPS runs the IPP or SMB backend as the owner of the print job so it can obtain the necessary credentials when the job is de-spooled to the server.

+ + diff --git a/man/cupsd.conf.5 b/man/cupsd.conf.5 index 966847c8c5..897917405a 100644 --- a/man/cupsd.conf.5 +++ b/man/cupsd.conf.5 @@ -80,8 +80,6 @@ The default is "No". .\"#DefaultAuthType .TP 5 \fBDefaultAuthType Basic\fR -.TP 5 -\fBDefaultAuthType Negotiate\fR .br Specifies the default type of authentication to use. The default is "Basic". @@ -162,11 +160,6 @@ Specifies the scheduling priority ( value) of filters that are run to print a job. The nice value ranges from 0, the highest priority, to 19, the lowest priority. The default is 0. -.\"#GSSServiceName -.TP 5 -\fBGSSServiceName \fIname\fR -Specifies the service name when using Kerberos authentication. -The default service name is "http." .TP 5 .\"#HostNameLookups \fBHostNameLookups On\fR @@ -701,8 +694,6 @@ The Order directive controls whether Allow lines are evaluated before or after D \fBAuthType Basic\fR .TP 5 \fBAuthType Default\fR -.TP 5 -\fBAuthType Negotiate\fR Specifies the type of authentication required. The value "Default" corresponds to the DefaultAuthType value. .TP 5 @@ -816,6 +807,9 @@ Specifies the list of subscription values to make private. The "default" values are "notify-events", "notify-pull-method", "notify-recipient-uri", "notify-subscriber-user-name", and "notify-user-data". .SS DEPRECATED DIRECTIVES The following directives are deprecated and will be removed in a future release of CUPS: +.TP 5 +\fBAuthType Negotiate\fR +Specifies Kerberos authentication is required. .\"#Classification .TP 5 \fBClassification \fIbanner\fR 
@@ -831,6 +825,14 @@ The default is no classification banner. .br Specifies whether users may override the classification (cover page) of individual print jobs using the "job-sheets" option. The default is "No". +.TP 5 +\fBDefaultAuthType Negotiate\fR +Specifies that Kerberos authentication is required by default. +.\"#GSSServiceName +.TP 5 +\fBGSSServiceName \fIname\fR +Specifies the service name when using Kerberos authentication. +The default service name is "http." .\"#PageLogFormat .TP 5 \fBPageLogFormat \fIformat-string\fR