In krb5 1.13, ksu is unable to authenticate with my andersk/root@ATHENA.MIT.EDU principal, which is secured with Duo two-factor authentication:

    $ ksu $USER -n andersk/root
    WARNING: Your password may be exposed if you enter it here and are logged in remotely using an unsecure (non-encrypted) channel.
    Kerberos password for andersk/root@ATHENA.MIT.EDU: :
    ksu: Cannot read password while getting initial credentials
    Goodbye

I reported a similar but separate problem with ksu at http://krbdev.mit.edu/rt/Ticket/Display.html?id=7862; that one was fixed in krb5-1.13-alpha1~225 and krb5-1.12.2-final~55. This time, it doesn’t even get as far as prompting for the second challenge. kinit still works, and ksu with non-2FA principals still works.

Bisection searches on various branches show that this new problem showed up here:

    commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de
    Author: Nalin Dahyabhai
    Date:   Tue Sep 16 13:50:05 2014 -0400

        Fix ksu crash in cases where it obtains the TGT

        In order to allow ksu to use any locally-present service key for
        verifying creds, the previous change to ksu switched from using a
        retrieved or obtained TGT to fetch creds for the local "host" service,
        and then passing those creds to krb5_verify_init_creds(), to passing
        the retrieved TGT directly to krb5_verify_init_creds(). It did not
        take care to retrieve the TGT from the temporary ccache if it had
        obtained them, and in those cases it would attempt to verify NULL
        creds.

        Modify the krb5_get_tkt_via_passwd() function to call
        krb5_get_init_creds_password(), to pass back the freshly-obtained
        creds, to take a "krb5_get_init_creds_opt" pointer instead of a
        locally-defined options structure, and rename it to
        ksu_get_tgt_via_passwd().

        ticket: 8015 (new)
        target_version: 1.13
        tags: pullup

    GOOD krb5-1.14-alpha1~237 (59cbb76 Document KDC TCP listener change)
    BAD  krb5-1.14-alpha1~236 (5fd5a67 Fix ksu crash in cases where it obtains the TGT)
    GOOD krb5-1.13-beta1~9 (8f8cf0e Document KDC TCP listener change)
    BAD  krb5-1.13-beta1~8 (5ccab82 Fix ksu crash in cases where it obtains the TGT)

Current master (09e8307) and krb5-1.13 (d19f02e) are still broken. krb5-1.12 (d93407b) is unaffected.

Anders