Eric Radman : a Journal

Kerberos and OpenBSD

If your workplace uses Kerberos, there is a good chance that the list of KDC servers is published via DNS SRV records, and Heimdal Kerberos will perform this lookup automatically.

$ host -t srv
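To see what the client does with those records, here is an added example (not from the original post) that parses the output format of `host -t srv` and orders the KDCs the way RFC 2782 prescribes: lowest priority first, weighted random within a priority. The sample lines are constructed for the placeholder realm EXAMPLE.COM and assume the query was for the `_kerberos._udp` SRV name of the realm; the `realms_stanza` helper goes one step beyond the post by rendering the equivalent explicit `[realms]` block, which is what you would pin in krb5.conf if you did not want to rely on DNS.

```python
import random
import re
from dataclasses import dataclass

# Constructed sample in the format printed by `host -t srv NAME`
# (example.com is a placeholder; these are not real KDCs).
SAMPLE_HOST_OUTPUT = """\
_kerberos._udp.example.com has SRV record 10 60 88 kdc1.example.com.
_kerberos._udp.example.com has SRV record 10 40 88 kdc2.example.com.
_kerberos._udp.example.com has SRV record 20 0 88 kdc-backup.example.com.
"""

# One `host` output line: "<name> has SRV record <priority> <weight> <port> <target>"
SRV_LINE = re.compile(
    r"^(?P<name>\S+) has SRV record "
    r"(?P<priority>\d+) (?P<weight>\d+) (?P<port>\d+) (?P<target>\S+)$"
)


@dataclass(frozen=True)
class KdcRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(output: str) -> list[KdcRecord]:
    """Parse `host -t srv` output; lines that are not SRV records are skipped."""
    records = []
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m is None:
            continue  # blank line or a "has no SRV record" message
        records.append(KdcRecord(
            priority=int(m["priority"]),
            weight=int(m["weight"]),
            port=int(m["port"]),
            target=m["target"].rstrip("."),  # drop the trailing root dot
        ))
    return records


def order_kdcs(records: list[KdcRecord], seed: int = 0) -> list[KdcRecord]:
    """Order records per RFC 2782: ascending priority, weighted random within a priority."""
    rng = random.Random(seed)
    ordered: list[KdcRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            weights = [r.weight for r in group]
            if sum(weights) == 0:
                pick = rng.choice(group)  # only zero-weight targets left: any order
            else:
                pick = rng.choices(group, weights=weights, k=1)[0]
            ordered.append(pick)
            group.remove(pick)
    return ordered


def kdc_addresses(output: str, seed: int = 0) -> list[str]:
    """host:port strings in the order a client should try them."""
    return [f"{r.target}:{r.port}" for r in order_kdcs(parse_srv(output), seed)]


def realms_stanza(realm: str, output: str, seed: int = 0) -> str:
    """Render an explicit [realms] block equivalent to the SRV lookup result."""
    lines = ["[realms]", f"    {realm} = {{"]
    lines += [f"        kdc = {addr}" for addr in kdc_addresses(output, seed)]
    lines.append("    }")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(realms_stanza("EXAMPLE.COM", SAMPLE_HOST_OUTPUT))
```

The weighted selection is why two KDCs with the same priority are not always tried in the order `host` prints them; the backup with priority 20 is only reached after both priority-10 servers.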


A basic configuration for /etc/heimdal/krb5.conf looks like this

[libdefaults]
    ignore_acceptor_hostname = true
    rdns = false
    default_realm = ERADMAN.COM

[realms]
    ERADMAN.COM = {
        default_domain = ERADMAN.COM
    }


Now get a ticket

$ kinit
eradman@ERADMAN.COM's Password: *********
$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: eradman@ERADMAN.COM

  Issued                Expires               Principal
Oct 31 10:02:30 2017  Oct 31 20:02:30 2017  krbtgt/ERADMAN.COM@ERADMAN.COM


To enable Firefox to use Kerberos we need to point it to the GSSAPI library from the heimdal package. For automated configuration this means installing /usr/local/lib/firefox/browser/defaults/preferences/openbsd.js

pref("network.negotiate-auth.allow-non-fqdn", true);
pref("network.negotiate-auth.gsslib", "/usr/local/heimdal/lib/");
pref("network.negotiate-auth.trusted-uris", "");
pref("network.negotiate-auth.using-native-gsslib", false);

Since the OpenBSD build of Firefox is patched to use unveil(2), add an entry to /etc/firefox/unveil.main that allows reading the Heimdal shared libraries

# kerberos
/usr/lib r
/usr/local/heimdal/lib r


Chromium is not built with Kerberos support on OpenBSD, but it can be added by modifying /usr/ports/www/chromium/Makefile

<    use_kerberos=false \
>    use_kerberos=true \
<    extra_cppflags=\"-idirafter ... \"
>    extra_cppflags=\"-idirafter /usr/local/heimdal/include ... \"

Run make install and a mere 24 hours later the build should be complete. A policy can then be applied by installing the file /etc/chromium/policies/managed/openbsd.json

{
  "AuthServerWhitelist": "*",
  "GSSAPILibraryName": "/usr/local/heimdal/lib/"
}

The OpenBSD build of Chromium is also patched to use unveil(2), so add an entry to /etc/chromium/unveil.main

# kerberos
/usr/local/heimdal/lib r
/usr/lib r

Do the same for /etc/chromium/unveil.utility_network

# kerberos
/usr/local/heimdal/lib r
/usr/local/lib r
/usr/lib r
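Because unveil(2) exposes a path and everything beneath it, the question for both the Firefox and the Chromium files above is whether the directory entries actually cover the library file the browser will dlopen. The following added example (mine, not the post's or the ports' code) parses the `path permissions` line format used by these unveil files and checks candidate library paths against it; the file contents are copied from the post, the library file names are constructed placeholders, and the parsing of trailing `#` comments is an assumption about the format.

```python
import os
from dataclasses import dataclass

# Constructed copies of the unveil files shown in the post:
# "<path> <permissions>" per line, '#' starts a comment.
FIREFOX_UNVEIL_MAIN = """\
# kerberos
/usr/lib r
/usr/local/heimdal/lib r
"""

CHROMIUM_UNVEIL_UTILITY_NETWORK = """\
# kerberos
/usr/local/heimdal/lib r
/usr/local/lib r
/usr/lib r
"""


@dataclass(frozen=True)
class UnveilEntry:
    path: str
    perms: str


def parse_unveil(text: str) -> list[UnveilEntry]:
    """Parse unveil.* lines into (path, permissions) entries, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' begins a comment
        if not line:
            continue
        path, _, perms = line.rpartition(" ")
        entries.append(UnveilEntry(os.path.normpath(path.strip()), perms.strip()))
    return entries


def _covers(entry_path: str, target: str) -> bool:
    """unveil(2) exposes the named path and everything beneath it. The prefix
    match must stop at a path component boundary: "/usr/lib" does not cover
    "/usr/libexec/...".  "/" covers every absolute path."""
    target = os.path.normpath(target)
    return target == entry_path or target.startswith(entry_path.rstrip("/") + "/")


def permitted(entries: list[UnveilEntry], target: str, perm: str = "r") -> bool:
    """True if some entry grants `perm` on `target` or on an ancestor directory."""
    return any(perm in e.perms and _covers(e.path, target) for e in entries)


def missing_entries(text: str, required_paths: list[str], perm: str = "r") -> list[str]:
    """Paths from required_paths that the unveil file does not expose with `perm`."""
    entries = parse_unveil(text)
    return [p for p in required_paths if not permitted(entries, p, perm)]


if __name__ == "__main__":
    # Constructed library file names; the real version suffixes depend on the installed packages.
    wanted = ["/usr/local/heimdal/lib/libgssapi.so.X.Y", "/usr/local/lib/libcrypto.so.X.Y"]
    print("firefox unveil.main lacks:", missing_entries(FIREFOX_UNVEIL_MAIN, wanted))
    print("chromium utility_network lacks:", missing_entries(CHROMIUM_UNVEIL_UTILITY_NETWORK, wanted))
```

Running the check against the Firefox file shows that only paths under /usr/lib and /usr/local/heimdal/lib are readable; anything the GSSAPI library pulls in from /usr/local/lib would need its own entry, which is exactly the difference between the two Chromium files above.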

After installing this file, navigate to chrome://policy to confirm that all settings were applied.