Eric Radman : a Journal

Kerberos and OpenBSD

If your workplace uses Kerberos there is a good chance that it publishes the list of KDC servers via DNS SRV records, and Heimdal Kerberos will perform this lookup automatically. You can see what the client will find with host(1)

$ host -t srv _kerberos._udp.eradman.com
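As an added example (not part of the original post), here is a small shell script that turns the output of such a query into an ordered KDC list. The record values are constructed for illustration, not the result of a real lookup of eradman.com. The ordering follows RFC 2782 (lowest priority first, higher weight preferred), except that ties are sorted deterministically rather than picked at random so the result is reproducible. Because SRV answers come from unauthenticated DNS, the kdc_conf_lines helper also renders the result as explicit kdc = entries for the [realms] block of krb5.conf, so a hardened client can pin its KDCs instead of discovering them at run time.

```shell
#!/bin/sh
# Added example: order the KDCs advertised by _kerberos._udp SRV records.
# SRV_SAMPLE is a constructed copy of `host -t srv` output; the hostnames,
# priorities and weights are made up for illustration.
SRV_SAMPLE='_kerberos._udp.eradman.com has SRV record 10 60 88 kdc1.eradman.com.
_kerberos._udp.eradman.com has SRV record 10 40 88 kdc2.eradman.com.
_kerberos._udp.eradman.com has SRV record 20 0 88 kdc-backup.eradman.com.'

# kdc_order: read `host -t srv` lines on stdin and print one "host:port" per
# line, lowest priority first and, within a priority, highest weight first.
# (RFC 2782 chooses among equal priorities at random in proportion to weight;
# a fixed descending order is used here so the output is reproducible.)
kdc_order() {
	awk '/has SRV record/ {
		# trailing fields are: priority weight port target
		prio = $(NF-3); weight = $(NF-2); port = $(NF-1); target = $NF
		sub(/\.$/, "", target)          # strip the trailing dot of the FQDN
		printf "%d %d %s:%s\n", prio, weight, target, port
	}' | sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# kdc_conf_lines: render the same list as "kdc =" lines suitable for the
# [realms] block of /etc/heimdal/krb5.conf, which pins the KDCs explicitly
# rather than trusting whatever DNS answers at run time.
kdc_conf_lines() {
	kdc_order | sed 's/^/        kdc = /'
}

printf '%s\n' "$SRV_SAMPLE" | kdc_order
printf '%s\n' "$SRV_SAMPLE" | kdc_conf_lines
```

Pipe the real output of host -t srv into kdc_order on a workstation; the kdc = lines can be pasted into the ERADMAN.COM block of krb5.conf once you are happy with the list.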

krb5.conf

A basic configuration for /etc/heimdal/krb5.conf looks like this. Setting rdns = false stops the library from canonicalizing service principal names through reverse DNS, so a spoofed PTR record cannot change which service ticket the client asks for.

 [libdefaults]
   ignore_acceptor_hostname = true
   rdns = false
   default_realm = ERADMAN.COM

 [realms]
   ERADMAN.COM = {
           default_domain = ERADMAN.COM
   }

 [domain_realm]
 .ERADMAN.COM = ERADMAN.COM
 ERADMAN.COM = ERADMAN.COM

Now get a ticket

$ kinit
eradman@ERADMAN.COM's Password: *********
$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: eradman@ERADMAN.COM

  Issued                Expires               Principal
Oct 31 10:02:30 2017  Oct 31 20:02:30 2017  krbtgt/ERADMAN.COM@ERADMAN.COM

Firefox

To enable Kerberos (Negotiate) authentication in Firefox we need to point it at the GSSAPI library from the heimdal package. For automated configuration this means installing /usr/local/lib/firefox/browser/defaults/preferences/openbsd.js. Keep network.negotiate-auth.trusted-uris as narrow as possible, since every host it matches can ask the browser for a service ticket on the user's behalf.

pref("network.negotiate-auth.allow-non-fqdn", true);
pref("network.negotiate-auth.gsslib", "/usr/local/heimdal/lib/libgssapi.so.9.0");
pref("network.negotiate-auth.trusted-uris", "eradman.com");
pref("network.negotiate-auth.using-native-gsslib", false);

Since the OpenBSD build of Firefox is patched to use unveil(2), add an entry to /etc/firefox/unveil.main that allows read access to the Heimdal shared libraries

# kerberos
/usr/lib r
/usr/local/heimdal/lib r

Chromium

Chromium is not built with Kerberos support on OpenBSD, but it can be enabled by modifying /usr/ports/www/chromium/Makefile

120c120
<    use_kerberos=false \
-
>    use_kerberos=true \
131
<    extra_cppflags=\"-idirafter ... \"
-
>    extra_cppflags=\"-idirafter /usr/local/heimdal/include ... \"
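Review bot: the second hunk cannot be applied with patch(1) as shown: the `...` stands in for the rest of the existing extra_cppflags value, the header reads `131` rather than `131c131`, and the separator in both hunks is `-` where normal diff output has `---`. Edit the Makefile by hand instead, inserting `-idirafter /usr/local/heimdal/include` and keeping the existing -idirafter entries after it, as the hunk shows.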

Run make install and a mere 24 hours later the build should be complete. Kerberos negotiation is then configured through a managed policy file, /etc/chromium/policies/managed/openbsd.json. AuthServerWhitelist limits which servers Chromium will negotiate with; from Chromium 86 the same setting is accepted under the name AuthServerAllowlist and the old name is deprecated.

{
  "AuthServerWhitelist": "*.eradman.com",
  "GSSAPILibraryName": "/usr/local/heimdal/lib/libgssapi.so.9.0"
}

The OpenBSD build of Chromium is likewise patched to use unveil(2), so add an entry to /etc/chromium/unveil.main

# kerberos
/usr/local/heimdal/lib r
/usr/lib r

and the same to /etc/chromium/unveil.utility_network, the rule file for the network utility process

# kerberos
/usr/local/heimdal/lib r
/usr/local/lib r
/usr/lib r

After installing this file, navigate to chrome://policy to confirm that each setting is listed as applied without an error.
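A check that is easy to forget when following the Firefox and Chromium sections above is whether the GSSAPI library path in the browser's configuration is actually covered by its unveil(2) rules; if it is not, the library silently fails to load and authentication falls back to a password prompt. The shell script below is an added example, not part of the original post, that reads the library path out of a Firefox prefs file or a Chromium policy file and matches it against the unveil rule file. The config files written by demo() are constructed copies of the settings shown above, and the matching assumes an unveil entry for a directory covers the files beneath it, which is how unveil(2) behaves.

```shell
#!/bin/sh
# Added example: verify that the GSSAPI library a browser is told to load is
# covered by an "r" rule in its unveil(2) file. The files written by demo()
# are constructed copies of the configs shown on the page, not live files.

# gsslib_path FILE: print the library path from either a Firefox prefs file
# (network.negotiate-auth.gsslib) or a Chromium policy file (GSSAPILibraryName).
gsslib_path() {
	sed -n \
	    -e 's/^pref("network\.negotiate-auth\.gsslib", *"\([^"]*\)");.*/\1/p' \
	    -e 's/^ *"GSSAPILibraryName": *"\([^"]*\)".*/\1/p' "$1"
}

# unveil_allows_read UNVEILFILE PATH: succeed if an entry whose permissions
# include "r" names PATH itself or a directory above it. Entries are
# "path perms" lines; "#" comments and blank lines are skipped. (Assumes the
# browser passes each line to unveil(2) as written.)
unveil_allows_read() {
	_uf=$1 _p=$2
	while read -r _dir _perm; do
		case $_dir in ''|'#'*) continue ;; esac
		case $_perm in *r*) ;; *) continue ;; esac
		case $_p in "$_dir"|"$_dir"/*) return 0 ;; esac
	done < "$_uf"
	return 1
}

# check_browser CONFIGFILE UNVEILFILE: report whether the configured library
# would be readable once unveil(2) is in effect. Returns 0 only when it is.
check_browser() {
	_lib=$(gsslib_path "$1")
	if [ -z "$_lib" ]; then
		echo "no GSSAPI library configured in $1"; return 2
	fi
	if unveil_allows_read "$2" "$_lib"; then
		echo "OK $_lib"; return 0
	fi
	echo "NOT UNVEILED $_lib (add '$(dirname "$_lib") r' to $2)"; return 1
}

# demo: run the check against constructed copies of the page's configs,
# including an unveil file that omits the Heimdal directory.
demo() {
	_d=$(mktemp -d) || return 1
	printf 'pref("network.negotiate-auth.gsslib", "/usr/local/heimdal/lib/libgssapi.so.9.0");\n' \
	    > "$_d/openbsd.js"
	printf '{\n  "GSSAPILibraryName": "/usr/local/heimdal/lib/libgssapi.so.9.0"\n}\n' \
	    > "$_d/openbsd.json"
	printf '# kerberos\n/usr/lib r\n/usr/local/heimdal/lib r\n' > "$_d/unveil.main"
	printf '# kerberos\n/usr/lib r\n' > "$_d/unveil.incomplete"
	check_browser "$_d/openbsd.js"   "$_d/unveil.main"
	check_browser "$_d/openbsd.json" "$_d/unveil.main"
	check_browser "$_d/openbsd.json" "$_d/unveil.incomplete" || :   # expected to fail
	rm -rf "$_d"
}

demo
```

On a real workstation, call check_browser with the installed openbsd.js and /etc/firefox/unveil.main, or openbsd.json and each of the /etc/chromium/unveil.* files; pair it with test -r on the library path to confirm the heimdal package is actually installed.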