Kerberos support with web browser?
I set up the latest Maemo SDK, and built a fresh copy of openssh w/kerberos support, and I'd like to expand the number of kerberos-aware apps on my tablet.
I'm not sure if this is a silly question, but is the web browser kerberos-aware, or will it leverage the krb5 libraries/utilities if I try to use it with kerberos-aware web apps? When I'm at work, I can use Firefox on my desktop with a kerberos-aware CAS (single sign-on w/Tomcat, LDAP back-end, etc...) via SPNEGO w/very simple tweaks of the Firefox useragent string and the network.negotiate-auth.trusted.uris in about:config. Any idea if this is something that could work with the Maemo web browser, can the useragent string be adjusted, and will it pay attention to my TGTs via kerberos utils?
Re: Kerberos support with web browser?
Hmm, guess I'll reply to my own thread :)
So, I verified that my openssh w/kerberos support is now working with kinit -f and a couple of minor tweaks to /etc/ssh/ssh_config and /etc/krb5.conf. And now I'm trying to get the microb browser working, but I'm not sure what I can do to get some verbose/debug output... I noticed that the general.useragent.vendor string gets reset when I open/close the browser, and that's a bit annoying, but I'm guessing something else is wrong :)

network.negotiate-auth.using-native-gsslib true
network.negotiate-auth.gsslib string
network.negotiate-auth.trusted-uris https://somewhere.com
network.negotiate-auth.delegation-uris https://somewhere.com

I've tried toggling the native-gsslib setting to false, and specifying a path for network.negotiate-auth.gsslib string to /usr/lib/libgssapi_krb5.so.2.2 (with the krb5 clients/libraries installed), but that doesn't seem to do the trick either. Is there a way to get verbose/debug info out of the microb browser, so that I can get a bigger hint as to what else might be going wrong?

On a related note, what's the trick to getting the microb-browser installed in the (latest) SDK? apt-get install microb-browser doesn't seem to be good enough :)

If any of the admins would like to relocate this thread to the Developers section, I wouldn't object, and maybe it's more likely to get (some) feedback there.
Re: Kerberos support with web browser?
In other words, kerberos and openssh in the scratchbox environment were built/installed from source, but I installed the krb5 utils from (your) binary packages on the tablet itself, and the only file I grabbed from my scratchbox builds is the 'ssh' binary, and replaced /usr/bin/ssh with my kerberized ssh. I'm not having trouble with the kerberized ssh; that works great after I do a kinit -f, and I can ssh to other (Unix/Solaris) machines that are kerberos aware.

klist -e looks the same on my desktop and tablet:

Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1

NTLM authentication isn't involved, as the kerberos servers are also Solaris boxes, and there isn't any Windows/AD infrastructure tied to any of this.

Silly question... is the LiveHTTPHeaders extension available on the tablet, or is that just an option on the desktop? I just installed the LiveHTTPHeaders extension on my desktop, and I see the communication in 1), 2), and 3) here. That page is about writing a SPNEGO java client, but the header details are the common part for the browser communication.

http://s2.diffuse.it/blog/show/6602-...tion_with_Java

Looks like there's also a SPNEGO-related RFC mentioned on the curl site...

http://curl.haxx.se/rfc/draft-brezak-spnego-http-04.txt

Finally, I don't have any explicit encryption methods defined in /etc/krb5.conf on my desktop or tablet, and the desktop and tablet have identical krb5.conf files (obfuscated domain for the sake of this post):

[libdefaults]
# Lookup the realm from the TXT record
default_realm = SOMEWHERE.COM
dns_lookup_realm = on
# Lookup the KDCs from SRV records
dns_lookup_kdc = on
# Bind your TGT and service tickets to your IP address
# Prevents a stolen ticket from being used from a different IP address.
noaddresses = on

[appdefaults]
renewable = true
forwardable = true

[realms]
SOMEWHERE.COM = {
    admin_server = kerberos-2.somewhere.com
}

[domain_realm]
.somewhere.com = SOMEWHERE.COM
somewhere.com = SOMEWHERE.COM
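The header exchange referred to in the post above can be checked offline from a header capture such as LiveHTTPHeaders output. The following is an added example, not part of the original thread: it reports whether the server offered Negotiate and whether the browser answered with a SPNEGO/Kerberos or an NTLM token. The host name, capture text and token are constructed for illustration.

```python
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2

def classify_token(b64):
    """Name the mechanism inside an 'Authorization: Negotiate' token."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
        return "spnego-kerberos" if KRB5_OID in raw else "spnego-other"
    if raw[:1] == b"\x60" and KRB5_OID in raw[:16]:
        return "raw-kerberos"
    return "unknown"

def parse_capture(text):
    """Split a header capture into (first_line, {header: [values]}) messages."""
    messages = []
    for block in text.strip().split("\n\n"):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        messages.append((lines[0], headers))
    return messages

def diagnose(text):
    """Report how far the Negotiate exchange got in a capture."""
    offered, sent = False, None
    for first, headers in parse_capture(text):
        challenges = headers.get("www-authenticate", [])
        if first.split()[1:2] == ["401"] and any(
                c.lower().startswith("negotiate") for c in challenges):
            offered = True
        for value in headers.get("authorization", []):
            scheme, _, token = value.partition(" ")
            if scheme.lower() == "negotiate" and token.strip():
                sent = classify_token(token.strip())
    if not offered:
        return "server never offered Negotiate"
    return "client ignored the challenge" if sent is None else "client sent " + sent

# Constructed samples: a NegTokenInit listing only the Kerberos mechanism (no ticket).
TOKEN = base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()
CHALLENGE = ("GET / HTTP/1.1\nHost: sso.example.test\n\n"
             "HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Negotiate")
ANSWERED = (CHALLENGE + "\n\nGET / HTTP/1.1\nHost: sso.example.test\n"
            "Authorization: Negotiate " + TOKEN)
```

A capture that stops at "client ignored the challenge" points at the browser side (trusted-uris setting, GSS library loading, or no usable TGT) rather than at the server.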
Re: Kerberos support with web browser?
Unfortunately, I know very little about SPNEGO; the only guidance I can offer at this point is to ask your question on the kerberos mailing list at https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos support with web browser?
I've set up a handful of Linux and Mac OS X machines as kerberos clients, tweaked Safari and Firefox to get the SPNEGO bits working, so my point of failure is the Maemo browser on the tablet from what I can tell.
Re: Kerberos support with web browser?
I've been searching everywhere for this, but this is the only mention I've found of it existing for Maemo.
Re: Kerberos support with web browser?
This seems really amazing, I can't wait!