NetBSD Developer Documentation: Kerberos Single Sign-On

Some TNF services support Kerberos authentication for single sign-on:

TNF will never use the Kerberos password to authenticate access to the source repository.

How to set your Kerberos password initially. 

$ ssh -t ⟨username⟩@cvs.NetBSD.org pwstore

How to change your Kerberos password. 

$ ssh -t ⟨username⟩@mollari.NetBSD.org passwd -k ⟨username⟩@NETBSD.ORG

How to reset a forgotten Kerberos password.  Send mail to admins@NetBSD.org and request to clear your password. Then set a new initial password like above.

How to get Kerberos tickets for login

How to use Kerberos in the browser


How to get Kerberos tickets for login

NetBSD

Create a file ~/.krb5/config with the following contents:

[libdefaults]
	name_canon_rules = as-is:match_domain=NetBSD.org

Then run:

$ kinit ⟨username⟩@NETBSD.ORG

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!

See the kerberos(8) man page for more details.

macOS (13.4)

Graphical interface
  1. Launch “Ticket Viewer” (at /System/Library/CoreServices/Applications/Ticket Viewer.app)
  2. Press the “Add Identity” button
  3. For “Identity”, enter ⟨username⟩@NETBSD.ORG

    The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!

  4. For “Password”, enter your Kerberos password

    By default Ticket Viewer will record your password in the macOS keychain, so you don't have to re-enter it next time; uncheck “Remember password in my keychain” if you want to avoid this.

  5. Press continue

If successful, you'll be returned to the main window with a new entry below the icons containing ⟨username⟩@NETBSD.ORG and the date and time at which the ticket obtained is due to expire.

Command-line interface

$ kinit ⟨username⟩@NETBSD.ORG
⟨username⟩@NETBSD.ORG's Password: 
$ 

The klist command will show current tickets. A kinit-created entry will also show up in Ticket Viewer.

You can record the password in the macOS keychain with the kinit --keychain option, so you don't have to re-enter it next time you run kinit.

Windows XP

Windows does not provide an easy way to configure and use KDCs different from the one embedded into an Active Directory.

Therefore, to use Kerberos, take the following steps:

  1. Download the MIT Kerberos for Windows installer. It is composed of different tools traditionally found with Kerberos distributions, like kinit(1) or klist(1), and a Network Identity Manager, an application used to manage credential caching of Kerberos tickets.
  2. Install the package. Use the default provided options, then restart the computer.
  3. The Network Identity Manager (PDF) should automatically start when you log in. As there is no principal currently configured, it should open a dialog box to obtain the new credentials.
  4. Enter your principal:

    Username: ⟨username⟩
    Realm: NETBSD.ORG
  5. Click Ok. After a few seconds, it should obtain the TGT for you from the NETBSD.ORG KDC.

How to use Kerberos in the browser

Firefox

  1. Open Firefox.
  2. Go to about:config.
  3. Filter for network.negotiate-auth.
  4. Set network.negotiate-auth.trusted-uris to .NetBSD.org. (Note: Not network.negotiate-auth.delegation-uris.)
  5. (Windows only) Filter for use-sspi, then set network.auth.use-sspi to false.
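The NetBSD section above amounts to a short procedure (write ~/.krb5/config, run kinit with the realm in upper case, confirm with klist), and the Firefox section is a handful of about:config settings. The following POSIX shell helpers are an added example, not part of the NetBSD documentation: they check a principal for the realm-case mistake the text warns about, install the config fragment without clobbering an existing file, and emit the Firefox preferences as a user.js fragment. The function names and the use of user.js for the preferences are this example's own choices; the config contents, the realm and the preference names are those given on this page.

```shell
#!/bin/sh
# Added example for the NetBSD.org Kerberos setup; not the project's own code.
# Function names are assumptions; config keys and preference names come from the page.

# Succeed only when PRINCIPAL is user@NETBSD.ORG with the realm in upper case.
# Kerberos realms are case-sensitive, so "user@netbsd.org" is a different
# (non-existent) realm, not a spelling variant.
krb_principal_ok() {
    case "$1" in
        ?*@NETBSD.ORG) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print PRINCIPAL with the realm forced to upper case; a bare user name gets
# the NETBSD.ORG realm appended. This repairs the common DNS-style typo
# before it reaches kinit.
krb_principal_fix() {
    case "$1" in
        *@*) user=${1%%@*}; realm=${1#*@} ;;
        *)   user=$1;       realm=NETBSD.ORG ;;
    esac
    printf '%s@%s\n' "$user" "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
}

# Write the [libdefaults] fragment from the NetBSD section. FILE defaults to
# ~/.krb5/config; an existing file is left untouched so local settings survive.
# The file is created with mode 0600 (umask applied in a subshell).
write_krb5_config() {
    file=${1:-$HOME/.krb5/config}
    if [ -e "$file" ]; then
        printf 'keeping existing %s\n' "$file" >&2
        return 0
    fi
    mkdir -p "$(dirname "$file")"
    ( umask 077
      printf '[libdefaults]\n\tname_canon_rules = as-is:match_domain=NetBSD.org\n' > "$file" )
}

# Emit the Firefox settings from the browser section as user.js lines
# (Firefox applies user.js from the profile directory at startup).
# Pass "windows" to include the SSPI setting that is only needed there.
firefox_negotiate_prefs() {
    printf 'user_pref("network.negotiate-auth.trusted-uris", ".NetBSD.org");\n'
    if [ "${1:-}" = windows ]; then
        printf 'user_pref("network.auth.use-sspi", false);\n'
    fi
}

# Put it together: repair the principal, install the config, then obtain and
# list tickets. kinit/klist are only run when they are installed.
krb_login() {
    principal=$(krb_principal_fix "$1")
    krb_principal_ok "$principal" || { echo "bad principal: $principal" >&2; return 1; }
    write_krb5_config
    if command -v kinit >/dev/null 2>&1; then
        kinit "$principal" && klist
    else
        echo "kinit not installed; would run: kinit $principal" >&2
    fi
}
```

Typical use is `krb_login alice` (or `krb_login alice@netbsd.org`, which is corrected to `alice@NETBSD.ORG`), and `firefox_negotiate_prefs >> "$PROFILE/user.js"` to apply the browser settings without clicking through about:config.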

Konqueror

Possibly the same as Safari

Safari (macOS)

  1. Open Safari.
  2. There is no Step 2.

Google Chrome

Run Chrome with the --auth-server-whitelist option. For example, in macOS:

$ open /Applications/Google\ Chrome.app --args --auth-server-whitelist="*.netbsd.org"

Internet Explorer

Internet Explorer can use Microsoft's built-in Kerberos. Does anyone know how? Some possibly relevant links:

Sadly, it seems MS IE can only use tickets cached inside the LSA (Local Security Authority), and this cache is only created upon logon through the winlogon service, which means that a host/⟨windows_machine⟩ principal would be needed for each Windows client that wants to cache a TGT. This is only suitable for Intranet-like networks. Maybe there is another way to manage the LSA after login, similar to kinit(1)... --jym