Configuring Kerberos for Firefox is ugly

Status: NEW
Assignee: Unassigned
Product: Firefox
Component: Security
Reported: 8 years ago
Last modified: 2 years ago
Reporter: Matěj Cepl
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 8 years ago)
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090911 Fedora/3.5.3-1.fc12 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090911 Fedora/3.5.3-1.fc12 Firefox/3.5.3

(originally filed as https://bugzilla.redhat.com/show_bug.cgi?id=526824)
To be able to use FF with kerberos SSO one has to follow the instructions like
this: 
Firefox can use your Kerberos credentials for authentication, but you need to
specify which domains to communicate with, and using which attributes.

1. Open Firefox, and type "about:config" in the Address Bar.
2. In the Search field, type "negotiate".
3. Ensure the following lines reflect your setup. Replace ".example.com" with
your own kerberos domain, including the preceding period (.):

      network.negotiate-auth.trusted-uris  .example.com
      network.negotiate-auth.delegation-uris  .example.com
      network.negotiate-auth.using-native-gsslib true

4. If you are configuring Firefox on Microsoft Windows, make the following
changes instead:

      network.negotiate-auth.trusted-uris  .example.com
      network.auth.use-sspi false
      network.negotiate-auth.delegation-uris  .example.com

5. In Firefox, navigate to the kerberos protected web site and ensure that
there are no Kerberos authentication errors, and that you can see and interact
with the web site. 

This bug is a request to provide a much more user friendly way of accomplishing
the same goal using some kind of click through interface. It should also be
possible to configure it using system management tools and scripts. 

Version-Release number of selected component (if applicable):
Any

Reproducible: Always

Steps to Reproduce:
1. see above

Actual Results:  
Making Firefox work with Kerberos is awfully complicated.

Expected Results:  
Firefox should support Kerberos (aka SPNEGO) "out of the box".
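The two prefs set in steps 3 and 4 are the whole security boundary: every server whose name matches network.negotiate-auth.trusted-uris is sent the user's Kerberos ticket, and servers matching network.negotiate-auth.delegation-uris can additionally be handed forwardable credentials. The JavaScript below is an added example, not part of the bug report and not Firefox's own code: it models, in simplified form, the documented matching of those comma-separated values (scheme prefixes such as "https://intranet", leading-dot suffixes such as ".example.com", bare domains such as "example.com") and lints a careless value beside the recommended one. The exact matching semantics are an assumption about Firefox's behaviour, and the sample pref values are constructed for the example.

```javascript
// Added example (not from the bug report or Firefox): a model of how the
// network.negotiate-auth.trusted-uris / delegation-uris values select the
// servers that receive Negotiate (Kerberos) authentication, plus a lint for
// over-broad entries. The matching rules are a simplified reading of the
// documented behaviour, not Firefox's implementation (assumption).

// Split a pref value into { token, scheme, host, port } entries.
function parseNegotiateUris(prefValue) {
  return prefValue
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((token) => {
      let scheme = null;
      let rest = token;
      const i = token.indexOf("://");
      if (i !== -1) {
        scheme = token.slice(0, i).toLowerCase();
        rest = token.slice(i + 3);
      }
      rest = rest.split("/")[0]; // entries carry no path component
      const [host, port] = rest.split(":"); // IPv6 literals not handled
      return { token, scheme, host: host.toLowerCase(), port: port ? Number(port) : null };
    });
}

// Host rule: a leading-dot entry is a pure suffix match, a bare entry matches
// the host itself and any subdomain, an empty host (scheme-only entry) matches
// every host.
function hostCovered(entry, host) {
  if (entry.host === "") return true;
  if (entry.host.startsWith(".")) return host.endsWith(entry.host);
  return host === entry.host || host.endsWith("." + entry.host);
}

// Full rule for one entry against a request URL: scheme and port must match
// exactly when the entry names them.
function entryMatches(entry, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port ? Number(u.port) : scheme === "https" ? 443 : 80;
  if (entry.scheme !== null && entry.scheme !== scheme) return false;
  if (entry.port !== null && entry.port !== port) return false;
  return hostCovered(entry, u.hostname.toLowerCase());
}

// Would Firefox (under this model) answer a 401 Negotiate from `url`?
function negotiateAllowed(prefValue, url) {
  return parseNegotiateUris(prefValue).some((e) => entryMatches(e, url));
}

// Lint the pair of prefs the instructions above set. Returns human-readable
// findings; an empty array means nothing suspicious was found.
function auditNegotiatePrefs(trustedUris, delegationUris) {
  const findings = [];
  const trusted = parseNegotiateUris(trustedUris);
  const delegation = parseNegotiateUris(delegationUris);
  const broad = (list, pref) => {
    for (const e of list) {
      if (e.host === "") {
        findings.push(`${pref}: "${e.token}" names no host, so it matches every server`);
      } else if (/^\.[^.]+$/.test(e.host)) {
        findings.push(`${pref}: "${e.token}" is a top-level suffix and matches every host under it`);
      }
    }
  };
  broad(trusted, "trusted-uris");
  broad(delegation, "delegation-uris");
  // Delegation only makes sense for servers we also authenticate to; a
  // delegation entry wider than trusted-uris usually means the two were mixed up.
  for (const d of delegation) {
    if (d.host === "") continue;
    const probe = d.host.startsWith(".") ? "host" + d.host : d.host;
    if (!trusted.some((t) => hostCovered(t, probe))) {
      findings.push(`delegation-uris: "${d.token}" is not covered by trusted-uris`);
    }
  }
  return findings;
}

// Constructed sample values: a careless configuration next to the one the
// instructions above recommend.
const WEAK_TRUSTED = "https://, .com";
const WEAK_DELEGATION = ".com";
const RECOMMENDED_TRUSTED = ".example.com";
const RECOMMENDED_DELEGATION = ".example.com";
```

Under this model ".example.com" covers web.example.com but neither the apex example.com nor a look-alike such as evilexample.com, while a scheme-only entry like "https://" hands the ticket to any HTTPS server; auditNegotiatePrefs reports the latter, a bare top-level suffix, and a delegation list wider than the trusted list.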

Updated (8 years ago): Status: UNCONFIRMED → NEW; Ever confirmed: true

Comment 1 (7 years ago)

Kerberos is used in many corporate organizations, whether known or not (e.g. as part of AD). If FF can support Kerberos/SPNEGO "out of the box" (or at least without users having to go into about:config), it would facilitate the adoption of FF in corporate environments.

Most clients using Kerberos will have an /etc/krb5.conf or an active TGT. In theory, the default_realm configuration directive could help populate the relevant configuration sections or be used instead of internal configuration sections.

POTENTIAL CASES:

1) User is in a single Kerberos domain
* use default_realm stanza in /etc/krb5.conf for configuration
* corporate DNS *should* have appropriate SRV records in DNS.

2) User is in more than one Kerberos domain
* domain_realm can perhaps be used to delimit
* DNS SRV entries for non-primary realms
* active TGTs can give 'hints' as to what domains are to be used

Updated (6 years ago): Depends on: 652196

Comment 2 (4 years ago)
You can create a file in a directory like /usr/lib64/firefox/browser/defaults/preferences with the following contents:

pref("network.negotiate-auth.trusted-uris", "example.com");

Note that you have to create the appropriate 32-bit or 64-bit one, and that the directory in which it lives has changed recently with an upgrade of firefox.

Perhaps realmd should be doing this, when the machine joins a realm?

You might want to fix bug 981477 before you inflict firefox+Kerberos on people in an automated fashion though...

Comment 3 (4 years ago)
Oops, sorry, wrong bugzilla. Make that 'bug 890908' in that case.
Component: General → Security
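Comment 1 proposes deriving the configuration from /etc/krb5.conf (default_realm and the [domain_realm] mapping) and comment 2 shows the pref() file that can be dropped into Firefox's defaults/preferences directory. The JavaScript below is an added example that joins the two; it is not code from the bug, from realmd or from Firefox. The krb5.conf text is constructed for the example, and the idea that a realm name EXAMPLE.COM corresponds to the DNS domain example.com is the usual convention, assumed here when no [domain_realm] entry covers the default realm.

```javascript
// Added example (not from the bug, realmd or Firefox): read the realm
// configuration from a krb5.conf and emit the defaults/preferences file that
// comment 2 writes by hand. Sample krb5.conf constructed for this example.

const SAMPLE_KRB5_CONF = `
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .lab.example.net = LAB.EXAMPLE.NET
    # comment line
`;

// Minimal INI-style reader: returns { section: [[key, value], ...] }.
// Nested "REALM = { ... }" blocks (as under [realms]) are skipped, since only
// [libdefaults] and [domain_realm] are needed here.
function parseKrb5Conf(text) {
  const sections = {};
  let current = null;
  let depth = 0;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/[#;].*$/, "").trim();
    if (!line) continue;
    const m = /^\[(\w+)\]$/.exec(line);
    if (m) {
      current = m[1];
      sections[current] = sections[current] || [];
      depth = 0;
      continue;
    }
    if (line.endsWith("{")) { depth++; continue; }
    if (line === "}") { depth--; continue; }
    if (current === null || depth > 0) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    sections[current].push([line.slice(0, eq).trim(), line.slice(eq + 1).trim()]);
  }
  return sections;
}

// Domains Firefox should send Negotiate to: every [domain_realm] key, plus the
// default realm lowercased as a leading-dot domain if nothing maps to it
// (assumption: realm name and DNS domain coincide, as is conventional).
function negotiateDomainsFromKrb5(text) {
  const conf = parseKrb5Conf(text);
  const domains = new Set();
  let defaultRealm = null;
  for (const [k, v] of conf.libdefaults || []) if (k === "default_realm") defaultRealm = v;
  for (const [k] of conf.domain_realm || []) domains.add(k.toLowerCase());
  if (defaultRealm !== null) {
    const guess = "." + defaultRealm.toLowerCase();
    const mapped = [...domains].some((d) => d === guess || d === guess.slice(1));
    if (!mapped) domains.add(guess);
  }
  return [...domains].sort();
}

// Render the pref() file in the format comment 2 uses. Delegation is left
// empty unless asked for, since forwarding the user's TGT to a server is a
// separate decision from authenticating to it.
function renderNegotiatePrefs(domains, { delegationDomains = [], nativeGsslib = true } = {}) {
  return [
    `pref("network.negotiate-auth.trusted-uris", "${domains.join(",")}");`,
    `pref("network.negotiate-auth.delegation-uris", "${delegationDomains.join(",")}");`,
    `pref("network.negotiate-auth.using-native-gsslib", ${nativeGsslib});`,
  ].join("\n") + "\n";
}
```

A join script (the realmd hook comment 2 imagines) would run negotiateDomainsFromKrb5 over the real /etc/krb5.conf and write renderNegotiatePrefs(...) to the architecture-specific defaults/preferences directory that comment 2 warns about; pass delegationDomains explicitly for the few hosts that genuinely need a forwarded ticket.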

Comment 4 (2 years ago)
Most of this configuration should be able to go away. These days Kerberos has realm autodiscovery and the ability to proxy over HTTP (MS-KKDCP; we are working on autodiscovery for this too). We are actively working on a PAKE pre-authentication method as well, so there is no possible attack on credentials even when giving packets to a rogue server.

There are only two possible "leakages":
1. the user principal to any listener
2. the browser history to the KDC

In the second case, only server granularity is provided. So this leakage isn't a big deal. It can also be mitigated by asking the user to log in with the existing TGT. It is also mitigated by the fact that such services are largely happening inside a security realm anyway; privacy here is not assumed.

In short, if Firefox encounters a Kerberos realm enrolled server, the user should simply be asked for login. Everything else can, and should, happen transparently.

Updated (2 years ago): Depends on: 890908

Comment 5 (2 years ago)
Seriously, not before bug 890908 is fixed. You really don't want to automatically use Kerberos when it can make Firefox go off into the weeds for *minutes* at a time without redrawing itself or responding in any way.