Better Resolution of Kerberos Credential Caches
Improving Multi-Login SSO
March 3, 2017
fedora
fedora-desktop
fedora-security
DevConf is a great time of year. Lots of developers gather in one place and we get to discuss integration issues between projects that may not have a direct relationship. One of those issues this year was the desktop integration of Kerberos authentication.
GNOME Online Accounts has supported the creation of Kerberos accounts since nearly the beginning, thanks to the effort of Debarshi Ray. However, we were made aware of an issue this year that had not come up before. Namely, in a variety of cases GSSAPI would not be able to complete authentication for non-default TGTs.
Roughly, this meant that if you logged into Kerberos using two different
accounts GSSAPI would only be able to complete authentication using your
default credential cache - meaning the last account you logged into. Users
could work around this problem by using kswitch
to change their default
credential cache. However, since authentication transparently failed, there
was no indication to the user that this could work. So the user experience was
particularly poor.
This difficulty became even more noticable after the Fedora deployment of Kerberos by Patrick Uiterwijk. Many Fedora developers also use Kerberos for other realms, so the pain was spreading.
I am happy to say that we have discovered a cure for this malady!
Matt Rogers worked with upstream to merge this patch which causes GSSAPI to do the RightThing™. Robbie Harwood landed the patch in Fedora (rawhide, 26, 25). So we believe this issue to be resolved.
If you’re a Fedora 25 user, please help us test the fix! There is a pending update for krb5 on Bodhi. The easy way to reproduce this issue is as follows:
- Log in with the Kerberos account you want to use for the test.
- Log in with another Kerberos account.
- Confirm that the second account is default with
klist
. - Attempt to login to a service using the first credential and GSSAPI. The easiest way to do this is probably to go to a Kerberos protected website using your browser (assming it is properly configured for GSSAPI).
- Before the patch, automatic login should fail. Afterwards, it shouldn’t.
Enjoy!