gssapi / gssproxy

A proxy for GSSAPI | Docs at https://github.com/gssapi/gssproxy/tree/main/docs
Other
44 stars 28 forks source link

Kerberos authentication does not work on sso.redhat.com in Epiphany flatpak #107

Open mcatanzaro opened 1 month ago

mcatanzaro commented 1 month ago

It's not possible for Red Hat employees to use Kerberos authentication on sso.redhat.com when using Epiphany from Flathub or Epiphany Tech Preview. We don't know why.

I think the problem is somehow related to gssproxy because if we bypass it by opening a sandbox hole to use the host Kerberos service, then the authentication works properly. Here is a test patch:

From fd0bc8c254be63d297b705afb9b37680595fe031 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Florian=20M=C3=BCllner?= <fmuellner@gnome.org>
Date: Fri, 18 Oct 2024 16:35:04 +0200
Subject: [PATCH] krb

---
 krb5.conf               |  9 +++++++++
 org.gnome.Epiphany.json | 30 ++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 krb5.conf

diff --git a/krb5.conf b/krb5.conf
new file mode 100644
index 0000000..62f2d53
--- /dev/null
+++ b/krb5.conf
@@ -0,0 +1,9 @@
+[libdefaults]
+    dns_lookup_realm = false
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    pkinit_anchors = FILE:/etc/ssl/certs/ca-certificates.crt
+    spake_preauth_groups = edwards25519
+    default_ccache_name = KCM:
diff --git a/org.gnome.Epiphany.json b/org.gnome.Epiphany.json
index c9a0751..9a7dc3c 100644
--- a/org.gnome.Epiphany.json
+++ b/org.gnome.Epiphany.json
@@ -7,6 +7,7 @@
     "finish-args": [
         "--device=dri",
         "--filesystem=xdg-download",
+        "--filesystem=/run/.heim_org.h5l.kcm-socket",
         "--share=ipc",
         "--share=network",
         "--socket=fallback-x11",
@@ -121,6 +122,35 @@
                 }
             ]
         },
+        {
+            "name" : "kerberos",
+            "subdir" : "src",
+            "config-opts" : [
+                "--localstatedir=/var/lib",
+                "--sbindir=${FLATPAK_DEST}/bin",
+                "--disable-rpath",
+                "--disable-static"
+            ],
+            "sources" : [
+                {
+                    "type": "archive",
+                    "url" : "https://kerberos.org/dist/krb5/1.21/krb5-1.21.tar.gz",
+                    "sha256" : "69f8aaff85484832df67a4bbacd99b9259bd95aab8c651fbbe65cdc9620ea93b"
+                },
+                {
+                    "type" : "file",
+                    "path" : "krb5.conf"
+                }
+            ],
+            "cleanup" : [
+                "/bin",
+                "/share/et",
+                "/share/examples"
+            ],
+            "post-install" : [
+                "install -Dm644 ../krb5.conf -t ${FLATPAK_DEST}/etc/"
+            ]
+        },
         {
             "name": "libportal",
             "buildsystem": "meson",
-- 
2.47.0