Kerberos in snaps: Summary of the current state

Since Snapd 2.71[0], snaps can connect to the kerberos-tickets
slot. Firefox, for example:

sudo snap connect firefox:kerberos-tickets

This will make Kerberos authentication work assuming a credentials cache
of the file type and path matching /tmp/krb5cc* (a default configuration
satisfies this condition).

=> Known limitations <=

  • FIXED [1] Denial to write session tickets to cache causes (potentially
    significantly) slower authentication. Fix scheduled for Snapd 2.75.

  • FIXED [2] Unreadable includedir in krb5.conf causes Kerberos to bail out.

  • [3] Support a credentials cache of KEYRING type.

=> But {this snap} has no kerberos-tickets plug <=

Contact the snap maintainers and request its addition.

=> I want my credentials cache to be {arbitrary path} <=

I’m convinced security reviewers would reject that as it would imply that
any path in the system could be exposed to the snap, but you’re welcome to
open a discussion in the Snapcraft forum and link it here.

=> I found {this other limitation} <=

File a bug or, if you’re unsure, raise it here.

Cheers!

[1] Bug #2138268 “Kerberos authentication slow in Firefox (snap) and...” : Bugs : firefox package : Ubuntu
[2] Bug #2122317 “Unreadable includedir /var/lib/sss/pubconf/krb5.in...” : Bugs : chromium-browser package : Ubuntu
[3] Bug #2139666 “Kerberos authentication does not work with KEYRING...” : Bugs : firefox package : Ubuntu
[0] https://launchpad.net/bugs/1849346

2 Likes
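
The condition stated in the first post (a credentials cache of FILE type whose path matches /tmp/krb5cc*), written as a check. This is an added example, not part of the original thread and not snapd or krb5 code. classify_ccache is a hypothetical helper name, the sample values are constructed, and it assumes that '*' does not cross a '/', as in AppArmor file globs.

```shell
#!/bin/sh
# Added example (not snapd or krb5 code). classify_ccache is a hypothetical
# helper; it encodes only the condition stated in the post: a cache of FILE
# type whose path matches /tmp/krb5cc*.
# Assumption: '*' does not cross a '/', as in AppArmor file globs.
classify_ccache() {
    cc_name=$1
    if [ -z "$cc_name" ]; then
        echo "unset"          # library default or krb5.conf decides
        return 0
    fi
    # Names are TYPE:residual; a name with no TYPE: prefix is a FILE path.
    case $cc_name in
        /*)  cc_type=FILE;           cc_path=$cc_name ;;
        *:*) cc_type=${cc_name%%:*}; cc_path=${cc_name#*:} ;;
        *)   cc_type=FILE;           cc_path=$cc_name ;;
    esac
    if [ "$cc_type" != FILE ]; then
        echo "unsupported-type:$cc_type"   # e.g. KEYRING, see limitation [3]
        return 0
    fi
    case $cc_path in
        /tmp/krb5cc*/*) echo "outside-pattern" ;;  # nested below the glob
        /tmp/krb5cc*)   echo "ok" ;;
        *)              echo "outside-pattern" ;;
    esac
}

# Constructed sample values, then the caller's real environment.
for sample in \
    "FILE:/tmp/krb5cc_1000" \
    "/tmp/krb5cc_1000" \
    "KEYRING:persistent:1000" \
    "FILE:/run/user/1000/krb5cc" \
    "FILE:/tmp/krb5cc_1000/tkt"
do
    printf '%-32s %s\n' "$sample" "$(classify_ccache "$sample")"
done
printf '%-32s %s\n' "KRB5CCNAME=${KRB5CCNAME:-}" \
    "$(classify_ccache "${KRB5CCNAME:-}")"
```

An "unset" result only means KRB5CCNAME is empty in the calling shell; the cache actually in use is the one klist reports.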

Hi @nteodosio,

From re-reading through the status of each of the bugs it sounds like to resolve kerberos auth in snap-based Firefox, Chromium, and Thunderbird:

  • snapd 2.75 includes both [1] and [2] and needs to be released in 25.10? 26.04?
  • snapd 2.75 needs to be backported to 24.04 (Noble)
  • Each app needs to add the kerberos plug?
  • Users must have KRB5CCNAME in the env that each snap app reads?

Is that a correct summary of what is remaining?

Hi @pboushy, that is correct. Now, Snapd is usually backported to the stable releases at the same time, cf. LP:2138629 (SRU for 2.74.1). Snapd 2.75 is already in the beta channel though, so if one doesn’t want to wait, one can do snap refresh --beta snapd.

There is, again, no SSO in snap Firefox:

snap version

snap 2.75.2
snapd 2.75.2
series 16
ubuntu 26.04
kernel 7.0.0-15-generic
architecture amd64

It does not matter whether I use Firefox 149.x or 152.x.

Of course I did connect the plug “snap connect firefox:kerberos-tickets”

For reference, the bug you filed: Bug #2152233 “Snap Firefox breaks SSO again in Ubuntu 26.04” : Bugs : firefox package : Ubuntu.