[GH-ISSUE #5492] support for Kerberos/GSSAPI (e.g. browser SPNEGO) #3017

Open
opened 2026-05-05 09:40:08 -06:00 by gitea-mirror · 16 comments

Originally created by @loveshack on GitHub (Nov 30, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5492

This enables Kerberos authentication, e.g. SPNEGO in browsers. It will presumably also work for other things with Kerberos/GSSAPI authN like ssh (which I can't easily test currently). Most probably won't need /etc/gss, though. The KCM socket location might be configured differently from the default below with sssd-kcm.

I've tested some combinations of packaged Firefox and Brave using FILE: and KCM credential caches, under packaged Firejail v0.9.70 in Debian and RHEL 8. KEYRING doesn't work, but isn't advised anyhow as it's not namespaced.

```
# gssapi (with FILE: or KCM: ccache, but not KEYRING:):
whitelist /etc/krb5*
# FILE:
whitelist /tmp/krb5cc_*
# KCM:
whitelist /var/run/.heim_org.h5l.kcm-socket
# Debian
whitelist /etc/ssl
# Fedora
whitelist /etc/pki
# (Not needed for the Kerberos mechanism)
whitelist /etc/gss
# end gssapi
```

@Thulium-Drake commented on GitHub (May 22, 2023):

I had to do it slightly differently on my Debian system (I also had to configure SSSD to use KCM as Debian by default does KEYRING), but I ran into `klist: Included profile directory could not be read while initializing krb5` errors.

Adding the line below fixed that:

```
whitelist /var/lib/sss/pubconf/krb5.include.d/
```

@loveshack commented on GitHub (May 24, 2023):

> I had to do it slightly differently on my Debian system (I also had to
> configure SSSD to use KCM as Debian by default does KEYRING),

It's FILE: for me when krb5-user creates krb5.conf on Debian 11, but no
matter.

> but I
> ran into `klist: Included profile directory could not be read while initializing krb5` errors
>
> Adding the line below fixed that:
> ```
> whitelist /var/lib/sss/pubconf/krb5.include.d/
> ```

Ah, thanks. I just have pam_krb5, and that doesn't exist.


@ghost commented on GitHub (May 31, 2023):

This is not working for me at least. Do you have a full example? Where are you dropping the overrides? Debian based distribution.


@ghost commented on GitHub (May 31, 2023):

KEYRING: is actually needed by the way. I don't know in which cases FILE or KCM would ever be a good idea or even found in real-world deployments.

(I am aware of https://docs.pagure.org/sssd.sssd/design_pages/kcm.html and I still think the benefits of KCM are debatable in practice)


@Thulium-Drake commented on GitHub (Jun 1, 2023):

I use KCM because of one reason mostly, it's the default config in RHEL8+ and it works better in a namespaced environment (podman etc.).

What I did on my machine:

- Install SSSD-KCM

```
apt install sssd-kcm
```

- Create `/etc/krb5.conf.d/kcm_default_ccache`:

```
[libdefaults]
default_ccache_name = KCM:
```

- Reboot (to make sure nothing runs anymore that could cache my credentials)
- Log in, check my tickets

```
$ klist
Ticket cache: KCM:123456:123456
Default principal: me@EXAMPLE.NET

Valid starting       Expires              Service principal
2023-06-01 16:42:43  2023-06-02 16:19:32  krbtgt/EXAMPLE.NET@EXAMPLE.NET
	renew until 2023-06-08 16:42:43
```

- Configure a profile for Firefox

```
name firefox

# Allow access to sockets for Keepass browser integration
noblacklist ${RUNUSER}/app
mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC

# Allow Kerberos ticket access for SSO
whitelist /var/lib/sss/pubconf/krb5.include.d/
noblacklist /run/.heim_org.h5l.kcm-socket
whitelist /run/.heim_org.h5l.kcm-socket

include /home/me/firejails/filesystems.inc  # Some basic blacklists for my private data, see below
include /etc/firejail/firefox.profile
```

- Optional extra profile for filesystems I want to protect/allow

```
noblacklist ${HOME}/.pulse
whitelist ${HOME}/.pulse

blacklist /data
blacklist /mnt
```

@ghost commented on GitHub (Jun 1, 2023):

@Thulium-Drake How are you managing the profile? ex. what is the preferred destination for local mods. I have been partial to using /etc/firejail/*.local but the way overrides work doesn't seem well documented. For example using whitelist directives seems to break the parent profile for me.

I'm not keen on using KCM as a rule of thumb only because of the implications of having a file on disk. This introduces other security risks, since the KEYRING subsystem is very easy to control as it is accessible only via keyctl (system calls). With the current climate of Spectre-type issues and the attack surface of drive firmware (ex. SSDs), plus the entire IO layer of the kernel, once the credentials/token hit the disk they become easier to target. Of course KEYRING is not free of issues (any kernel exploit would yield access) but it does limit things to a single point of failure, which in this case, is a good thing.

I nonetheless configured a test system for KCM while I figure out how to adjust seccomp in the profile to be able to do keyctl calls. Testing on Ubuntu "jammy".


@ghost commented on GitHub (Jun 1, 2023):

@vogelfreiheit

> How are you managing the profile? ex. what is the preferred destination for local mods. I have been partial to using /etc/firejail/*.local but the way overrides work doesn't seem well documented. For example using whitelist directives seems to break the parent profile for me.

You can find detailed info on our wiki pages: [Creating overrides](https://github.com/netblue30/firejail/wiki/Creating-overrides). The include logic can become somewhat complex and extra attention should be paid as to which local override is suited for overriding any of the included .inc files. I don't want to hijack your exchange with @Thulium-Drake but it would help if you could provide an example of your experienced breakage. Just my 2 cents :)


@ghost commented on GitHub (Jun 1, 2023):

@glitsj16 Absolutely no hijacking taken, feel free to contribute. I just read the whitelist nuances, thanks. That makes sense now.

This is what I am testing in a VM in a client-IPA server configuration:

```
ignore private-dev

noblacklist /etc/krb5.conf.d
noblacklist /var/lib/sss/pubconf/krb5.include.d/
noblacklist /proc/keys
noblacklist /etc/krb5.conf
noblacklist /etc/krb5.conf.d/

# Allow access to sockets for Keepass browser integration
noblacklist ${RUNUSER}/app
mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC

# Allow Kerberos ticket access for SSO
whitelist /var/lib/sss/pubconf/krb5.include.d/
noblacklist /run/.heim_org.h5l.kcm-socket
whitelist /run/.heim_org.h5l.kcm-socket

seccomp !keyctl
```

(for firefox.local in /etc/firejail)

No dice.


@ghost commented on GitHub (Jun 1, 2023):

Also: KCM will break NFS it seems.


@Thulium-Drake commented on GitHub (Jun 1, 2023):

I have a git repo in my homedir which houses all my profiles. I wrote the following script, which will check if I have a custom profile for a specific app, if not, it 'just' starts with the default profile from /etc/firejail

```
#!/bin/bash
# Check if we have a profile for the started application, then run it

CMD=$1
shift
# Keep the remaining arguments as an array so spaces and globs survive intact
CMD_ARGS=("$@")
CMD_BIN=$(which "$CMD")
FJ_BIN=$(which firejail)

CUSTOM_FIREJAILS=$HOME/firejails
DEFAULT_FIREJAILS=/etc/firejail
PROFILE=false
DEFAULT_PROFILE=false

# Prefer a custom profile, fall back to the packaged one
if [[ -f $CUSTOM_FIREJAILS/${CMD}.profile ]]
then
  PROFILE=true
elif [[ -f $DEFAULT_FIREJAILS/${CMD}.profile ]]
then
  DEFAULT_PROFILE=true
fi

if $PROFILE
then
  "$FJ_BIN" --profile="$CUSTOM_FIREJAILS/$CMD.profile" "$CMD_BIN" "${CMD_ARGS[@]}"
elif $DEFAULT_PROFILE
then
  zenity --warning --text 'No firejail custom profile detected, using default' --width=300 --timeout=5 &
  "$FJ_BIN" --profile="$DEFAULT_FIREJAILS/$CMD.profile" "$CMD_BIN" "${CMD_ARGS[@]}"
fi
```

With this in place, I run `/home/me/firejails/fjwrapper firefox` to start Firefox

It may be a bit rough around the edges, but it works pretty well :-)


@loveshack commented on GitHub (Jun 2, 2023):

This clearly isn't the place for argument and support of Kerberos
applications generally.

If you really need this as an include fragment, with a suggestion for
debugging, see
https://fx.srht.site/posts/2022-05-13-spnego.html#sandboxes-like-firejail
I don't know if the Kerberos trace will help if you want to add KEYRING
support, but I guess other applications with profiles use the Linux
keyring. Obviously do follow up with any success at that.


@ghost commented on GitHub (Jun 2, 2023):

I'm not familiar with Kerberos/GSSAPI but I wanted to make some general comments on some of the profile options mentioned in this thread.

Using `noblacklist foo` only makes sense for items that have `blacklist foo` in other relevant profile files. This probably sounds pedantic, but it can really help keeping things less convoluted/overly-complex. For example, these items are not blacklisted anywhere AFAICT and their noblacklist lines can be dropped:

```
/etc/krb5.conf
/etc/krb5.conf.d
/etc/krb5.conf.d/
/var/lib/sss/pubconf/krb5.include.d/
```

About `whitelisting /etc/foo`. For Firefox we enable `private-etc` in firefox-common.inc. IMO any additional items needed from /etc for this Kerberos/GSSAPI issue should be added to private-etc (instead of needing to be whitelisted).

Another remark relates to how `support for KeePassXC` is enabled here.

> ```
> # Allow access to sockets for Keepass browser integration
> noblacklist ${RUNUSER}/app
> mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC
> whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
> ```

Compare this with https://github.com/netblue30/firejail/blob/30ff544b8fc4362d51d10d28d633600d5e714ae4/etc/profile-a-l/firefox.profile?#L32-L35
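
The two checks described in the comment above, as an added example (not code from the thread or from the firejail project): a small linter that flags `noblacklist` lines with no matching `blacklist`, and `whitelist` lines under /etc when `private-etc` is active. `SAMPLE_BASE` is a constructed stand-in for the included profile files, and the glob matching is a simplification of firejail's own path handling.

```python
import fnmatch
import posixpath

# Constructed stand-in for the profile files an override is layered on.
# Sample input only, NOT the contents of firejail's shipped files.
SAMPLE_BASE = """\
blacklist ${RUNUSER}/app
blacklist /proc/keys
blacklist /run/.heim_org.h5l.kcm-socket
private-etc ca-certificates,ssl,pki
"""

# The firefox.local override posted in the thread (comment lines dropped).
THREAD_OVERRIDE = """\
ignore private-dev
noblacklist /etc/krb5.conf.d
noblacklist /var/lib/sss/pubconf/krb5.include.d/
noblacklist /proc/keys
noblacklist /etc/krb5.conf
noblacklist /etc/krb5.conf.d/
noblacklist ${RUNUSER}/app
mkdir ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist ${RUNUSER}/app/org.keepassxc.KeePassXC
whitelist /var/lib/sss/pubconf/krb5.include.d/
noblacklist /run/.heim_org.h5l.kcm-socket
whitelist /run/.heim_org.h5l.kcm-socket
seccomp !keyctl
"""

# The /etc-related lines of the fragment from the opening post.
ISSUE_FRAGMENT = """\
whitelist /etc/krb5*
whitelist /tmp/krb5cc_*
whitelist /var/run/.heim_org.h5l.kcm-socket
whitelist /etc/ssl
whitelist /etc/pki
whitelist /etc/gss
"""


def norm(path):
    """Normalise so /etc/krb5.conf.d and /etc/krb5.conf.d/ compare equal."""
    return posixpath.normpath(path.strip())


def directives(text):
    """Yield (keyword, argument) pairs, skipping blanks and '#' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        yield keyword, arg.strip()


def lint(override, base):
    """Return (redundant_noblacklist, etc_whitelists) for an override."""
    base_rules = list(directives(base))
    blacklisted = [norm(a) for k, a in base_rules if k == "blacklist"]
    private_etc = any(k == "private-etc" for k, _ in base_rules)
    redundant, etc_hits = [], []
    for keyword, arg in directives(override):
        path = norm(arg)
        if keyword == "noblacklist":
            # Simplified matching: either side may carry a glob.
            covered = any(fnmatch.fnmatchcase(b, path) or
                          fnmatch.fnmatchcase(path, b) for b in blacklisted)
            if not covered and path not in redundant:
                redundant.append(path)
        elif keyword == "whitelist" and private_etc and path.startswith("/etc/"):
            etc_hits.append(path)  # candidate for private-etc instead
    return redundant, etc_hits


if __name__ == "__main__":
    print(lint(THREAD_OVERRIDE, SAMPLE_BASE))
    print(lint(ISSUE_FRAGMENT, SAMPLE_BASE))
```

To lint a real setup, replace `SAMPLE_BASE` with the concatenated text of the profile and `.inc` files the override actually includes.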


@rusty-snake commented on GitHub (Jun 2, 2023):

@glitsj16 https://github.com/netblue30/firejail/discussions/5444#discussioncomment-4039950


@ghost commented on GitHub (Jun 2, 2023):

> This clearly isn't the place for argument and support of Kerberos applications generally. If you really need this as an include fragment, with a suggestion for debugging, see https://fx.srht.site/posts/2022-05-13-spnego.html#sandboxes-like-firejail I don't know if the Kerberos trace will help if you want to add KEYRING support, but I guess other applications with profiles use the Linux keyring. Obviously do follow up with any success at that.

This is not a discussion about "Kerberos applications generally", this is a discussion of firejail breaking SPNEGO/Kerberos and KEYRING access, which are ubiquitous in many environments. Perhaps not the home Linux or hobbyist user, but everywhere else including education and enterprise they most definitely are.

There is a very valid argument to be made about including a boolean or similar option to explicitly support auth negotiation in all profiles.


@loveshack commented on GitHub (Oct 13, 2025):

The configuration I was using in Debian 12 no longer works with firefox in Debian 13. I'll try to find out why.

[Regarding the previous comment, I know keyring is used, but I don't have an interest in fixing its use in firejail.]
