Using Kerberos Authentication with Tiny Tiny RSS


Now that I’ve started rolling out Kerberized services across my network, I suddenly (or not so suddenly) want everything to be Kerberized; and not just my network services - my car, my house, Netflix - everything! Kerberizing everything is more work than I’d like to tackle so I took on Tiny Tiny RSS instead. There was one unique thing about kerberizing TT-RSS when contrasted to the other web apps on my network: I already had a unique local account in TT-RSS that I wanted to continue to make use of its preferences, subscribed feeds, published and starred articles, article history, etc.

TT-RSS Config

TT-RSS has included an “auth_remote” plugin for awhile now. Its intent is to allow Apache Basic authentication - exactly what I needed. In order to make use of auth_remote, I had to make a couple of changes to the TT-RSS config.php file:

define('ALLOW_REMOTE_USER_AUTH', true); define('AUTH_AUTO_CREATE', true); define('AUTH_AUTO_LOGIN', true); define('PLUGINS', 'auth_internal, auth_remote');


Once I got logged in to TT-RSS via my TGT, I was presented with a fresh user account. I knew the back-end for TT-RSS was MySQL so I turned my attention there to get my old profile back. First, display your users. You should see an admin account, any other local accounts, and finally your SSO account:

select * from ttrss.ttrss_users;

| 1 | admin | MODE2... | 2 | another_local_user | MODE2... | 3 | username@DOMAIN.TLD | MODE2...

What I did was simply switch the “login” username:

update ttrss.ttrss_users set login='username@DOMAIN.TLD' where id='1'; update ttrss.ttrss_users set login='admin' where id='3';

My ttrss_users table now looked like this:

| 1 | username@DOMAIN.TLD | MODE2... | 2 | another_local_user | MODE2... | 3 | admin | MODE2...

Your admin password is borked an will need to be reset but you should now be able to log in to TT-RSS with your TGT and still have your old profile.