Kerberos and IP aliases

Mark Davies mark at mcs.vuw.ac.nz
Mon Sep 10 23:02:38 EDT 2007


Russ Allbery wrote:
> In some cases the client will just use whatever hostname is given on
> the command line, but in many cases it will do a forward and reverse
> DNS lookup to canonicalize the hostname (although this is less
> secure if you can't trust DNS, and most people can't).  So in
> practice the server needs to have a key for all identities that
> might result from either of those approaches. 

Is there a way to have modauthkerb able to accept multiple identities 
for a single web site? I couldn't see an obvious way to configure it.

We used to have this setup:

	www.mcs.vuw.ac.nz cname for p.mcs.vuw.ac.nz
	p.mcs.vuw.ac.nz A	A.B.C.D
	D.C.B.A.in-addr.arpa	ptr p.mcs.vuw.ac.nz

Web site always referenced as www.mcs.vuw.ac.nz. Server had key for 
HTTP/p.mcs.vuw.ac.nz.

This worked fine for Firefox on Windows, Mac and Unix, Konqueror on 
Unix and IE on Windows, but Safari on Mac would try 
HTTP/www.mcs.vuw.ac.nz and so fail.

In an attempt to get Safari working I changed the www.mcs.vuw.ac.nz 
cname entry to an A record for A.B.C.D and changed the web server to 
have a key for HTTP/www.mcs.vuw.ac.nz.  Safari now works, IE and 
konqueror continue to work as does Firefox on Windows and UNIX but 
Firefox on Mac now fails (it tries to use the principal 
HTTP/p.mcs.vuw.ac.nz).  I don't understand why Firefox's DNS lookup 
behaviour is platform specific.

cheers
mark
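
The two DNS setups described in the message above, worked through as an added example (not code from the original post or from any Kerberos project): it computes which service principal each hostname canonicalization strategy produces and which keys a keytab is missing. The zone data is constructed from the post's records, "A.B.C.D" is the post's own placeholder, the PTR record is assumed unchanged in the second setup, and the function names are hypothetical.

```python
# Constructed zone data modelled on the two DNS setups in the post.
# "A.B.C.D" is the post's placeholder address, used here as an opaque key.
SETUP_CNAME = {
    "CNAME": {"www.mcs.vuw.ac.nz": "p.mcs.vuw.ac.nz"},
    "A": {"p.mcs.vuw.ac.nz": "A.B.C.D"},
    "PTR": {"A.B.C.D": "p.mcs.vuw.ac.nz"},
}
# Assumption: only the www record changed; the PTR still names p.
SETUP_A = {
    "CNAME": {},
    "A": {"www.mcs.vuw.ac.nz": "A.B.C.D", "p.mcs.vuw.ac.nz": "A.B.C.D"},
    "PTR": {"A.B.C.D": "p.mcs.vuw.ac.nz"},
}


def forward(zone, name):
    """Follow CNAMEs to the canonical name; return (canonical, address)."""
    seen = set()
    while name in zone["CNAME"]:
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = zone["CNAME"][name]
    return name, zone["A"].get(name)


def candidate_spns(zone, typed, service="HTTP"):
    """Principals a client may request, keyed by canonicalization strategy."""
    typed = typed.lower().rstrip(".")
    canonical, addr = forward(zone, typed)
    reverse = zone["PTR"].get(addr) if addr else None
    return {
        "as_typed": f"{service}/{typed}",
        "forward_only": f"{service}/{canonical}",
        "forward_reverse": f"{service}/{reverse or canonical}",
    }


def missing_keys(zone, typed, keytab):
    """Candidate principals that have no key in the server keytab."""
    return sorted(set(candidate_spns(zone, typed).values()) - set(keytab))


if __name__ == "__main__":
    site = "www.mcs.vuw.ac.nz"
    for label, zone, keytab in (
        ("CNAME setup", SETUP_CNAME, {"HTTP/p.mcs.vuw.ac.nz"}),
        ("A-record setup", SETUP_A, {"HTTP/www.mcs.vuw.ac.nz"}),
    ):
        print(label, candidate_spns(zone, site), missing_keys(zone, site, keytab))
```

In both setups the candidate set contains two principals while the keytab holds one, so whichever client picks the other strategy fails. The realm suffix is omitted for brevity.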


