Kerberos and IP aliases
Mark Davies
mark at mcs.vuw.ac.nz
Mon Sep 10 23:02:38 EDT 2007
Russ Allbery wrote:
> In some cases the client will just use whatever hostname is given on
> the command line, but in many cases it will do a forward and reverse
> DNS lookup to canonicalize the hostname (although this is less
> secure if you can't trust DNS, and most people can't). So in
> practice the server needs to have a key for all identities that
> might result from either of those approaches.
Is there a way to have modauthkerb able to accept multiple identities
for a single web site? I couldn't see an obvious way to configure it.

We used to have this setup:

  www.mcs.vuw.ac.nz       cname for p.mcs.vuw.ac.nz
  p.mcs.vuw.ac.nz         A     A.B.C.D
  D.C.B.A.in-addr.arpa    ptr   p.mcs.vuw.ac.nz

Web site always referenced as www.mcs.vuw.ac.nz. Server had key for
HTTP/p.mcs.vuw.ac.nz

This worked fine for Firefox on Windows, Mac and Unix,
Konqueror on Unix and IE on Windows, but Safari on Mac would try
HTTP/www.mcs.vuw.ac.nz and so fail.

In an attempt to get Safari working I changed the www.mcs.vuw.ac.nz
cname entry to an A record for A.B.C.D and changed the web server to
have a key for HTTP/www.mcs.vuw.ac.nz. Safari now works, IE and
Konqueror continue to work as does Firefox on Windows and UNIX but
Firefox on Mac now fails (it tries to use the principal
HTTP/p.mcs.vuw.ac.nz). I don't understand why Firefox's DNS lookup
behaviour is platform specific.

cheers
mark
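
The two DNS layouts from this message, as an added example that is not part of the original post: a small Python model of the hostname choices described in the quoted text (name as typed, forward lookup, forward plus reverse lookup) that lists which service principals the server's keytab lacks. The zone data is constructed, 192.0.2.10 stands in for the elided A.B.C.D, and all function names are hypothetical.

```python
# Constructed zone data modelled on the two DNS layouts in the post.
# 192.0.2.10 is a placeholder for the elided address A.B.C.D.
WWW, P, ADDR = "www.mcs.vuw.ac.nz", "p.mcs.vuw.ac.nz", "192.0.2.10"
ZONE_OLD = {"cname": {WWW: P}, "a": {P: ADDR}, "ptr": {ADDR: P}}
ZONE_NEW = {"cname": {}, "a": {WWW: ADDR, P: ADDR}, "ptr": {ADDR: P}}


def forward(zone, name):
    """Follow CNAMEs to the canonical name; return (name, address or None)."""
    seen = set()
    while name in zone["cname"]:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = zone["cname"][name]
    return name, zone["a"].get(name)


def candidate_spns(zone, typed, service="HTTP"):
    """Service principal a client would request under each lookup style."""
    canon, addr = forward(zone, typed)
    hosts = {
        "as-typed": typed,                                # no canonicalization
        "forward": canon,                                 # CNAME target only
        "forward+reverse": zone["ptr"].get(addr, canon),  # PTR of the address
    }
    return {mode: f"{service}/{host.lower()}" for mode, host in hosts.items()}


def missing_keys(zone, typed, keytab):
    """Principals some client may request that the keytab has no key for."""
    return sorted(set(candidate_spns(zone, typed).values()) - set(keytab))


if __name__ == "__main__":
    for label, zone, keytab in [
        ("old layout", ZONE_OLD, {"HTTP/" + P}),
        ("new layout", ZONE_NEW, {"HTTP/" + WWW}),
        ("new layout, both keys", ZONE_NEW, {"HTTP/" + P, "HTTP/" + WWW}),
    ]:
        print(label, candidate_spns(zone, WWW),
              "missing:", missing_keys(zone, WWW, keytab))
```
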