Kerberos and IP aliases

Russ Allbery rra at stanford.edu
Mon Sep 10 23:11:42 EDT 2007


Mark Davies <mark at mcs.vuw.ac.nz> writes:
> Russ Allbery wrote:

>> In some cases the client will just use whatever hostname is given on
>> the command line, but in many cases it will do a forward and reverse
>> DNS lookup to canonicalize the hostname (although this is less secure
>> if you can't trust DNS, and most people can't).  So in practice the
>> server needs to have a key for all identities that might result from
>> either of those approaches.

> Is there a way to have modauthkerb able to accept multiple identities 
> for a single web site? I couldn't see an obvious way to configure it.

I patched mod_auth_kerb a long time back to do this and thought that patch
was incorporated into the upstream source, but apparently it wasn't.  You
have to patch it to not explicitly import credentials and instead let the
GSS-API library figure out what server credentials to use.

> This worked fine for Firefox on Windows, Mac and Unix, Konqueror on Unix
> and IE on Windows, but Safari on Mac would try
> HTTP/www.mcs.vuw.ac.nz and so fail.

Yup, Safari uses a different algorithm than the other browsers.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
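
Added example, not part of the original message and not code from mod_auth_kerb: a check of which HTTP/ service principals a web server reached under an alias needs keys for, given that a client may use the name as typed or the name obtained by forward and reverse DNS lookup. The host names, realm and DNS tables are constructed sample data, and every function name here is hypothetical.

```python
import socket

# Constructed sample data: one address, reached as an alias and as its real name.
SAMPLE_A = {"www.example.org": "192.0.2.10", "web1.example.org": "192.0.2.10"}
SAMPLE_PTR = {"192.0.2.10": "web1.example.org"}

def fake_forward(host, port):
    """Offline stand-in for socket.getaddrinfo, backed by SAMPLE_A."""
    if host not in SAMPLE_A:
        raise socket.gaierror("unknown host")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (SAMPLE_A[host], 0))]

def fake_reverse(addr):
    """Offline stand-in for socket.gethostbyaddr, backed by SAMPLE_PTR."""
    if addr not in SAMPLE_PTR:
        raise socket.herror("no PTR record")
    return (SAMPLE_PTR[addr], [], [addr])

def client_names(host, forward=socket.getaddrinfo, reverse=socket.gethostbyaddr):
    """Names a client may put in the service principal: the name as typed,
    plus whatever forward-then-reverse DNS canonicalization yields."""
    names = {host.lower()}  # assumption: host parts are lowercased by convention
    try:
        addrs = {info[4][0] for info in forward(host, None)}
    except OSError:          # gaierror: the name does not resolve
        return names
    for addr in addrs:
        try:
            names.add(reverse(addr)[0].lower())
        except OSError:      # herror: no reverse record for this address
            pass
    return names

def missing_principals(aliases, realm, keytab, service="HTTP", **resolvers):
    """Principals some client could request that the keytab has no key for."""
    needed = {f"{service}/{name}@{realm}"
              for alias in aliases
              for name in client_names(alias, **resolvers)}
    return sorted(needed - set(keytab))

if __name__ == "__main__":
    # Constructed keytab listing, e.g. as copied from `klist -k` output.
    keytab = ["HTTP/web1.example.org@EXAMPLE.ORG"]
    print(missing_principals(["www.example.org"], "EXAMPLE.ORG", keytab,
                             forward=fake_forward, reverse=fake_reverse))
```

Without the `forward` and `reverse` arguments the functions use the system resolver, so the result then reflects whatever DNS returns on the machine where the check is run.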


