libapache2-mod-auth-kerb and multi-homed hosts

Jaap Winius jwinius at umrk.nl
Tue Aug 12 10:20:08 EDT 2014


Hi folks,

My site has a number of multi-homed Apache web servers for which I can't 
get Kerberos authentication to work properly.

Until recently, using ssh with Kerberos authentication to connect to 
these same hosts was also a problem, until I set GSSAPIStrictAcceptorCheck 
to 'off' in sshd_config and added lots of host keys to the system keytab 
to match the reverse lookup names of the machine's various interfaces.

Can the same thing somehow be achieved with libapache2-mod-auth-kerb 
v5.4-2 (for Debian wheezy), or should I submit a feature-request?

Right now my configuration looks like:

  AuthType Kerberos
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName Any
  Krb5Keytab /etc/apache2/krb5-apache.keytab
  KrbLocalUserMapping On
  AuthName "Example login"

Like with the ssh solution, I've added http keys to this keytab to match 
all of the machine's interfaces, but in this case the result is still 
negative.

Any ideas?

Thanks,

Jaap
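
An added example, not part of the original post: one way to verify the keytab coverage described above, by parsing plain `klist -k` output and listing which interface names still lack a key. The sample output, the hostnames and the `HTTP/<fqdn>@REALM` principal form are assumptions constructed for illustration.

```python
import re

# Constructed sample of plain `klist -k` output; hostnames and KVNOs are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/apache2/krb5-apache.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web1.example.com@EXAMPLE.COM
   3 HTTP/web1.example.com@EXAMPLE.COM
   2 HTTP/web1-mgmt.example.com@EXAMPLE.COM
   5 host/web1.example.com@EXAMPLE.COM
"""

# One keytab entry line: "<kvno> <name>@<realm>" (no -t/-e columns).
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s*$")


def keytab_principals(klist_output):
    """Return {principal: set of KVNOs} parsed from `klist -k` text."""
    found = {}
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, name, realm = m.groups()
            found.setdefault(f"{name}@{realm}", set()).add(int(kvno))
    return found


def missing_http_principals(klist_output, interface_names, realm, service="HTTP"):
    """List the service principals that have no entry in the keytab.

    interface_names: the reverse-lookup name of each interface.
    Principal names are case-sensitive, so the comparison is exact after
    lower-casing the hostname and dropping a trailing DNS root dot.
    """
    have = keytab_principals(klist_output)
    wanted = [f"{service}/{h.lower().rstrip('.')}@{realm}" for h in interface_names]
    return [p for p in wanted if p not in have]


if __name__ == "__main__":
    names = ["web1.example.com", "web1-mgmt.example.com", "web1-dmz.example.com."]
    for principal in missing_http_principals(SAMPLE_KLIST, names, "EXAMPLE.COM"):
        print("no key for", principal)
```

On a real host, feed it the output of `klist -k /etc/apache2/krb5-apache.keytab` and the names returned by reverse lookups of each interface address.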


