libapache2-mod-auth-kerb and multi-homed hosts

Russ Allbery eagle at eyrie.org
Tue Aug 12 11:56:03 EDT 2014


Jaap Winius <jwinius at umrk.nl> writes:

> Until recently, using ssh with Kerberos authentication to connect to 
> these same hosts was also a problem, until I set GSSAPIStrictAcceptorCheck 
> to 'off' in sshd_config and added lots of host keys to the system keytab 
> to match the reverse lookup names of the machine's various interfaces.

> Can the same thing somehow be achieved with libapache2-mod-auth-kerb 
> v5.4-2 (for Debian wheezy),

Yes, but I'm confused because you're already doing what you should do in
order to support this.

> Right now my configuration looks like:

>   AuthType Kerberos
>   KrbAuthRealms EXAMPLE.COM
>   KrbServiceName Any
>   Krb5Keytab /etc/apache2/krb5-apache.keytab
>   KrbLocalUserMapping On
>   AuthName "Example login"

KrbServiceName Any is the key setting.  This works for us.

> Like with the ssh solution, I've added http keys to this keytab to match
> all of the machine's interfaces, but in this case the result is still
> negative.

Make sure that you added HTTP keys (all caps), not lowercase http.  The
case matters.

Also, different browsers want different things here.  Some browsers want
keys that match the hostname in the URL that the user typed.  Other
browsers want keys that match the hostname resulting from forward and
reverse DNS resolution of that hostname.  So you need to add both.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
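
An added example, not part of the original message: a shell function that audits `klist -k` output for the HTTP/ principals discussed above, reporting names that are missing and names present only with a lowercase service. The host names and the sample keytab listing are constructed for illustration; the realm and keytab path are the ones quoted in the thread.

```shell
#!/bin/sh
# Constructed sample in the format printed by MIT `klist -k <keytab>`.
SAMPLE_KLIST='Keytab name: FILE:/etc/apache2/krb5-apache.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/www.example.com@EXAMPLE.COM
   3 http/web1-eth1.example.com@EXAMPLE.COM
   3 host/web1.example.com@EXAMPLE.COM'

# audit_http_keys REALM KLIST_TEXT HOST...
# Prints one line per problem and returns non-zero if any were found.
audit_http_keys() {
    realm=$1; klist_text=$2; shift 2
    # Principal names are the second column of the rows below the dashed rule.
    principals=$(printf '%s\n' "$klist_text" |
        awk 'seen { print $2 } /^----/ { seen = 1 }')
    status=0
    for host in "$@"; do
        want="HTTP/$host@$realm"
        if printf '%s\n' "$principals" | grep -qxF -- "$want"; then
            continue
        fi
        status=1
        # Case matters: a lowercase http/ entry does not stand in for HTTP/.
        if printf '%s\n' "$principals" | grep -qxF -- "http/$host@$realm"; then
            echo "WRONG-CASE http/$host@$realm (need $want)"
        else
            echo "MISSING $want"
        fi
    done
    return $status
}

# Check both kinds of name: the hostname typed in the URL and the names
# that forward and reverse DNS resolution produce (all constructed here).
audit_http_keys EXAMPLE.COM "$SAMPLE_KLIST" \
    www.example.com web1.example.com web1-eth1.example.com || true
```

Against a real keytab, pass `"$(klist -k /etc/apache2/krb5-apache.keytab)"` as the second argument in place of the sample text.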


