[28394] in Kerberos
Re: Kerberos and IP aliases
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Sep 10 23:12:12 2007
From: Russ Allbery <rra@stanford.edu>
To: Mark Davies <mark@mcs.vuw.ac.nz>
In-Reply-To: <200709111502.38167.mark@mcs.vuw.ac.nz> (Mark Davies's message of
"Tue, 11 Sep 2007 15:02:38 +1200")
Date: Mon, 10 Sep 2007 20:11:42 -0700
Message-ID: <87d4wpew0h.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Mark Davies <mark@mcs.vuw.ac.nz> writes:
> Russ Allbery wrote:
>> In some cases the client will just use whatever hostname is given on
>> the command line, but in many cases it will do a forward and reverse
>> DNS lookup to canonicalize the hostname (although this is less secure
>> if you can't trust DNS, and most people can't). So in practice the
>> server needs to have a key for all identities that might result from
>> either of those approaches.
> Is there a way to have modauthkerb able to accept multiple identities
> for a single web site? I couldn't see an obvious way to configure it.
I patched mod_auth_kerb a long time back to do this and thought that patch
was incorporated into the upstream source, but apparently it wasn't. You
have to patch it to not explicitly import credentials and instead let the
GSS-API library figure out what server credentials to use.
> This worked fine for firefox on windows, mac and unix
> konqueror on unix and IE on windows but Safari on mac would try
> HTTP/www.mcs.vuw.ac.nz and so fail.
Yup, Safari uses a different algorithm than the other browsers.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos