[36358] in Kerberos
Re: libapache2-mod-auth-kerb and multi-homed hosts
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Aug 12 11:59:33 2014
From: Russ Allbery <eagle@eyrie.org>
To: Jaap Winius <jwinius@umrk.nl>
In-Reply-To: <lsd7qo$tnt$1@ger.gmane.org> (Jaap Winius's message of "Tue, 12
Aug 2014 14:20:08 +0000 (UTC)")
Date: Tue, 12 Aug 2014 08:56:03 -0700
Message-ID: <877g2dln1o.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu

Jaap Winius <jwinius@umrk.nl> writes:

> Until recently, using ssh with Kerberos authentication to connect to
> these same hosts was also a problem, until I set GSSAPIStrictAcceptorCheck
> to 'off' in sshd_config and added lots of host keys to the system keytab
> to match the reverse lookup names of the machine's various interfaces.
> Can the same thing somehow be achieved with libapache2-mod-auth-kerb
> v5.4-2 (for Debian wheezy),

Yes, but I'm confused because you're already doing what you should do in
order to support this.

> Right now my configuration looks like:

> AuthType Kerberos
> KrbAuthRealms EXAMPLE.COM
> KrbServiceName Any
> Krb5Keytab /etc/apache2/krb5-apache.keytab
> KrbLocalUserMapping On
> AuthName "Example login"

KrbServiceName Any is the key setting. This works for us.

> Like with the ssh solution, I've added http keys to this keytab to match
> all of the machine's interfaces, but in this case the result is still
> negative.

Make sure that you added HTTP keys (all caps), not lowercase http. The
case matters.

Also, different browsers want different things here. Some browsers want
keys that match the hostname in the URL that the user typed. Other
browsers want keys that match the hostname resulting from forward and
reverse DNS resolution of that hostname. So you need to add both.

--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
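
Added example, not part of the original message or of mod_auth_kerb: a Python check of `klist -k` output against the two naming rules in the reply above (an uppercase HTTP/ key for the hostname in the URL and another for its forward-and-reverse DNS name). The sample keytab listing, the hostnames and the stand-in DNS table are constructed; the function names are hypothetical.

```python
import re
import socket

# Constructed sample of `klist -k /etc/apache2/krb5-apache.keytab` output (MIT format).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/apache2/krb5-apache.keytab
KVNO Principal
---- ----------------------------------------------------
   2 HTTP/www.example.com@EXAMPLE.COM
   2 http/web1.example.com@EXAMPLE.COM
   2 HTTP/web2.example.com@EXAMPLE.COM
"""

def keytab_principals(klist_output):
    """Return the set of principal names listed by `klist -k`."""
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)  # "<kvno> <principal>"
        if m:
            found.add(m.group(1))
    return found

def dns_canonical(host):
    """Forward then reverse DNS lookup of host; needs working DNS."""
    addr = socket.getaddrinfo(host, None)[0][4][0]
    return socket.gethostbyaddr(addr)[0]

def check_keytab(klist_output, url_hosts, realm, canonical=dns_canonical):
    """Return (missing HTTP/ principals, entries with a wrong-case http/ prefix)."""
    have = keytab_principals(klist_output)
    wanted = set()
    for host in url_hosts:
        # Browsers may request the typed name or the DNS-canonical name.
        for name in (host, canonical(host)):
            wanted.add("HTTP/%s@%s" % (name.lower(), realm))
    missing = sorted(wanted - have)
    wrong_case = sorted(p for p in have
                        if p.lower().startswith("http/") and not p.startswith("HTTP/"))
    return missing, wrong_case

if __name__ == "__main__":
    # Constructed forward/reverse results standing in for real DNS.
    fake_dns = {"www.example.com": "web1.example.com",
                "intranet.example.com": "web2.example.com"}
    missing, wrong_case = check_keytab(SAMPLE_KLIST, fake_dns, "EXAMPLE.COM",
                                       canonical=fake_dns.__getitem__)
    print("missing:", missing)
    print("wrong case:", wrong_case)
```

With the default `canonical` argument the script performs real DNS lookups, so run it on the web server itself to see the names that host's resolver returns.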