Authenticating to Kerberos


David

Hi,

I've had a quick look but cannot find a module that will let me authenticate
against Kerberos. There appears to be a krb5 module that hasn't been
updated for a long time and I can't find much on it except the pages at
starship.python.net.

I don't need to do anything except authenticate and gain the correct
credentials.

Are there any modules that I could use to authenticate against Kerberos
(perhaps there is another module that will do just the auth, e.g. for LDAP?).

Cheers.

Martin v. Löwis

David said:
I don't need to do anything except authenticate and gain the correct
credentials.

I normally run kinit(1) to determine whether a password is correct.

Regards,
Martin

Michael Ströder

David said:
Are there any modules that I could use to authenticate against Kerberos
(perhaps there is another module that will do just the auth, e.g. for LDAP?).

If you already have a TGT (after kinit) you can use python-ldap (built
with OpenLDAP, cyrus-sasl and heimdal or MIT libs) to authenticate
against an LDAP server with SASL bind and SASL mech GSSAPI. But that's
probably not what you're after.

If you provide more information about your KDC and infrastructure there
might be a solution:
With some tightly integrated configurations an LDAP simple bind against
an LDAP server checks the same "password" as the Kerberos Domain
Controller (e.g. MS AD or heimdal KDC with OpenLDAP backend).

Ciao, Michael.

Donn Cave

Martin v. Löwis said:
I normally run kinit(1) to determine whether a password is correct.

There's a weakness to that, though. If you're authenticating
a secure service on the Internet, you should do something to
verify that the resulting credentials are in fact valid - that
they can be used in Kerberos authentication. Normally, this
is done with krb5_verify_init_creds(), where the caller uses
the TGT to get a host service ticket, but I guess you could
use GSS ftp or something, anything that uses the TGT.

Otherwise, an attacker can pose as the KDC while logging in,
and give you a TGT regardless of what password was typed in.
Of course such a TGT won't work.

Donn Cave, (e-mail address removed)
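The two-step check Donn describes, written out as an added Python example for this thread (it is not code from any of the posters). It assumes the MIT Kerberos command-line tools (kinit, kvno, kdestroy) are on the PATH and that the machine has a host keytab at /etc/krb5.keytab; the principal, service and password values below are constructed placeholders. Step 1 is the "just run kinit" check; step 2 is the equivalent of krb5_verify_init_creds(): obtain a ticket for the local host service and decrypt it with the keytab, which a rogue KDC that does not hold the host key cannot satisfy. The command runner is injectable so the decision logic can be exercised without a KDC.

```python
"""Check a Kerberos password by obtaining a TGT and then proving it with a
host service ticket decrypted against the local keytab.

Added example for this thread, not code from any poster.  Assumes MIT
Kerberos tools (kinit, kvno, kdestroy) and a host keytab at
/etc/krb5.keytab; MIT kinit reads the password from stdin when stdin is
not a terminal.
"""
import os
import shutil
import subprocess
import tempfile


def run_subprocess(argv, stdin_text, env):
    """Real runner: execute argv, feed stdin_text, return (rc, output)."""
    proc = subprocess.run(argv, input=stdin_text, env=env, text=True,
                          capture_output=True)
    return proc.returncode, proc.stdout + proc.stderr


def kerberos_authenticate(principal, password, host_service,
                          keytab="/etc/krb5.keytab", runner=run_subprocess):
    """Return (ok, reason).  ok is True only if BOTH steps succeed.

    1. kinit obtains a TGT for principal with the given password, into a
       private credential cache so the caller's own cache is untouched.
    2. kvno -k keytab fetches a ticket for host_service and decrypts it
       with the local keytab.  A spoofed KDC can hand out a TGT for any
       password, but it cannot produce a service ticket that decrypts
       under the real host key, so this is the step that makes the
       result trustworthy.
    """
    tmpdir = tempfile.mkdtemp(prefix="krb5auth-")
    ccache = "FILE:" + os.path.join(tmpdir, "ccache")
    env = dict(os.environ, KRB5CCNAME=ccache)
    try:
        rc, out = runner(["kinit", principal], password + "\n", env)
        if rc != 0:
            return False, "kinit failed: " + out.strip()
        rc, out = runner(["kvno", "-k", keytab, host_service], "", env)
        if rc != 0:
            return False, "TGT not verifiable against keytab: " + out.strip()
        return True, "TGT obtained and verified with " + host_service
    finally:
        runner(["kdestroy", "-c", ccache], "", env)  # best effort cleanup
        shutil.rmtree(tmpdir, ignore_errors=True)


def make_fake_runner(kinit_ok, kvno_ok):
    """Constructed simulator of the two tools, used to show the decision
    logic offline.  kinit_ok=True with kvno_ok=False models a rogue KDC
    that issues a TGT for any password but holds no host key."""
    def fake(argv, stdin_text, env):
        tool = argv[0]
        if tool == "kinit":
            return (0, "") if kinit_ok else (1, "Password incorrect")
        if tool == "kvno":
            return (0, "") if kvno_ok else (1, "Decrypt integrity check failed")
        return 0, ""  # kdestroy
    return fake


if __name__ == "__main__":
    # Constructed values; a real deployment would use the caller's principal
    # and the host service principal of the machine running this code.
    for label, runner in [("genuine KDC", make_fake_runner(True, True)),
                          ("rogue KDC", make_fake_runner(True, False)),
                          ("wrong password", make_fake_runner(False, True))]:
        ok, why = kerberos_authenticate("david@EXAMPLE.COM", "s3cret",
                                        "host/box.example.com", runner=runner)
        print(f"{label:15s} ok={ok} ({why})")
```

With the real runner, a wrong password fails at step 1 and a forged TGT fails at step 2; only a TGT that yields a keytab-verifiable host ticket is reported as authenticated.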