Authenticating to Kerberos

Donn Cave donn at u.washington.edu
Mon Jan 30 14:17:47 EST 2006


In article <43dda23f$0$30398$9b622d9e at news.freenet.de>,
 "Martin v. Löwis" <martin at v.loewis.de> wrote:
> David wrote:
> > I don't need to do anything except authenticate and gain the correct
> > credentials.
> 
> I normally run kinit(1) to determine whether a password is correct.

There's a weakness to that, though.  If you're authenticating
a secure service on the Internet, you should do something to
verify that the resulting credentials are in fact valid - that
they can be used in Kerberos authentication.  Normally, this
is done with krb5_verify_init_creds(), where the caller uses
the TGT to get a host service ticket, but I guess you could
use GSS ftp or something, anything that uses the TGT.

Otherwise, an attacker can pose as the KDC while logging in,
and give you a TGT regardless of what password was typed in.
Of course such a TGT won't work.

   Donn Cave, donn at u.washington.edu
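The check described above, as an added illustration that is not part of the original post and not the MIT Kerberos API: a small model in which a kinit-style password check accepts a reply from a spoofed KDC, while a verify_init_creds-style step (use the TGT to fetch a ticket for the host's own service principal and decrypt it with the keytab key) rejects it. Real Kerberos uses AES, timestamps and ASN.1; here tickets are dicts bound to a key with an HMAC tag, which is enough to show who can forge what. All principal names, passwords and keys are constructed for the example.

```python
import hashlib
import hmac
import json
import os


def string_to_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key: derive a key from a password."""
    return hashlib.sha256(password.encode()).digest()


def seal(key: bytes, payload: dict) -> dict:
    """Stand-in for encryption: bind a serialized payload to a key with an HMAC tag."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(key: bytes, blob: dict) -> dict:
    """Reverse of seal; raises ValueError if the blob was not sealed under this key."""
    expected = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("not sealed under this key")
    return json.loads(blob["body"])


class RealKDC:
    """Genuine KDC: holds the user keys, the krbtgt key and the host keys."""

    def __init__(self, user_keys: dict, host_keys: dict):
        self.user_keys = user_keys
        self.host_keys = host_keys
        self.tgt_key = os.urandom(32)  # krbtgt key, never leaves the KDC

    def as_exchange(self, principal: str) -> dict:
        """AS-REP: sealed under the user's key, carrying a TGT sealed under the krbtgt key."""
        session = os.urandom(16).hex()
        tgt = seal(self.tgt_key, {"client": principal, "session": session})
        return seal(self.user_keys[principal], {"session": session, "tgt": tgt})

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        """TGS-REP: validate the TGT, then issue a service ticket sealed under the host's key."""
        client = unseal(self.tgt_key, tgt)["client"]
        return seal(self.host_keys[service], {"client": client, "service": service})


class SpoofKDC:
    """Attacker posing as the KDC: knows no real key, only the password it will type."""

    def __init__(self, attacker_password: str):
        self.attacker_key = string_to_key(attacker_password)
        self.fake_tgt_key = os.urandom(32)
        self.fake_host_key = os.urandom(32)

    def as_exchange(self, principal: str) -> dict:
        # Sealed under the attacker's own password, so a login program that only
        # checks "did the reply decrypt?" accepts it when that password is typed.
        tgt = seal(self.fake_tgt_key, {"client": principal, "session": "spoofed"})
        return seal(self.attacker_key, {"session": "spoofed", "tgt": tgt})

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        client = unseal(self.fake_tgt_key, tgt)["client"]
        # Without the real host key the service ticket cannot be sealed correctly.
        return seal(self.fake_host_key, {"client": client, "service": service})


def kinit(kdc, principal: str, password: str):
    """kinit-style check: password is 'correct' if the AS-REP decrypts under it. Returns the TGT or None."""
    try:
        return unseal(string_to_key(password), kdc.as_exchange(principal))["tgt"]
    except ValueError:
        return None


def verify_init_creds(kdc, tgt: dict, host_service: str, keytab_key: bytes) -> bool:
    """The krb5_verify_init_creds idea: get a ticket for this host's own service principal
    with the TGT and check that it decrypts under the key in the local keytab."""
    try:
        ticket = unseal(keytab_key, kdc.tgs_exchange(tgt, host_service))
    except (ValueError, KeyError):
        return False
    return ticket["service"] == host_service


def authenticate(kdc, principal, password, host_service, keytab_key):
    """Full login: password check, then credential verification. Returns (password_accepted, creds_verified)."""
    tgt = kinit(kdc, principal, password)
    if tgt is None:
        return (False, False)
    return (True, verify_init_creds(kdc, tgt, host_service, keytab_key))


def demo():
    """Constructed scenario: one real KDC, one spoofed KDC, one host keytab."""
    host_service = "host/login.example.org"
    keytab_key = string_to_key("constructed-host-keytab-secret")
    real = RealKDC({"alice@EXAMPLE.ORG": string_to_key("correct horse")}, {host_service: keytab_key})
    spoof = SpoofKDC("attacker-chosen")
    return {
        "real_good": authenticate(real, "alice@EXAMPLE.ORG", "correct horse", host_service, keytab_key),
        "real_bad": authenticate(real, "alice@EXAMPLE.ORG", "wrong", host_service, keytab_key),
        "spoofed": authenticate(spoof, "alice@EXAMPLE.ORG", "attacker-chosen", host_service, keytab_key),
    }


if __name__ == "__main__":
    print(demo())
```

The `spoofed` case is the one the post warns about: the password check alone reports success, and only the host-service-ticket step exposes the fake KDC, because the attacker cannot produce a ticket that decrypts under the host key sitting in the keytab.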


