<br><font size=2><tt>eichin@metacarta.com wrote on 08/15/2005 12:48:56
PM:<br>
<br>
> <br>
> > I thought one of the key concepts of Kerberos was that the password<br>
> > is only ever sent to the authentication server by a client, and
that<br>
> <br>
> Horrors no. This is one of the common misconceptions about Kerberos.<br>
> The password is *never sent anywhere*. Not to application servers,<br>
> and not to the authentication server either.<br>
> <br>
> Instead, the login client (kinit, or loginwindow or whatever) requests<br>
> an "initial ticket" - and then takes your password, turns
it into a<br>
> key, and uses that key to decrypt the ticket. (There are some
good<br>
> articles on this, I don't want to duplicate them here, and I'm fudging<br>
> around preauth as well.)<br>
> <br>
> An application that uses Kerberos uses that initial ticket to get<br>
> other tickets, and present those to the service - so a client<br>
> *application* that uses kerberos doesn't even ever see the user's<br>
> password.<br>
</tt></font>
<br><font size=2><tt>Thanks for setting me straight. So, I'm unclear on
whether LDAP</tt></font>
<br><font size=2><tt>authentication actually uses Kerberos in some underlying
way</tt></font>
<br><font size=2><tt>(via SASL), or whether it actually sends the password
across the </tt></font>
<br><font size=2><tt>network. Maybe I'm barking up the wrong tree by trying
to use LDAP.</tt></font>
<br>
<br><font size=2 face="sans-serif">A search at developer.apple.com on "Kerberos"
shows many, many articles,</font>
<br><font size=2 face="sans-serif">but I'm unclear where to start. I tried
a Google search on "Python Kerberos",</font>
<br><font size=2 face="sans-serif">and came up with a module called pykpass.
Maybe that will be the next place</font>
<br><font size=2 face="sans-serif">for me to try out...</font>
<br>
<br><font size=2 face="sans-serif">http://www.huque.com/python/pykpass/</font>
<br><font size=2 face="sans-serif"><br>
<b><br>
Brad Allen</b><br>
IT Desktop Support<br>
</font><font size=2 color=blue face="sans-serif"><u><br>
</u></font><a href=mailto:brad.allen@omsdal.com><font size=2 color=blue face="sans-serif"><u>brad.allen@omsdal.com</u></font></a>
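<br><br>
The initial-ticket exchange described in the quoted reply, as an added Python example that is not part of the original thread: the request carries only the principal name, and the typed password is turned into a key locally to open the reply. ToyKDC, the principal, the realm and the passwords are constructed for illustration; the HMAC-based seal/unseal is a stand-in for the real Kerberos encryption types, and preauth is left out.

```python
import hashlib, hmac, os

def string_to_key(password, realm, principal):
    # Password -> long-term key, salted with realm + principal (simplified;
    # real Kerberos string-to-key functions are defined per encryption type).
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher: XOR with an HMAC-derived keystream (NOT a Kerberos enctype).
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(_mac(key, b"enc", nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _mac(key, b"mac", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"mac", nonce + ct)):
        raise ValueError("integrity check failed: wrong key")
    return _xor_stream(key, nonce, ct)

class ToyKDC:
    """Hypothetical authentication server: stores keys, never sees a login password."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}

    def add_principal(self, principal, password):  # done once, at enrolment
        self.keys[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, principal):
        # Input is only the name; output is a fresh session key sealed under
        # the user's long-term key. The plain session key is returned as the
        # second value only so the demo can compare it.
        session_key = os.urandom(32)
        return seal(self.keys[principal], session_key), session_key

def client_login(kdc, principal, typed_password):
    reply, _ = kdc.as_exchange(principal)  # name out, sealed blob back
    user_key = string_to_key(typed_password, kdc.realm, principal)  # stays local
    return unseal(user_key, reply)         # raises ValueError on a wrong password

if __name__ == "__main__":
    kdc = ToyKDC("EXAMPLE.ORG")                      # constructed realm
    kdc.add_principal("alice", "correct horse")      # constructed credentials
    print("session key:", client_login(kdc, "alice", "correct horse").hex())
```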