Getting a kerberos ticket

Donn Cave donn at u.washington.edu
Wed Jan 29 02:03:06 CET 2003


Quoth Mike McGavin <jester at NOSPAM.mcsnospam.vuw.netNOSPAM.nz>:
| Is anyone able to direct me to a python module for interacting with 
| kerberos 5? I have a situation where I need to connect to a postgresql 
| database using kerberos authentication from a python CGI script.
|
| When connecting locally and interactively I can run kinit beforehand to 
| authenticate and get the ticket and so on, so there haven't been any 
| problems. (I've been using PyGreSQL to connect to postgres.) It's more 
| awkward with a CGI script, though, because it's running in an 
| independent environment on a web server that I don't have much access to 
| besides running CGI scripts. There's no way that I can run kinit without 
| an ugly and inefficient hack that I'd prefer to avoid.
|
| I think what I need to do is get a ticket issued whenever one is 
| needed... preferably not every time the script loads, although that 
| would be a hack I could live with for now.
|
| Does anyone have any experience with this, and possibly some sample code?

I gather that the ID (principal) is always the same here, you're not
getting it from the web form.

It's too bad you don't have full support on the httpd host.  The
problem that I'm seeing with any approach that would do this
authentication straight from the CGI program, is that this will
tend to authenticate the user ID the program runs under, not just
the CGI process.  You'll acquire some credentials, in a file, and
that file and those credentials will be available to any CGI process
on the host, assuming they all run as "nobody".

So you need your own ID, that you can entrust with these credentials
because you know it isn't working for anyone else, and a setuid program
that gets the credentials and connects to the database.  The setuid
program will have to be written in C, though it can invoke a Python
program if it's careful.

Then you need a keytab file with the principal's password, with access
restricted to your application ID (and root of course - there's no way
you can do this without giving the web host's admins access to your
database.)  That can be used periodically to update credentials, via
kinit in a cron job, or every time the request runs.

A Python module for Kerberos5 is feasible, but seems like it might be
the least of your worries (maybe not even worth the installation and
maintenance of this C module.)

	Donn Cave, donn at u.washington.edu




More information about the Python-list mailing list