Authenticating to Kerberos

Donn Cave donn at
Mon Jan 30 14:17:47 EST 2006

In article <43dda23f$0$30398$9b622d9e at>,
 "Martin v. Löwis" <martin at> wrote:
> David wrote:
> > I don't need to do anything except authenticate and gain the correct
> > credentials.
> I normally run kinit(1) to determine whether a password is correct.

There's a weakness to that, though.  If you're authenticating
a secure service on the Internet, you should do something to
verify that the resulting credentials are in fact valid - that
they can be used in Kerberos authentication.  Normally, this
is done with krb5_verify_init_creds(), where the caller uses
the TGT to get a host service ticket, but I guess you could
use GSS ftp or something, anything that uses the TGT.

Otherwise, an attacker can pose as the KDC while logging in,
and give you a TGT regardless of what password was typed in.
Of course such a TGT won't work.

   Donn Cave, donn at

More information about the Python-list mailing list