[Pythonmac-SIG] Active Directory authentication on Mac using Python

eichin@metacarta.com eichin at metacarta.com
Mon Aug 15 19:48:56 CEST 2005


> I thought one of the key concepts of Kerberos was that the password
> is only ever sent to the authentication server by a client, and that

Horrors no.  This is one of the common misconceptions about Kerberos.
The password is *never sent anywhere*.   Not to application servers,
and not to the authentication server either.

Instead, the login client (kinit, or loginwindow or whatever) requests
an "initial ticket" - and then takes your password, turns it into a
key, and uses that key to decrypt the ticket.  (There are some good
articles on this, I don't want to duplicate them here, and I'm fudging
around preauth as well.)

An application that uses Kerberos uses that initial ticket to get
other tickets, and present those to the service - so a client
*application* that uses kerberos doesn't even ever see the user's
password.
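The flow the post describes (the client asks for an initial ticket, turns the password into a key locally, and uses that key to decrypt what the authentication server sent back) can be sketched in a few dozen lines. The following is an added illustration, not code from the post, from Kerberos, or from any Mac login component. It is a toy model: the string-to-key step uses PBKDF2 with the realm-plus-principal salt and 4096-iteration default of RFC 3962, but the "encryption" is an HMAC-SHA256 keystream with an HMAC tag standing in for the real AES-CTS enctype, the TGT itself is omitted, and there is no preauth. The KDC class, the principal names and the password are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Toy model of the Kerberos AS exchange (AS-REQ / AS-REP). NOT the real wire
# format or cipher: real Kerberos runs the PBKDF2 output through a further
# key-derivation step and uses AES-CTS with an HMAC. The point shown here is
# purely structural: the password is used on the client only, and the KDC
# never receives it.

ITERATIONS = 4096  # RFC 3962 default PBKDF2 iteration count


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Derive the user's long-term key from the password.

    Salt is realm + principal, as in RFC 3962. This runs on the client at
    login time and on the KDC only when the password is set or changed.
    """
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (toy only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag covering nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Hypothetical authentication server. It stores keys, never passwords."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}    # principal -> long-term key
        self.issued = {}  # principal -> session key handed out (stand-in for the TGT)

    def enroll(self, principal: str, password: str) -> None:
        # The password is converted to a key once, at enrollment; only the key is kept.
        self.keys[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, principal: str) -> bytes:
        """AS-REQ carries only the principal name; AS-REP is the session key
        encrypted under that principal's long-term key. No password involved."""
        session_key = secrets.token_bytes(32)
        self.issued[principal] = session_key
        return encrypt(self.keys[principal], session_key)


def kinit(kdc: KDC, principal: str, password: str) -> bytes:
    """Client side of login (what kinit or loginwindow does in the post's
    description): request the initial ticket, derive the key locally from
    the password, decrypt the reply. The password never leaves this function."""
    enc_part = kdc.as_exchange(principal)
    key = string_to_key(password, kdc.realm, principal)
    return decrypt(key, enc_part)  # session key the client will use for TGS requests


def try_kinit(kdc: KDC, principal: str, password: str):
    """Return the session key on success, None if the password was wrong."""
    try:
        return kinit(kdc, principal, password)
    except ValueError:
        return None


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")           # constructed realm
    kdc.enroll("alice", "correct horse")  # constructed principal and password
    print("login ok:", try_kinit(kdc, "alice", "correct horse") is not None)
    print("wrong password ok:", try_kinit(kdc, "alice", "wrong") is not None)
```

What this makes visible is the second half of the post: `as_exchange` is given nothing but a principal name, so a packet capture of the exchange would show no password, and a wrong password does not produce a rejection message from the server but a local decryption failure on the client. It also shows why the KDC's stored keys are worth protecting at least as carefully as a password database would be.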
