Authenticating to Kerberos

David wrote:

I don't need to do anything except authenticate and gain the correct
credentials.

I normally run kinit(1) to determine whether a password is correct.

Regards,
Martin

David wrote:

Are there any modules that I could use to authenticate against Kerberos
(perhaps there is another module will do just the auth, e.g. for LDAP?).

If you already have a TGT (after kinit) you can use python-ldap (built
with OpenLDAP, cyrus-sasl and heimdal or MIT libs) to authenticate
against an LDAP server with SASL bind and SASL mech GSSAPI. But that's
probably not what you're after.

If you provide more information about your KDC and infrastructure there
might be a solution:
With some tightly integrated configurations a LDAP simple bind against
an LDAP server checks the same "password" as the Kerberos Domain
Controller (e.g. MS AD or heimdal KDC with OpenLDAP backend).

Ciao, Michael.

--
Michael Ströder
E-Mail: mi*****@stroeder.com
http://www.stroeder.com

In article <43***********************@news.freenet.de>,
"Martin v. Löwis" <ma****@v.loewis.de> wrote:

David wrote:

I don't need to do anything except authenticate and gain the correct
credentials.

I normally run kinit(1) to determine whether a password is correct.

There's a weakness to that, though. If you're authenticating
a secure service on the Internet, you should do something to
verify that the resulting credentials are in fact valid - that
they can be used in Kerberos authentication. Normally, this
is done with krb5_verify_init_creds(), where the caller uses
the TGT to get a host service ticket, but I guess you could
use GSS ftp or something, anything that uses the TGT.

Otherwise, an attacker can pose as the KDC while logging in,
and give you a TGT regardless of what password was typed in.
Of course such a TGT won't work.

Donn Cave, do**@u.washington.edu