[EMAIL PROTECTED] wrote on 08/15/2005 12:48:56 PM:
>
> > I thought one of the key concepts of Kerberos was that the password
> > is only ever sent to the authentication server by a client, and that
>
> Horrors no. This is one of the common misconceptions about Kerberos.
> The password is *never sent anywhere*. Not to application servers,
> and not to the authentication server either.
>
> Instead, the login client (kinit, or loginwindow or whatever) requests
> an "initial ticket" - and then takes your password, turns it into a
> key, and uses that key to decrypt the ticket. (There are some good
> articles on this, I don't want to duplicate them here, and I'm fudging
> around preauth as well.)
>
> An application that uses Kerberos uses that initial ticket to get
> other tickets, and present those to the service - so a client
> *application* that uses Kerberos doesn't even ever see the user's
> password.

Thanks for setting me straight. So, I'm unclear on whether LDAP
authentication actually uses Kerberos in some underlying way
(via SASL), or whether it actually sends the password across the
network. Maybe I'm barking up the wrong tree by trying to use LDAP.

A search at developer.apple.com on "Kerberos" shows many, many articles,
but I'm unclear where to start. I tried a Google search on "Python Kerberos",
and came up with a module called pykpass. Maybe that will be the next place
for me to try out...

http://www.huque.com/python/pykpass/

Brad Allen
IT Desktop Support

[EMAIL PROTECTED]
_______________________________________________
Pythonmac-SIG maillist - Pythonmac-SIG@python.org
http://mail.python.org/mailman/listinfo/pythonmac-sig
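
The initial-ticket exchange described in the quoted reply above, as an added example that is not part of the original thread: a toy KDC and `kinit` that record every message crossing the "network", so you can check that neither the password nor the key derived from it is ever transmitted. Assumptions: `ToyKDC`, `kinit`, `seal`/`unseal`, the realm and the principal are hypothetical names; the cipher is an HMAC-based stand-in rather than a real Kerberos encryption type, the string-to-key step is simplified to plain PBKDF2, and preauthentication is left out, as in the post.

```python
import hashlib, hmac, os

REALM = "EXAMPLE.COM"  # constructed realm, used only as salt

def string_to_key(password, principal):
    # Simplified stand-in for Kerberos string-to-key: PBKDF2 salted with realm + principal.
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, b"ks" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Toy encrypt-then-MAC built from HMAC-SHA256; a stand-in, not a real Kerberos enctype.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (wrong password or altered reply)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ToyKDC:
    def __init__(self):
        self.user_keys = {}            # principal -> long-term key derived from the password
        self.tgs_key = os.urandom(32)  # known only to the KDC
        self.issued = {}               # principal -> last session key (kept for the demo)

    def add_user(self, principal, password):
        self.user_keys[principal] = string_to_key(password, principal)

    def as_exchange(self, as_req):
        principal = as_req.decode()
        session_key = self.issued[principal] = os.urandom(32)
        tgt = seal(self.tgs_key, principal.encode() + session_key)  # opaque to the client
        return tgt, seal(self.user_keys[principal], session_key)

def kinit(kdc, principal, password, wire):
    as_req = principal.encode()              # the request names the user; no password in it
    tgt, enc_part = kdc.as_exchange(as_req)
    wire.extend([as_req, tgt, enc_part])     # everything that crossed the network
    session_key = unseal(string_to_key(password, principal), enc_part)  # password used locally
    return tgt, session_key
```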