In article <[EMAIL PROTECTED]>, "Martin v. Löwis" <[EMAIL PROTECTED]> wrote:
> David wrote:
> > I don't need to do anything except authenticate and gain the correct
> > credentials.
>
> I normally run kinit(1) to determine whether a password is correct.
There's a weakness to that, though. If you're authenticating a secure service on the Internet, you should do something to verify that the resulting credentials are in fact valid - that they can be used in Kerberos authentication. Normally, this is done with krb5_verify_init_creds(), where the caller uses the TGT to get a host service ticket, but I guess you could use GSS ftp or something, anything that uses the TGT.

Otherwise, an attacker can pose as the KDC while logging in, and give you a TGT regardless of what password was typed in. Of course such a TGT won't work.

Donn Cave, [EMAIL PROTECTED]
-- http://mail.python.org/mailman/listinfo/python-list