I'm working on a project for university. I set up a server which has to verify several credentials (username and password) with a Kerberos 5 server (which is a separate server in my network). I don't have to perform any actions with the rights of those users, just check if the combination of username and password is valid. My project is written in Python on Ubuntu 18.04 Server.

This question is related to a former question of mine

I managed to verify the credentials with gssapi but somebody told me:

Just an unrelated note -- I don't know how your project is structured, but if you're doing this password verification in the server then it's not really making good use of Kerberos... it's just using the KDC as a dumb credential database but not actually protecting the credentials

What would be the correct/a better way to verify credentials?

That's how I managed to verify:

import gssapi

# Service principal the context is initiated towards (realm intentionally left as in the original post)
server_name = gssapi.Name('krbtgt/DOMAIN.COM@')

username = "USERNAME"
password = "PASSWORD"

user = gssapi.Name(base=username, name_type=gssapi.NameType.user)
bpass = password.encode('utf-8')
result = False
try:
    # This is the step that talks to the KDC: it performs the AS exchange
    # and fails with a GSSError if the username/password pair is wrong.
    creds = gssapi.raw.acquire_cred_with_password(user, bpass, usage='initiate')
    # acquire_cred_with_password returns a wrapper (AcquireCredResult);
    # we want the creds object inside this wrapper
    creds = creds.creds
    # Constructing the context only prepares it; no token is exchanged
    # until step() is called, so the check has already happened above.
    context = gssapi.SecurityContext(name=server_name, creds=creds, usage='initiate')
    result = True
except AttributeError:
    print("AttributeError")
except gssapi.exceptions.GSSError as er:
    print(er)
print(result)
Cal Blau

1 Answer

Doing gssapi.raw.acquire_cred_with_password(user, bpass, usage='initiate') is fully sufficient to obtain a TGT. Nothing else is necessary.

Michael-O