
Add warning about use of checkPassword.

cyrusdaboo committed Apr 13, 2014
1 parent a2d0f80 commit 9cb61c93f9b24dd18a0a315f3df5445529c5c333
Showing with 14 additions and 2 deletions.
  1. +8 −0 README.txt
  2. +6 −2 pysrc/kerberos.py
@@ -44,6 +44,14 @@ directory. Then run test.py with suitable command line arguments:
'http@host.example.com')


IMPORTANT
=========

The checkPassword method provided by this library is meant only for testing purposes as it does
not offer any protection against possible KDC spoofing. That method should not be used in any
production code.


Python APIs
===========

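Review bot: the new IMPORTANT section says checkPassword offers no protection against KDC spoofing but does not tell a reader what a production deployment should do instead, so the warning names the risk without making it actionable; add one sentence pointing at the API that is intended for production authentication in this library, and consider moving the section above the test.py instructions so it is seen before anyone copies the testing example.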
@@ -38,12 +38,16 @@ def checkPassword(user, pswd, service, default_realm):
That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct
realms and KDCs listed.
IMPORTANT This method is vulnerable to KDC spoofing attacks and it should only used
for testing. Do not use this in any production system - your security could be
compromised if you do.
@param user: a string containing the Kerberos user name. A realm may be
included by appending an '@' followed by the realm string to the actual user id.
If no realm is supplied, then the realm set in the default_realm argument will
be used.
@param pswd: a string containing the password for the user.
@param service: a string containging the Kerberos service to check access for.
@param service: a string containing the Kerberos service to check access for.
This will be of the form 'sss/xx.yy.zz', where 'sss' is the service identifier
(e.g., 'http', 'krbtgt'), and 'xx.yy.zz' is the hostname of the server.
@param default_realm: a string containing the default realm to use if one is not
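Review bot: the added warning line has a grammar slip, "it should only used" should read "it should only be used"; since this is the text users will see in help(checkPassword), worth fixing before merge. The docstring also only reaches people who read it, so emitting a runtime warning (for example via warnings.warn) when checkPassword is called would surface the same KDC-spoofing caveat to callers who never open the source. The "containging" to "containing" typo fix in the @param service line is fine.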
@@ -61,7 +65,7 @@ def changePassword(user, oldpswd, newpswd):
If no realm is supplied, then the realm set in the default_realm argument will
be used.
@param oldpswd: a string containing the old (current) password for the user.
@param newpswd: a string containging the new password for the user.
@param newpswd: a string containing the new password for the user.
@return: True if password changing succeeds, False otherwise.
"""
