02strich / django-auth-kerberos

Kerberos authentication backend for Django
MIT License
19 stars, 12 forks

Security Issue: checkPassword does not verify the KDC #5

Closed (divad closed this issue 9 years ago)

divad commented 9 years ago

Hello,

I have been using python-kerberos for a long time, it looks like a security issue was discovered in it and the documentation was silently changed without really informing anybody who was using it that they should not.

The checkPassword method does not verify that the KDC is actually the real KDC. The PyPI page now says "The checkPassword method provided by this library is meant only for testing purposes as it does not offer any protection against possible KDC spoofing. That method should not be used in any production code."

And this ticket explains it in more detail: https://www.calendarserver.org/ticket/833

Since django-auth-kerberos uses checkPassword you should probably either work around the problem yourself (although I'm not sure how) or let users know that django-auth-kerberos has the same flaw and should not be used in production code.

02strich commented 9 years ago

Hi David,

Thank you very much for making me aware of this issue. I have added support for verifying the KDC response to pykerberos and django-auth-kerberos and enabled it by default. This should address the issue, would you agree?

Thanks, Stefan
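The fix Stefan describes, as an added example that is neither django-auth-kerberos's nor pykerberos's own code: a fail-closed password check that calls checkPassword with KDC verification turned on. The `verify` keyword of the forked pykerberos and the setting names `KRB5_SERVICE` / `KRB5_REALM` are assumptions, the principal and realm values are placeholders, and the check function is injectable so the fail-closed behaviour can be exercised without a KDC.

```python
# Added example (not code from django-auth-kerberos or pykerberos): a small,
# fail-closed password check in the shape of a Django auth backend helper,
# written so the Kerberos call can be swapped out for testing.
from typing import Callable, Optional

# A site would normally read these from settings.KRB5_SERVICE / settings.KRB5_REALM
# (setting names assumed); the values below are placeholders.
KRB5_SERVICE = "HTTP/www.example.org"   # placeholder service principal
KRB5_REALM = "EXAMPLE.ORG"              # placeholder realm


def pykerberos_check(username: str, password: str) -> bool:
    """Verify a password against the KDC using pykerberos.

    Assumes the forked pykerberos whose checkPassword accepts a ``verify``
    keyword. With verify=True the library does not stop at obtaining a TGT:
    it also requests a service ticket for KRB5_SERVICE and validates it
    against the local keytab, so a spoofed KDC that only hands out a TGT
    is rejected. Without that step the password check proves nothing.
    """
    import kerberos  # imported lazily so the rest of the module has no hard dependency
    return kerberos.checkPassword(username, password, KRB5_SERVICE, KRB5_REALM, verify=True)


def kerberos_authenticate(
    username: str,
    password: str,
    check: Callable[[str, str], bool] = pykerberos_check,
) -> Optional[str]:
    """Return the username on a verified login, or None on any failure.

    pykerberos signals a bad password or a failed KDC verification by
    raising; every exception is treated as a failed login rather than
    letting it propagate out of the backend. An empty username or password
    is refused up front instead of being handed to the library.
    """
    if not username or not password:
        return None
    try:
        ok = check(username, password)
    except Exception:  # includes a service ticket that failed keytab verification
        return None
    return username if ok else None
```

A real backend would wrap `kerberos_authenticate` in `authenticate(self, request, username=None, password=None)` and map the returned username to a Django user.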

divad commented 9 years ago

I agree, many thanks.

Have you taken over maintenance of pykerberos from calendarserver.org? Or is it a fork? I am confused!

divad commented 9 years ago

Okay, I understand now, pykerberos on PyPI is a fork of Apple's pykerberos :)

02strich commented 9 years ago

Sorry, yes, the PyPI version is mine and a fork of the Apple one.