Getting a kerberos ticket
Donn Cave
donn at u.washington.edu
Tue Jan 28 20:03:06 EST 2003
Quoth Mike McGavin <jester at NOSPAM.mcsnospam.vuw.netNOSPAM.nz>:
| Is anyone able to direct me to a python module for interacting with
| kerberos 5? I have a situation where I need to connect to a postgresql
| database using kerberos authentication from a python CGI script.
|
| When connecting locally and interactively I can run kinit beforehand to
| authenticate and get the ticket and so on, so there haven't been any
| problems. (I've been using PyGreSQL to connect to postgres.) It's more
| awkward with a CGI script, though, because it's running in an
| independent environment on a web server that I don't have much access to
| besides running CGI scripts. There's no way that I can run kinit without
| an ugly and inefficient hack that I'd prefer to avoid.
|
| I think what I need to do is get a ticket issued whenever one is
| needed... preferably not every time the script loads, although that
| would be a hack I could live with for now.
|
| Does anyone have any experience with this, and possibly some sample code?

I gather that the ID (principal) is always the same here, you're not getting it from the web form. It's too bad you don't have full support on the httpd host.

The problem that I'm seeing with any approach that would do this authentication straight from the CGI program, is that this will tend to authenticate the user ID the program runs under, not just the CGI process. You'll acquire some credentials, in a file, and that file and those credentials will be available to any CGI process on the host, assuming they all run as "nobody".

So you need your own ID, that you can entrust with these credentials because you know it isn't working for anyone else, and a setuid program that gets the credentials and connects to the database. The setuid program will have to be written in C, though it can invoke a Python program if it's careful. Then you need a keytab file with the principal's password, with access restricted to your application ID (and root of course - there's no way you can do this without giving the web host's admins access to your database.) That can be used periodically to update credentials, via kinit in a cron job, or every time the request runs.

A Python module for Kerberos5 is feasible, but seems like it might be the least of your worries (maybe not even worth the installation and maintenance of this C module.)

	Donn Cave, donn at u.washington.edu
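
An added example, not part of the original message: one way the dedicated application ID could check that its keytab and credential cache are not readable by other accounts before refreshing the ticket from cron. It assumes MIT Kerberos `kinit` (`-k`, `-t`, `-c`); the function names and file names are hypothetical.

```python
import os
import stat
import subprocess
import tempfile

def audit_secret_file(path, app_uid):
    """Return a list of problems that would expose a keytab or credential cache."""
    try:
        st = os.lstat(path)  # lstat: never follow a symlink planted by another user
    except FileNotFoundError:
        return ["missing: " + path]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlink or device?)")
    if st.st_uid not in (app_uid, 0):
        problems.append("owned by uid %d, expected %d or root" % (st.st_uid, app_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other access bits set: %o" % stat.S_IMODE(st.st_mode))
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory is world-writable without sticky bit")
    return problems

def refresh_credentials(principal, keytab, ccache, app_uid):
    """Run kinit from the keytab into a private cache; refuse if either file is exposed."""
    problems = audit_secret_file(keytab, app_uid)
    if os.path.lexists(ccache):
        problems += audit_secret_file(ccache, app_uid)
    if problems:
        raise PermissionError("; ".join(problems))
    # MIT kinit: -k use a keytab, -t keytab file, -c credential cache to write
    subprocess.run(["kinit", "-k", "-t", keytab, "-c", ccache, principal], check=True)
    return ccache

def demo():
    """Constructed sample: a placeholder keytab at mode 0644, then tightened to 0600."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:  # created with mode 0700
        kt = os.path.join(d, "app.keytab")
        with open(kt, "wb") as f:
            f.write(b"constructed placeholder, not a real keytab")
        os.chmod(kt, 0o644)
        loose = audit_secret_file(kt, uid)
        os.chmod(kt, 0o600)
        tight = audit_secret_file(kt, uid)
    return loose, tight

if __name__ == "__main__":
    print(demo())
```

Pointing the database client at the private cache (for example through the `KRB5CCNAME` environment variable) keeps the ticket out of the default cache shared by every process running as the web server's user.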