pykerberos (1.1.5-1) unstable; urgency=medium The python-kerberos checkPassword() method has been badly insecure in previous releases. It used to do (and still does by default) a kinit (AS-REQ) to ask a KDC for a TGT for the given user principal, and interprets the success or failure of that as indicating whether the password is correct. It does not, however, verify that it actually spoke to a trusted KDC: an attacker may simply reply instead with an AS-REP which matches the password he just gave you. . Imagine you were verifying a password using LDAP authentication rather than Kerberos: you would, of course, use TLS in conjunction with LDAP to make sure you were talking to a real, trusted LDAP server. The same requirement applies here. kinit is not a password-verification service. . The usual way of doing this is to take the TGT you've obtained with the user's password, and then obtain a ticket for a principal for which the verifier has keys (e.g. a web server processing a username/password form login might get a ticket for its own HTTP/host@REALM principal), which it can then verify. Note that this requires that the verifier has its own Kerberos identity, which is mandated by the symmetric nature of Kerberos (whereas in the LDAP case, the use of public-key cryptography allows anonymous verification). . The fact of pykerberos being susceptible to KDC spoofing attacks has been filed as CVE-2015-3206. . With this version of the pykerberos package a new option is introduced for the checkPassword() method. Setting verify to True when using checkPassword() will perform a KDC verification. For this to work, you need to provide a krb5.keytab file containing service principal keys for the service you intend to use. . As the default krb5.keytab file in /etc is normally not accessible by non-root users/processes, you have to make sure a custom krb5.keytab file containing the correct principal keys is provided to your application using the KRB5_KTNAME environment variable. -- Guido Günther Sat, 22 Aug 2015 12:08:41 +0200