[CalendarServer-changes] [13268] PyKerberos/trunk

source_changes at macosforge.org
Sun Apr 13 08:09:55 PDT 2014


Revision: 13268
          http://trac.calendarserver.org//changeset/13268
Author:   cdaboo at apple.com
Date:     2014-04-13 08:09:55 -0700 (Sun, 13 Apr 2014)
Log Message:
-----------
Add warning about use of checkPassword.

Modified Paths:
--------------
    PyKerberos/trunk/README.txt
    PyKerberos/trunk/pysrc/kerberos.py

Modified: PyKerberos/trunk/README.txt
===================================================================
--- PyKerberos/trunk/README.txt	2014-04-13 14:50:07 UTC (rev 13267)
+++ PyKerberos/trunk/README.txt	2014-04-13 15:09:55 UTC (rev 13268)
@@ -44,6 +44,14 @@
     'http at host.example.com')
 
 
+IMPORTANT
+=========
+
+The checkPassword method provided by this library is meant only for testing purposes as it does
+not offer any protection against possible KDC spoofing. That method should not be used in any
+production code.
+
+
 Python APIs
 ===========
 
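Review bot: the new IMPORTANT section tells the reader that checkPassword gives no protection against KDC spoofing, but not what to do instead, so anyone who needs password verification in production is left without guidance. Consider adding one sentence that either points to the usual mitigation (verifying the credentials obtained against a service key the application itself holds, as a keytab-based check does) or states plainly that this library offers no spoofing-resistant alternative. It would also help to use the same wording here as in the kerberos.py docstring added in this commit; one says "meant only for testing purposes", the other "should only used for testing", and a single phrasing is easier to grep for.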

Modified: PyKerberos/trunk/pysrc/kerberos.py
===================================================================
--- PyKerberos/trunk/pysrc/kerberos.py	2014-04-13 14:50:07 UTC (rev 13267)
+++ PyKerberos/trunk/pysrc/kerberos.py	2014-04-13 15:09:55 UTC (rev 13268)
@@ -38,12 +38,16 @@
     That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct
     realms and KDCs listed.
     
+    IMPORTANT This method is vulnerable to KDC spoofing attacks and it should only used
+    for testing. Do not use this in any production system - your security could be
+    compromised if you do.
+     
     @param user:          a string containing the Kerberos user name. A realm may be
         included by appending an '@' followed by the realm string to the actual user id.
         If no realm is supplied, then the realm set in the default_realm argument will
         be used.
     @param pswd:          a string containing the password for the user.
-    @param service:       a string containging the Kerberos service to check access for.
+    @param service:       a string containing the Kerberos service to check access for.
         This will be of the form 'sss/xx.yy.zz', where 'sss' is the service identifier
         (e.g., 'http', 'krbtgt'), and 'xx.yy.zz' is the hostname of the server.
     @param default_realm: a string containing the default realm to use if one is not
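Review bot: the added warning has a grammar error, "it should only used for testing" is missing "be" and should read "it should only be used for testing"; the blank line that follows it also carries trailing whitespace ("+     ") that the rest of the docstring avoids. Since the text already names the attack (KDC spoofing), one more clause stating the consequence, that a True result from this method does not prove the password is genuine, would make it clear to callers why the return value cannot be trusted for authentication decisions.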
@@ -61,7 +65,7 @@
         If no realm is supplied, then the realm set in the default_realm argument will
         be used.
     @param oldpswd:       a string containing the old (current) password for the user.
-    @param newpswd:       a string containging the new password for the user.
+    @param newpswd:       a string containing the new password for the user.
     @return:              True if password changing succeeds, False otherwise.
     """
 
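Review bot: this hunk only corrects the "containging" typo in the changePassword docstring, which is unrelated to the commit log "Add warning about use of checkPassword"; mentioning the typo fixes in the log message, or committing them separately, would keep the history accurate for anyone later searching for the warning change. The correction itself is fine.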