5đź‘Ť
mod_auth_kerb can do two things:
-
Prompt the user for a username and password via HTTP Basic and validate them using Kerberos on the server side, or
-
Allow the browser to authenticate using Kerberos on both sides, via HTTP Negotiate. If the client supports Kerberos, this provides single-signon: the client automatically authenticates to the server via the Kerberos system without prompting for a password, via credentials obtained when the user logged in.
You are doing #1 in your application. It might be useful to move that into Apache, where it can be done once consistently for all apps. #2 you’re not doing at all, but it’s only useful in an environment in which Kerberos infrastructure is available.
A word of warning: I don’t know about the “Python kerberos module,” but it’s very possible that it is not doing password validation securely. Many things which claim to do this do the equivalent of “kinit”: they use the username and password to obtain an initial Kerberos credential (TGT), and claim success if it appears to work. The problem is that they have asked a third party (the Kerberos authentication server (key distribution center), or KDC) to validate the password — but they have not checked that they are actually talking to a real KDC. They might just have received a message from the same user who gave them the password, and the message of course says, “the password is right.” In order to do this properly the verifier needs its own identity in the Kerberos realm (a “principal”), and to take the extra step of using the TGT to obtain a ticket for itself and verifying it; this ensures that the reply is from a genuine KDC.
Another common way of doing this, if your KDCs are Windows domain controllers, is to use LDAP: connect to a domain controller via LDAP and authenticate with the password; the DC will check the password against Kerberos itself. Of course, you have the same problem: you need to verify that you’re talking to a genuine domain controller — but you can do that with TLS via certificates, which may be easier.