Is there any workaround for fixing the following issue or any alternative to the kerberos library?
The python-kerberos `checkPassword()` method is badly insecure. It does a kinit (AS-REQ) to ask a KDC for a TGT for the given user principal, and interprets the success or failure of that as indicating whether the password is correct:
- Security issue: checkPassword is insecure
- Link to CVE entry about this security issue: cve
There is no active response from the maintainers.
Then that's a good opportunity to get rid of the pykerberos library completely and port the application to something more modern, namely the python-gssapi or pyspnego modules.
Merely having the checkPassword function is harmless as long as you don't use it, but of course all of it really indicates that the ccs-pykerberos library as a whole is unmaintained and could be replaced.
If you only need Kerberos-via-SPNEGO, use pyspnego, which is cross-platform (it uses either sspilib or python-gssapi underneath).
For more specific Kerberos tasks (e.g. non-SPNEGO-based protocols), python-gssapi is the modern alternative if you want UNIX GSS-API, while sspilib is the equivalent for Windows SSPI.
All of them have a different interface, so it's not a straightforward replacement, but they are generally more pleasant to use. (Whereas pykerberos is basically a clone of the Objective-C API from macOS.)
The last option is to vendor your own copy of ccs-pykerberos and just delete the offending function – it's not like pykerberos is going to change much at this point. (After all, pykerberos is just bindings to libkrb5, and all the security-sensitive code lives in the external libkrb5 library.)
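To make the weakness the question describes concrete, here is an added, self-contained model of the two ways a service can treat a kinit result. It is not code from pykerberos, python-gssapi or pyspnego: the KDC, tickets and keys are simulated with HMAC so it runs offline, and the names `ToyKDC`, `HOST_PRINCIPAL`, `insecure_check_password` and `verified_check_password` are constructed for this example. `insecure_check_password` reproduces the `checkPassword()` logic (AS-REP decrypts, therefore the password is right). `verified_check_password` adds the step real deployments rely on, which libkrb5 exposes as `krb5_verify_init_creds`: use the fresh TGT to obtain a ticket for the service's own host principal and confirm it decrypts with the key in the local keytab, which a KDC that does not hold that key cannot produce.

```python
"""Toy model: password check by kinit alone vs. kinit plus keytab verification.

Added example, not from any Kerberos library. 'Encryption' is payload||HMAC so
that 'decryption succeeds' means 'the HMAC verifies'; real Kerberos uses AES
string-to-key and ASN.1 messages, but the structure of the check is the same.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

HOST_PRINCIPAL = "host/login.example.test"  # constructed name for the local service
TAG_LEN = 32


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string-to-key (principal name acts as the salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)


def seal(key: bytes, payload: bytes) -> bytes:
    """Toy encryption: payload followed by an HMAC tag under `key`."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Toy decryption: returns the payload if the tag verifies, else None."""
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


class ToyKDC:
    """Simulated KDC holding long-term keys for the principals it knows."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys

    def as_req(self, user: str) -> Optional[bytes]:
        """AS-REP: a fresh TGT session key sealed under the user's long-term key."""
        if user not in self.keys:
            return None
        return seal(self.keys[user], os.urandom(32))

    def tgs_req(self, session_key: bytes, service: str) -> Optional[bytes]:
        """TGS-REP: a ticket sealed under the service key, wrapped for the client.

        The client hands over the TGT session key directly; in real Kerberos it
        proves possession with an authenticator instead. Same effect for the toy."""
        if service not in self.keys:
            return None  # a KDC without the host key cannot mint a valid ticket
        ticket = seal(self.keys[service], b"ticket-for:" + service.encode())
        return seal(session_key, ticket)


def insecure_check_password(kdc: ToyKDC, user: str, password: str) -> bool:
    """What checkPassword() does: kinit succeeded, so the password must be right."""
    rep = kdc.as_req(user)
    return rep is not None and unseal(string_to_key(password, user), rep) is not None


def verified_check_password(kdc: ToyKDC, user: str, password: str,
                            keytab: Dict[str, bytes]) -> bool:
    """Same kinit, then prove the replying KDC holds our host key before trusting it."""
    rep = kdc.as_req(user)
    if rep is None:
        return False
    session_key = unseal(string_to_key(password, user), rep)
    if session_key is None:
        return False  # wrong password for this KDC
    tgs_rep = kdc.tgs_req(session_key, HOST_PRINCIPAL)
    if tgs_rep is None:
        return False
    ticket = unseal(session_key, tgs_rep)
    # The decisive check: the ticket must decrypt with the key from our own keytab.
    return ticket is not None and unseal(keytab[HOST_PRINCIPAL], ticket) is not None


def demo() -> Dict[str, bool]:
    """Runs both checks against the realm's KDC and against one lacking the host key."""
    host_key = os.urandom(32)
    keytab = {HOST_PRINCIPAL: host_key}  # what /etc/krb5.keytab would hold
    realm_kdc = ToyKDC({"alice": string_to_key("correct horse", "alice"),
                        HOST_PRINCIPAL: host_key})
    # Constructed for the demo: answers for alice, but does not know the host key.
    untrusted_kdc = ToyKDC({"alice": string_to_key("anything", "alice")})
    return {
        "insecure_realm_good_pw": insecure_check_password(realm_kdc, "alice", "correct horse"),
        "insecure_realm_bad_pw": insecure_check_password(realm_kdc, "alice", "wrong"),
        "insecure_untrusted_kdc": insecure_check_password(untrusted_kdc, "alice", "anything"),
        "verified_realm_good_pw": verified_check_password(realm_kdc, "alice", "correct horse", keytab),
        "verified_realm_bad_pw": verified_check_password(realm_kdc, "alice", "wrong", keytab),
        "verified_untrusted_kdc": verified_check_password(untrusted_kdc, "alice", "anything", keytab),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {ok}")
```

The row to look at is `insecure_untrusted_kdc`: the kinit-only check returns True although the realm's KDC never saw the request, while the keytab-verified check returns False for the same input and still accepts the correct password from the real KDC. This is why the advice above is to drop the function rather than keep calling it: the fix is an extra round trip and a keytab, not a patch inside `checkPassword()`.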