Kerberos Authentication in Python — ELI5

Imagine you want to see three different movies at a cinema complex. At the main entrance, you show your ID once and get a special pass. Then at each individual theater, you show that pass and get a specific movie ticket — without showing your ID again.

That’s how Kerberos works.

There’s a trusted office in the middle called the Key Distribution Center (KDC). When you log into your work computer, your computer proves to the KDC that you know the right password, but without sending it: it takes the current time, locks it with a key made from your password, and sends that locked box. The KDC has the same key on file, so if it can open the box and the time inside is current, it knows you typed the right password. It then gives you a special pass called a Ticket-Granting Ticket (TGT). Think of it as proof that you already showed your ID at the entrance.

Now, when you want to access a file server, your computer shows the TGT to the KDC and asks for a ticket to that specific server. The KDC issues a service ticket — like getting a movie ticket for Theater 3.

Your computer hands that service ticket to the file server. The ticket is locked with a secret key that only the file server and the KDC know, so the file server can check it is legit on its own, without ever talking to the KDC. A ticket for the file server also only works at the file server; the mail server cannot open it. And here’s the important part: your password never travels across the network. Not to the file server, not even to the KDC. Everything is done with encrypted tickets and secret keys.

This is why in big offices, you log in once in the morning and can access email, file shares, and internal websites all day without typing your password again. The TGT keeps working behind the scenes. It does expire, though, typically after around ten hours, which is why a long day sometimes ends with a prompt to log in again.

In Python, libraries like gssapi and requests-kerberos let your programs use these tickets to connect to Kerberos-protected services automatically. They pick up the TGT from the credential cache that your login (or kinit) already filled, so the program itself never handles your password, and they can also check the server’s reply so you know you reached the real server and not an impostor (mutual authentication).
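To make the three exchanges above concrete, here is an added, self-contained simulation (example code written for this page, not from gssapi or requests-kerberos): a toy KDC, a file server, a mail server and a client named alice in a made-up realm EXAMPLE.COM, with an HMAC-based stand-in for Kerberos encryption. Every name, password and key in it is invented for the demo. It walks through the login (AS) exchange, the ticket request (TGS) exchange and the service (AP) exchange, then checks three claims from the text: the service verifies the ticket with its own key and never calls the KDC, a ticket for one service is useless at another, and the password never appears on the wire.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"  # assumed realm; every principal name and password below is made up
MAX_SKEW = 300         # seconds of clock drift the KDC and services tolerate
LIFETIME = 36000       # ticket lifetime in seconds (ten hours is a common default)

# Stand-in for a Kerberos etype (HMAC-SHA256 keystream + MAC); only a holder of `key` can open a blob.
def _ks(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def password_to_key(principal, password):  # what the KDC stores instead of the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def fresh(ts):
    return abs(time.time() - ts) <= MAX_SKEW

class KDC:
    def __init__(self, principals):
        self.keys = dict(principals)           # principal -> long-term key
        self.keys["krbtgt"] = os.urandom(32)   # seals every TGT; never leaves the KDC
    def as_exchange(self, client, preauth):
        """AS exchange: the timestamp opens only with the password key, so it proves the password."""
        if not fresh(unseal(self.keys[client], preauth)["timestamp"]):
            raise ValueError("stale pre-authentication")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "session": session,
                                         "expires": time.time() + LIFETIME})
        return tgt, seal(self.keys[client], {"session": session})
    def tgs_exchange(self, tgt, authenticator, service):
        """TGS exchange: show the TGT, get a ticket sealed with that one service's key."""
        t = unseal(self.keys["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if time.time() > t["expires"] or auth["client"] != t["client"] or not fresh(auth["timestamp"]):
            raise ValueError("expired TGT or bad authenticator")
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "service": service,
                                           "session": session, "expires": time.time() + LIFETIME})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": session})

class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key
    def accept(self, ticket, authenticator):
        """AP exchange: checked with the service's own key alone; the KDC is not contacted."""
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if (t["service"] != self.name or time.time() > t["expires"]
                or auth["client"] != t["client"] or not fresh(auth["timestamp"])):
            raise ValueError("ticket or authenticator rejected")
        return t["client"]

class Client:
    def __init__(self, name, kdc):
        self.name, self.kdc, self.tickets, self.wire = name, kdc, {}, []   # wire: every blob sent
    def login(self, password):
        key = password_to_key(self.name, password)   # the password never leaves this method
        preauth = seal(key, {"timestamp": time.time()})
        tgt, enc = self.kdc.as_exchange(self.name, preauth)
        self.wire += [preauth, tgt, enc]
        self.tgt, self.tgt_session = tgt, bytes.fromhex(unseal(key, enc)["session"])
    def ticket_for(self, service):
        auth = seal(self.tgt_session, {"client": self.name, "timestamp": time.time()})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, service)
        self.wire += [self.tgt, auth, ticket, enc]
        self.tickets[service] = (ticket, bytes.fromhex(unseal(self.tgt_session, enc)["session"]))
    def connect(self, svc):
        ticket, session = self.tickets[svc.name]
        auth = seal(session, {"client": self.name, "timestamp": time.time()})
        self.wire += [ticket, auth]
        return svc.accept(ticket, auth)

def demo(password="correct horse battery", typed=None):
    """Log in once, then reach two services; report what the wire saw along the way."""
    files, mail = Service("cifs/fileserver", os.urandom(32)), Service("imap/mail", os.urandom(32))
    kdc = KDC({"alice": password_to_key("alice", password), files.name: files.key, mail.name: mail.key})
    alice = Client("alice", kdc)
    alice.login(password if typed is None else typed)   # a wrong password fails inside the KDC
    alice.ticket_for(files.name)
    alice.ticket_for(mail.name)
    mail_ticket, mail_session = alice.tickets[mail.name]
    try:   # the mail ticket is sealed with the mail server's key, so the file server cannot open it
        files.accept(mail_ticket, seal(mail_session, {"client": "alice", "timestamp": time.time()}))
        cross = "accepted"
    except ValueError:
        cross = "rejected"
    return {"files": alice.connect(files), "mail": alice.connect(mail), "cross_service": cross,
            "password_on_wire": any(password.encode() in b for b in alice.wire), "messages": len(alice.wire)}
```

Call demo() to run the whole morning: it returns who each service authenticated, whether the file server rejected the mail ticket, and whether the password bytes showed up in any of the 15 messages that crossed the simulated wire. Calling demo(typed="something else") fails inside the KDC with a ValueError, because a pre-authentication box locked with the wrong key will not open.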

The one thing to remember: Kerberos is a ticket system where you prove your identity once and get tickets for each service you need — your actual password never crosses the network.

Tags: python, security, authentication, enterprise