Python GSSAPI Wrapper
Python-GSSAPI provides both low-level and high level wrappers around the GSSAPI C libraries. While it focuses on the Kerberos mechanism, it should also be useable with other GSSAPI mechanisms.
Documentation for the latest released version (including pre-release versions) can be found at https://pythongssapi.github.io/python-gssapi/stable.
Documentation for the latest commit on master can be found at https://pythongssapi.github.io/python-gssapi/latest.
- A working implementation of GSSAPI (such as from MIT Kerberos) which includes header files
- a C compiler (such as GCC)
- either the
enum34Python package or Python 3.4+
Compiling from Scratch
To compile from scratch, you will need Cython >= 0.21.1.
For Running the Tests
nosepackage (for tests)
shouldbepackage (for tests)
$ pip install gssapi
From the Git Repo
After being sure to install all the requirements,
$ git clone https://github.com/pythongssapi/python-gssapi.git $ python setup.py build $ python setup.py install
The tests for for Python-GSSAPI live in
gssapi.tests. In order to
run the tests, you must have an MIT Kerberos installation (including
the KDC). The tests create a self-contained Kerberos setup, so running
the tests will not interfere with any existing Kerberos installations.
Python-GSSAPI is composed of two parts: a low-level C-style API which
thinly wraps the underlying RFC 2744 methods, and a high-level, Pythonic
API (which is itself a wrapper around the low-level API). Examples may
be found in the
The low-level API lives in
gssapi.raw. The methods contained therein
are designed to match closely with the original GSSAPI C methods. All
relevant methods and classes may be imported directly from
Extension methods will only be imported if they are present. The low-level
API follows the given format:
- Names match the RFC 2744 specification, with the
- Parameters which use C int constants as enums have
enum.IntEnumclasses defined, and thus may be passed either the enum members or integers
- In cases where a specific constant is passed in the C API to represent
a default value,
Noneshould be passed instead
- In cases where non-integer constants would be used in the API (i.e. OIDs), enum-like objects have been defined containing named references to values specified in RFC 2744.
- Major and minor error codes are returned by raising
gssapi.raw.GSSError. The major error codes have exceptions defined in in
gssapi.raw.exceptionsto make it easier to catch specific errors or categories of errors.
- All other relevant output values are returned via named tuples.
The high-level API lives directly under
gssapi. The classes
contained in each file are designed to provide a more Pythonic, Object-Oriented
view of GSSAPI. The exceptions from the low-level API, plus several additional
exceptions, live in
gssapi.exceptions. The rest of the classes may be
imported directly from
gssapi. Only classes are exported by
all functions are methods of classes in the high-level API.
Please note that QoP is not supported in the high-level API, since it has been deprecated.
In addition to RFC 2743/2744, Python-GSSAPI also has support for:
- RFC 5587 (Extended GSS Mechanism Inquiry APIs)
- RFC 5588 (GSS-API Extension for Storing Delegated Credentials)
- (Additional) Credential Store Extension
- Credentials import-export
- RFC 6680 (GSS-API Naming Extensions)
- DCE and IOV MIC extensions
(GitHub usernames in parentheses)
- Solly Ross (@directxman12)
- Robbie Harwood (@frozencemetery)
- Simo Sorce (@simo5)
- Hugh Cole-Baker (@sigmaris)