Kerberos high-level interface

PyKerberos Package

This Python package is a high-level wrapper for Kerberos (GSSAPI) operations. The goal is to avoid having to build a module that wraps the entire Kerberos.framework, and instead offer a limited set of functions that do what is needed for client/server Kerberos authentication based on http://www.ietf.org/rfc/rfc4559.txt.

Much of the C-code here is adapted from Apache's mod_auth_kerb-5.0rc7.

Build

In this directory, run:

python setup.py build

Testing

To run the tests in the tests folder, you must have a valid Kerberos setup on the test machine. You can use the script .travis.sh as a quick and easy way to set up a Kerberos KDC and Apache web endpoint that can be used for the tests. Alternatively, you can run the tests in a self-contained Docker container:

docker run \
-v $(pwd):/app \
-w /app \
-e PYENV=2.7.13 \
-e KERBEROS_USERNAME=administrator \
-e KERBEROS_PASSWORD=Password01 \
-e KERBEROS_REALM=example.com \
-e KERBEROS_PORT=80 \
ubuntu:16.04 \
/bin/bash .travis.sh

The docker command needs to be run in the same directory as this library. You can test against different Python versions by changing the value of the PYENV environment variable set in the command.

Please have a look at testing_notes.md for more information.

IMPORTANT

The checkPassword method provided by this library is meant only for testing purposes as it does not offer any protection against possible KDC spoofing. That method should not be used in any production code.

Channel Bindings

You can use this library to authenticate with Channel Binding support. Channel Bindings are tags that identify the particular data channel being used with the authentication. You can use Channel Bindings to offer more proof of a valid identity. Some services like Microsoft's Extended Protection can enforce Channel Binding support on authorisation and you can use this library to meet those requirements.

More details on Channel Bindings as set through the GSSAPI can be found at https://docs.oracle.com/cd/E19455-01/806-3814/overview-52/index.html. Using TLS as an example, this is how you would add Channel Binding support to your authentication mechanism. The following code snippet is based on RFC 5929 (https://tools.ietf.org/html/rfc5929) using the 'tls-server-end-point' type.

import base64
import hashlib

import kerberos

def get_channel_bindings_application_data(socket):
    # This is a highly simplified example, there are other use cases
    # where you might need to use different hash types or get a socket
    # object somehow.
    server_certificate = socket.getpeercert(True)
    certificate_hash = hashlib.sha256(server_certificate).hexdigest().upper()
    certificate_digest = base64.b16decode(certificate_hash)
    application_data = b'tls-server-end-point:%s' % certificate_digest

    return application_data

def main():
    # Code to setup a socket with the server
    # A lot of code to setup the handshake and start the auth process
    socket = getsocketsomehow()

    # Connect to the host and start the auth process

    # Build the channel bindings object
    application_data = get_channel_bindings_application_data(socket)
    channel_bindings = kerberos.channelBindings(application_data=application_data)

    # More work to get responses from the server

    result, context = kerberos.authGSSClientInit(kerb_spn, gssflags=gssflags, principal=principal)

    # Pass through the channel_bindings object as created in the kerberos.channelBindings method
    result = kerberos.authGSSClientStep(context, neg_resp_value, channel_bindings=channel_bindings)

    # Repeat as necessary
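
The snippet above always hashes the certificate with SHA-256, and its comment notes that other hash types may be needed. The following added example (not part of PyKerberos or its README) applies the hash-selection rule from RFC 5929 section 4.1. The function name, the `signature_hash_name` parameter and the sample bytes are assumptions; the caller is assumed to have extracted the certificate's signature hash name itself.

```python
import hashlib

PREFIX = b"tls-server-end-point:"
# RFC 5929 section 4.1: a certificate signed with MD5 or SHA-1 is hashed with
# SHA-256; any other single hash function is used as-is.
UPGRADED = {"md5", "sha1"}
SUPPORTED = {"sha224", "sha256", "sha384", "sha512"}  # assumption: SHA-2 only


def tls_server_end_point(cert_der, signature_hash_name):
    """Return GSSAPI application data for the tls-server-end-point binding.

    cert_der: DER bytes of the server certificate, e.g. getpeercert(True).
    signature_hash_name: hash used by the certificate's signatureAlgorithm
    (hypothetical parameter; the caller extracts it from the certificate).
    """
    if not signature_hash_name:
        # No hash function, or more than one: RFC 5929 leaves the binding
        # undefined, so fail instead of guessing.
        raise ValueError("tls-server-end-point is undefined for this certificate")
    name = signature_hash_name.lower().replace("-", "")
    if name in UPGRADED:
        name = "sha256"
    if name not in SUPPORTED:
        raise ValueError("unsupported signature hash: %s" % signature_hash_name)
    return PREFIX + hashlib.new(name, cert_der).digest()


# Constructed placeholder bytes standing in for two DER-encoded certificates.
SERVER_CERT = b"constructed-server-certificate-der"
OTHER_CERT = b"constructed-other-certificate-der"

if __name__ == "__main__":
    for algo in ("sha1", "sha256", "sha384"):
        data = tls_server_end_point(SERVER_CERT, algo)
        print(algo, len(data) - len(PREFIX), data[len(PREFIX):].hex())
    # A different certificate on the channel gives different application data,
    # so an authentication bound to the expected certificate does not verify.
    print(tls_server_end_point(SERVER_CERT, "sha256")
          != tls_server_end_point(OTHER_CERT, "sha256"))
```

The returned bytes are what would be passed as `application_data` to `kerberos.channelBindings`, as in the snippet above.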

Python APIs

See kerberos.py.

Copyright and License

Copyright (c) 2006-2021 Apple Inc. All rights reserved.

This software is licensed under the Apache License, Version 2.0. The Apache License is a well-established open source license, enabling collaborative open source software development.

See the "LICENSE" file for the full text of the license terms.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kerberos-1.3.1.tar.gz (19.1 kB)

Uploaded Source

Built Distributions

kerberos-1.3.1-cp39-cp39-macosx_10_9_x86_64.whl (20.2 kB)

Uploaded CPython 3.9 macOS 10.9+ x86-64

kerberos-1.3.1-cp38-cp38-macosx_10_15_x86_64.whl (33.2 kB)

Uploaded CPython 3.8 macOS 10.15+ x86-64

kerberos-1.3.1-cp27-cp27m-macosx_11_1_x86_64.whl (20.3 kB)

Uploaded CPython 2.7m macOS 11.1+ x86-64

File details

Details for the file kerberos-1.3.1.tar.gz.

File metadata

  • Download URL: kerberos-1.3.1.tar.gz
  • Upload date:
  • Size: 19.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.6.1 requests/2.25.0 setuptools/51.1.2 requests-toolbelt/0.9.1 tqdm/4.54.1 CPython/3.9.1

File details

Details for the file kerberos-1.3.1-cp39-cp39-macosx_10_9_x86_64.whl.

File metadata

  • Download URL: kerberos-1.3.1-cp39-cp39-macosx_10_9_x86_64.whl
  • Upload date:
  • Size: 20.2 kB
  • Tags: CPython 3.9, macOS 10.9+ x86-64
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.6.1 requests/2.25.0 setuptools/51.1.2 requests-toolbelt/0.9.1 tqdm/4.54.1 CPython/3.9.1

File details

Details for the file kerberos-1.3.1-cp38-cp38-macosx_10_15_x86_64.whl.

File metadata

  • Download URL: kerberos-1.3.1-cp38-cp38-macosx_10_15_x86_64.whl
  • Upload date:
  • Size: 33.2 kB
  • Tags: CPython 3.8, macOS 10.15+ x86-64
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.6.1 requests/2.25.0 setuptools/51.1.2 requests-toolbelt/0.9.1 tqdm/4.54.1 CPython/3.9.1

File details

Details for the file kerberos-1.3.1-cp27-cp27m-macosx_11_1_x86_64.whl.

File metadata

  • Download URL: kerberos-1.3.1-cp27-cp27m-macosx_11_1_x86_64.whl
  • Upload date:
  • Size: 20.3 kB
  • Tags: CPython 2.7m, macOS 11.1+ x86-64
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.6.1 requests/2.25.0 setuptools/51.1.2 requests-toolbelt/0.9.1 tqdm/4.54.1 CPython/3.9.1
