High level interface to SSPI for Kerberos client auth

Navigation

Project links

Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: Apache Software License (Apache License, Version 2.0)

Author: Bernie Hackett

Tags Kerberos, SSPI, GSSAPI

Maintainers

Avatar for 10gen from gravatar.com 10gen

Classifiers

Project description

Info:See github for the latest source.
Author: Bernie Hackett <bernie@mongodb.com>

About

A native Kerberos client implementation for Python on Windows. This module mimics the API of pykerberos to implement Kerberos authentication with Microsoft’s Security Support Provider Interface (SSPI). It supports Python 2.6, 2.7, and 3.3+.

Installation

WinKerberos is in the Python Package Index (pypi). Use pip to install it:

python -m pip install winkerberos

WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.

Building and installing from source

You must have the correct version of VC++ installed for your version of Python:

Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source:

python setup.py install

Building HTML documentation

First install Sphinx:

python -m pip install Sphinx

Then run the following command from the root directory of the WinKerberos source:

python setup.py doc

Examples

This is a simplified example of a complete authentication session following RFC-4752, section 3.1:

import winkerberos as kerberos

def send_response_and_receive_challenge(response):
    # Your server communication code here...
    pass

def authenticate_kerberos(service, user, channel_bindings=None):
    # Initialize the context object with a service principal.
    status, ctx = kerberos.authGSSClientInit(service)

    # GSSAPI is a "client goes first" SASL mechanism. Send the
    # first "response" to the server and recieve its first
    # challenge.
    if channel_bindings is not None:
        status = kerberos.authGSSClientStep(
            ctx, "", channel_bindings=channel_bindings)
    else:
        status = kerberos.authGSSClientStep(ctx, "")
    response = kerberos.authGSSClientResponse(ctx)
    challenge = send_response_and_receive_challenge(response)

    # Keep processing challenges and sending responses until
    # authGSSClientStep reports AUTH_GSS_COMPLETE.
    while status == kerberos.AUTH_GSS_CONTINUE:
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(
                ctx, challenge, channel_bindings=channel_bindings)
        else:
            status = kerberos.authGSSClientStep(ctx, challenge)

        response = kerberos.authGSSClientResponse(ctx) or ''
        challenge = send_response_and_receive_challenge(response)

    # Decrypt the server's last challenge
    kerberos.authGSSClientUnwrap(ctx, challenge)
    data = kerberos.authGSSClientResponse(ctx)
    # Encrypt a response including the user principal to authorize.
    kerberos.authGSSClientWrap(ctx, data, user)
    response = kerberos.authGSSClientResponse(ctx)

    # Complete authentication.
    send_response_and_receive_challenge(response)

Channel bindings can be generated with help from the cryptography module. See https://tools.ietf.org/html/rfc5929#section-4.1 for the rules regarding hash algorithm choice:

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes

def channel_bindings(ssl_socket):
    server_certificate = ssl_socket.getpeercert(True)
    cert = x509.load_der_x509_certificate(server_certificate, default_backend())
    hash_algorithm = cert.signature_hash_algorithm
    if hash_algorithm.name in ('md5', 'sha1'):
        digest = hashes.Hash(hashes.SHA256(), default_backend())
    else:
        digest = hashes.Hash(hash_algorithm, default_backend())
    digest.update(server_certificate)
    application_data = b"tls-server-end-point:" + digest.finalize()
    return kerberos.channelBindings(application_data=application_data)

Viewing API Documentation without Sphinx

Use the help function in the python interactive shell:

>>> import winkerberos
>>> help(winkerberos)

Project details

Project links

Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: Apache Software License (Apache License, Version 2.0)

Author: Bernie Hackett

Tags Kerberos, SSPI, GSSAPI

Maintainers

Avatar for 10gen from gravatar.com 10gen

Classifiers


Release history Release notifications | RSS feed

This version

0.7.0

0.6.0

0.5.0

0.4.0

0.3.0

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for winkerberos, version 0.7.0
Filename, size File type Python version Upload date Hashes
Filename, size winkerberos-0.7.0-cp26-cp26m-win32.whl (17.9 kB) File type Wheel Python version cp26 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp26-cp26m-win_amd64.whl (19.6 kB) File type Wheel Python version cp26 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp27-cp27m-win32.whl (17.6 kB) File type Wheel Python version cp27 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp27-cp27m-win_amd64.whl (19.3 kB) File type Wheel Python version cp27 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp33-cp33m-win32.whl (17.4 kB) File type Wheel Python version cp33 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp33-cp33m-win_amd64.whl (18.7 kB) File type Wheel Python version cp33 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp34-cp34m-win32.whl (17.4 kB) File type Wheel Python version cp34 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp34-cp34m-win_amd64.whl (18.7 kB) File type Wheel Python version cp34 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp35-cp35m-win32.whl (18.9 kB) File type Wheel Python version cp35 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp35-cp35m-win_amd64.whl (21.3 kB) File type Wheel Python version cp35 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp36-cp36m-win32.whl (18.9 kB) File type Wheel Python version cp36 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp36-cp36m-win_amd64.whl (21.3 kB) File type Wheel Python version cp36 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp37-cp37m-win32.whl (16.3 kB) File type Wheel Python version cp37 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp37-cp37m-win_amd64.whl (19.0 kB) File type Wheel Python version cp37 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp38-cp38-win32.whl (20.6 kB) File type Wheel Python version cp38 Upload date Hashes View
Filename, size winkerberos-0.7.0-cp38-cp38-win_amd64.whl (23.2 kB) File type Wheel Python version cp38 Upload date Hashes View
Filename, size winkerberos-0.7.0.zip (42.2 kB) File type Source Python version None Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page