High level interface to SSPI for Kerberos client auth
Project description
Info: See github for the latest source.
About
A native Kerberos client implementation for Python on Windows. This module mimics the API of pykerberos to implement Kerberos authentication with Microsoft’s Security Support Provider Interface (SSPI). It supports Python 3.7+.
Installation
WinKerberos is in the Python Package Index (PyPI). Use pip to install it:
python -m pip install winkerberos
WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.
Building and installing from source
You must have the correct version of VC++ installed for your version of Python:
Python 3.7+ - Visual Studio 2015+ (Any version)
Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source:
pip install .
Building HTML documentation
First install Sphinx:
python -m pip install Sphinx
Then run the following command from the root directory of the WinKerberos source:
pip install -e .
python -m sphinx -b html doc doc/_build
Examples
This is a simplified example of a complete authentication session following RFC-4752, section 3.1:
import winkerberos as kerberos

def send_response_and_receive_challenge(response):
    # Your server communication code here...
    pass

def authenticate_kerberos(service, user, channel_bindings=None):
    # Initialize the context object with a service principal.
    status, ctx = kerberos.authGSSClientInit(service)

    # GSSAPI is a "client goes first" SASL mechanism. Send the
    # first "response" to the server and receive its first
    # challenge.
    if channel_bindings is not None:
        status = kerberos.authGSSClientStep(
            ctx, "", channel_bindings=channel_bindings)
    else:
        status = kerberos.authGSSClientStep(ctx, "")
    response = kerberos.authGSSClientResponse(ctx)
    challenge = send_response_and_receive_challenge(response)

    # Keep processing challenges and sending responses until
    # authGSSClientStep reports AUTH_GSS_COMPLETE.
    while status == kerberos.AUTH_GSS_CONTINUE:
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(
                ctx, challenge, channel_bindings=channel_bindings)
        else:
            status = kerberos.authGSSClientStep(ctx, challenge)
        response = kerberos.authGSSClientResponse(ctx) or ''
        challenge = send_response_and_receive_challenge(response)

    # Decrypt the server's last challenge
    kerberos.authGSSClientUnwrap(ctx, challenge)
    data = kerberos.authGSSClientResponse(ctx)

    # Encrypt a response including the user principal to authorize.
    kerberos.authGSSClientWrap(ctx, data, user)
    response = kerberos.authGSSClientResponse(ctx)

    # Complete authentication.
    send_response_and_receive_challenge(response)
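The last exchange above carries the RFC 4752, section 3.1 security-layer negotiation: the unwrapped challenge is 4 octets (a layer bitmask and a 3-octet maximum buffer size), and the reply is the selected layer, the client's buffer size and the authorization identity. The following is an added example, not code from the WinKerberos project, that decodes and checks that message by hand; the function names and the sample token are hypothetical, and it assumes the unwrapped data is base64 text as returned by authGSSClientResponse.

```python
import base64

# Security-layer bits defined in RFC 4752, section 3.1.
LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY = 1, 2, 4

# Constructed sample: a server offering "no security layer" only, buffer size 0.
SAMPLE_UNWRAPPED = base64.b64encode(bytes([LAYER_NONE, 0, 0, 0])).decode("ascii")


class NegotiationError(Exception):
    """The security-layer exchange violates RFC 4752, section 3.1."""


def parse_server_layers(unwrapped_b64):
    """Decode the unwrapped final challenge into (layer bitmask, max buffer).

    Assumption: the input is base64 text, as authGSSClientResponse returns
    after authGSSClientUnwrap.
    """
    token = base64.b64decode(unwrapped_b64, validate=True)
    if len(token) != 4:
        raise NegotiationError("cleartext must be exactly 4 octets")
    layers = token[0]
    max_buffer = int.from_bytes(token[1:], "big")
    protected = LAYER_INTEGRITY | LAYER_CONFIDENTIALITY
    if not layers & protected and max_buffer != 0:
        raise NegotiationError("no security layer offered, yet buffer size is non-zero")
    return layers, max_buffer


def build_client_reply(unwrapped_b64, authzid, want=LAYER_NONE, client_max=0):
    """Build the base64 cleartext reply: layer octet, 3-octet size, authzid."""
    layers, _ = parse_server_layers(unwrapped_b64)
    if want not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY):
        raise ValueError("select exactly one security layer")
    if not layers & want:
        raise NegotiationError("server does not offer the requested layer")
    if want == LAYER_NONE and client_max != 0:
        raise ValueError("buffer size must be 0 without a security layer")
    # The authorization identity is UTF-8 and is not NUL-terminated.
    reply = bytes([want]) + client_max.to_bytes(3, "big") + authzid.encode("utf-8")
    return base64.b64encode(reply).decode("ascii")
```

Failing closed when the server does not offer the layer the client requires keeps a downgraded or malformed token from being accepted silently.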
Channel bindings can be generated with help from the cryptography module. See https://tools.ietf.org/html/rfc5929#section-4.1 for the rules regarding hash algorithm choice:
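import winkerberos as kerberos
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes

def channel_bindings(ssl_socket):
    # DER-encoded certificate the server presented on this TLS connection.
    server_certificate = ssl_socket.getpeercert(True)
    cert = x509.load_der_x509_certificate(server_certificate, default_backend())
    hash_algorithm = cert.signature_hash_algorithm
    # RFC 5929 leaves the binding undefined when the signature algorithm
    # has no single hash function (cryptography returns None here).
    if hash_algorithm is None:
        raise ValueError("tls-server-end-point is undefined for this certificate")
    # RFC 5929: MD5 and SHA-1 signature hashes are replaced by SHA-256.
    if hash_algorithm.name in ('md5', 'sha1'):
        digest = hashes.Hash(hashes.SHA256(), default_backend())
    else:
        digest = hashes.Hash(hash_algorithm, default_backend())
    digest.update(server_certificate)
    application_data = b"tls-server-end-point:" + digest.finalize()
    return kerberos.channelBindings(application_data=application_data)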
Viewing API Documentation without Sphinx
Use the help function in the Python interactive shell:
>>> import winkerberos
>>> help(winkerberos)
Built Distributions
Hashes for winkerberos-0.10.0-cp312-cp312-win_amd64.whl
Hashes for winkerberos-0.10.0-cp312-cp312-win32.whl
Hashes for winkerberos-0.10.0-cp311-cp311-win_amd64.whl
Hashes for winkerberos-0.10.0-cp311-cp311-win32.whl
Hashes for winkerberos-0.10.0-cp310-cp310-win_amd64.whl
Hashes for winkerberos-0.10.0-cp310-cp310-win32.whl
Hashes for winkerberos-0.10.0-cp39-cp39-win_amd64.whl
Hashes for winkerberos-0.10.0-cp39-cp39-win32.whl
Hashes for winkerberos-0.10.0-cp38-cp38-win_amd64.whl
Hashes for winkerberos-0.10.0-cp38-cp38-win32.whl
Hashes for winkerberos-0.10.0-cp37-cp37m-win_amd64.whl
Hashes for winkerberos-0.10.0-cp37-cp37m-win32.whl