High level interface to SSPI for Kerberos client auth
Info: See GitHub for the latest source.
About
A native Kerberos client implementation for Python on Windows. This module mimics the API of pykerberos to implement Kerberos authentication with Microsoft’s Security Support Provider Interface (SSPI). It supports Python 3.7+.
Installation
WinKerberos is in the Python Package Index (PyPI). Use pip to install it:

    python -m pip install winkerberos
WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.
Building and installing from source
You must have the correct version of VC++ installed for your version of Python:
Python 3.7+ - Visual Studio 2015+ (Any version)
Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source:
    pip install .
Building HTML documentation
First install Sphinx:
    python -m pip install Sphinx
Then run the following command from the root directory of the WinKerberos source:
    pip install -e .
    python -m sphinx -b html doc doc/_build
Examples
This is a simplified example of a complete authentication session following RFC-4752, section 3.1:
    import winkerberos as kerberos


    def send_response_and_receive_challenge(response):
        # Your server communication code here...
        pass


    def authenticate_kerberos(service, user, channel_bindings=None):
        # Initialize the context object with a service principal.
        status, ctx = kerberos.authGSSClientInit(service)

        # GSSAPI is a "client goes first" SASL mechanism. Send the
        # first "response" to the server and receive its first
        # challenge.
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings)
        else:
            status = kerberos.authGSSClientStep(ctx, "")
        response = kerberos.authGSSClientResponse(ctx)
        challenge = send_response_and_receive_challenge(response)

        # Keep processing challenges and sending responses until
        # authGSSClientStep reports AUTH_GSS_COMPLETE.
        while status == kerberos.AUTH_GSS_CONTINUE:
            if channel_bindings is not None:
                status = kerberos.authGSSClientStep(
                    ctx, challenge, channel_bindings=channel_bindings
                )
            else:
                status = kerberos.authGSSClientStep(ctx, challenge)

            response = kerberos.authGSSClientResponse(ctx) or ""
            challenge = send_response_and_receive_challenge(response)

        # Decrypt the server's last challenge
        kerberos.authGSSClientUnwrap(ctx, challenge)
        data = kerberos.authGSSClientResponse(ctx)
        # Encrypt a response including the user principal to authorize.
        kerberos.authGSSClientWrap(ctx, data, user)
        response = kerberos.authGSSClientResponse(ctx)

        # Complete authentication.
        send_response_and_receive_challenge(response)
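The final unwrap/wrap steps of the session above carry the RFC 4752 security-layer token. The following added example is not part of WinKerberos or its documentation: it decodes and validates that token and builds the reply cleartext with the standard library only. The function names are hypothetical, the sample offer is constructed, and it assumes the value read after the unwrap step is a base64 string.

```python
import base64

# Security-layer bit masks defined by RFC 4752.
LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY = 1, 2, 4

# Constructed sample: a server offering all three layers, 65536-byte buffer.
SAMPLE_OFFER = base64.b64encode(bytes([0x07, 0x01, 0x00, 0x00])).decode()


def parse_server_offer(unwrapped_b64):
    """Decode the unwrapped final challenge into (layer_bitmask, max_size)."""
    raw = base64.b64decode(unwrapped_b64, validate=True)
    if len(raw) != 4:
        # RFC 4752: any other length fails the negotiation.
        raise ValueError("security-layer token must be exactly 4 octets")
    layers, max_size = raw[0], int.from_bytes(raw[1:4], "big")
    if not layers & (LAYER_INTEGRITY | LAYER_CONFIDENTIALITY) and max_size:
        raise ValueError("no security layer offered, but buffer size is non-zero")
    return layers, max_size


def build_client_reply(offer, wanted, authzid, client_max=0):
    """Build the cleartext that the client wraps as its last response."""
    layers, _server_max = offer
    if wanted not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY):
        raise ValueError("select exactly one security layer")
    if not layers & wanted:
        # Fail closed instead of falling back to a weaker layer.
        raise ValueError("server does not offer the required security layer")
    if wanted == LAYER_NONE and client_max:
        # This helper requires a zero buffer size when no layer is selected.
        raise ValueError("buffer size must be 0 without a security layer")
    if not 0 <= client_max < 1 << 24:
        raise ValueError("buffer size must fit in three octets")
    # Layout: 1 octet layer, 3 octets max size (big-endian), UTF-8 authzid.
    return bytes([wanted]) + client_max.to_bytes(3, "big") + authzid.encode("utf-8")


if __name__ == "__main__":
    offer = parse_server_offer(SAMPLE_OFFER)
    print(offer, build_client_reply(offer, LAYER_NONE, "user@EXAMPLE.COM"))
```

In the session above, calling parse_server_offer(data) right after authGSSClientUnwrap lets the client reject a server that does not offer the layer it requires before the final response is sent.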
Channel bindings can be generated with help from the cryptography module. See https://tools.ietf.org/html/rfc5929#section-4.1 for the rules regarding hash algorithm choice:
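    import winkerberos as kerberos
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes


    def channel_bindings(ssl_socket):
        # DER-encoded certificate presented by the TLS server.
        server_certificate = ssl_socket.getpeercert(True)
        cert = x509.load_der_x509_certificate(server_certificate, default_backend())
        hash_algorithm = cert.signature_hash_algorithm
        if hash_algorithm is None:
            # RFC 5929 leaves the binding undefined when the signature
            # algorithm uses no hash function (for example Ed25519).
            raise ValueError("tls-server-end-point is undefined for this certificate")
        # RFC 5929, section 4.1: MD5 and SHA-1 are replaced by SHA-256.
        if hash_algorithm.name in ("md5", "sha1"):
            digest = hashes.Hash(hashes.SHA256(), default_backend())
        else:
            digest = hashes.Hash(hash_algorithm, default_backend())
        digest.update(server_certificate)
        application_data = b"tls-server-end-point:" + digest.finalize()
        return kerberos.channelBindings(application_data=application_data)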
Viewing API Documentation without Sphinx
Use the help function in the Python interactive shell:

    >>> import winkerberos
    >>> help(winkerberos)