Skip to main content

High level interface to SSPI for Kerberos client auth

Project description

Info:

See github for the latest source.

Author:

Bernie Hackett <bernie@mongodb.com>

About

A native Kerberos client implementation for Python on Windows. This module mimics the API of pykerberos to implement Kerberos authentication with Microsoft’s Security Support Provider Interface (SSPI). It supports Python 3.8+.

Installation

WinKerberos is in the Python Package Index (pypi). Use pip to install it:

python -m pip install winkerberos

WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.

Building and installing from source

You must have the correct version of VC++ installed for your version of Python:

  • Python 3.8+ - Visual Studio 2015+ (Any version)

Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source:

pip install .

Building HTML documentation

First install Sphinx:

python -m pip install Sphinx

Then run the following command from the root directory of the WinKerberos source:

pip install -e .
python -m sphinx -b html doc doc/_build

Examples

This is a simplified example of a complete authentication session following RFC-4752, section 3.1:

import winkerberos as kerberos


def send_response_and_receive_challenge(response):
    # Your server communication code here...
    pass


def authenticate_kerberos(service, user, channel_bindings=None):
    # Initialize the context object with a service principal.
    status, ctx = kerberos.authGSSClientInit(service)

    # GSSAPI is a "client goes first" SASL mechanism. Send the
    # first "response" to the server and receive its first
    # challenge.
    if channel_bindings is not None:
        status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings)
    else:
        status = kerberos.authGSSClientStep(ctx, "")
    response = kerberos.authGSSClientResponse(ctx)
    challenge = send_response_and_receive_challenge(response)

    # Keep processing challenges and sending responses until
    # authGSSClientStep reports AUTH_GSS_COMPLETE.
    while status == kerberos.AUTH_GSS_CONTINUE:
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(
                ctx, challenge, channel_bindings=channel_bindings
            )
        else:
            status = kerberos.authGSSClientStep(ctx, challenge)

        response = kerberos.authGSSClientResponse(ctx) or ""
        challenge = send_response_and_receive_challenge(response)

    # Decrypt the server's last challenge
    kerberos.authGSSClientUnwrap(ctx, challenge)
    data = kerberos.authGSSClientResponse(ctx)
    # Encrypt a response including the user principal to authorize.
    kerberos.authGSSClientWrap(ctx, data, user)
    response = kerberos.authGSSClientResponse(ctx)

    # Complete authentication.
    send_response_and_receive_challenge(response)

Channel bindings can be generated with help from the cryptography module. See https://tools.ietf.org/html/rfc5929#section-4.1 for the rules regarding hash algorithm choice:

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes


def channel_bindings(ssl_socket):
    server_certificate = ssl_socket.getpeercert(True)
    cert = x509.load_der_x509_certificate(server_certificate, default_backend())
    hash_algorithm = cert.signature_hash_algorithm
    if hash_algorithm.name in ("md5", "sha1"):
        digest = hashes.Hash(hashes.SHA256(), default_backend())
    else:
        digest = hashes.Hash(hash_algorithm, default_backend())
    digest.update(server_certificate)
    application_data = b"tls-server-end-point:" + digest.finalize()
    return kerberos.channelBindings(application_data=application_data)

Viewing API Documentation without Sphinx

Use the help function in the python interactive shell:

>>> import winkerberos
>>> help(winkerberos)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

winkerberos-0.12.0.tar.gz (35.6 kB view details)

Uploaded Source

Built Distributions

winkerberos-0.12.0-cp312-cp312-win_amd64.whl (27.7 kB view details)

Uploaded CPython 3.12 Windows x86-64

winkerberos-0.12.0-cp312-cp312-win32.whl (25.4 kB view details)

Uploaded CPython 3.12 Windows x86

winkerberos-0.12.0-cp311-cp311-win_amd64.whl (27.6 kB view details)

Uploaded CPython 3.11 Windows x86-64

winkerberos-0.12.0-cp311-cp311-win32.whl (25.3 kB view details)

Uploaded CPython 3.11 Windows x86

winkerberos-0.12.0-cp310-cp310-win_amd64.whl (27.6 kB view details)

Uploaded CPython 3.10 Windows x86-64

winkerberos-0.12.0-cp310-cp310-win32.whl (25.3 kB view details)

Uploaded CPython 3.10 Windows x86

winkerberos-0.12.0-cp39-cp39-win_amd64.whl (27.6 kB view details)

Uploaded CPython 3.9 Windows x86-64

winkerberos-0.12.0-cp39-cp39-win32.whl (25.3 kB view details)

Uploaded CPython 3.9 Windows x86

winkerberos-0.12.0-cp38-cp38-win_amd64.whl (27.6 kB view details)

Uploaded CPython 3.8 Windows x86-64

winkerberos-0.12.0-cp38-cp38-win32.whl (25.3 kB view details)

Uploaded CPython 3.8 Windows x86

File details

Details for the file winkerberos-0.12.0.tar.gz.

File metadata

  • Download URL: winkerberos-0.12.0.tar.gz
  • Upload date:
  • Size: 35.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.6

File hashes

Hashes for winkerberos-0.12.0.tar.gz
Algorithm Hash digest
SHA256 b19b9b8c87ab9dc76bb325f0dd4e93a2d669abc68d2283eec25ed67176ad7ad3
MD5 5708f757c02872f1c4a9a0c6de82a009
BLAKE2b-256 2d4f8db9aae372e88031877067a9d8da027d6e67454d233177cb49198ab216a5

See more details on using hashes here.

Provenance

File details

Details for the file winkerberos-0.12.0-cp312-cp312-win_amd64.whl.

File metadata

File hashes

Hashes for winkerberos-0.12.0-cp312-cp312-win_amd64.whl
Algorithm Hash digest
SHA256 22db6871a842d16bb045d93440d0acc98d7690320acd7d7174ae36509ce78198
MD5 06069029e60fd7d1c229acae2e56395e
BLAKE2b-256 01e90408c1abd6d599d61709ceecafdb0f8ff725e015b8c5444db62de6466b37

See more details on using hashes here.

Provenance

File details

Details for the file winkerberos-0.12.0-cp312-cp312-win32.whl.

File metadata

File hashes

Hashes for winkerberos-0.12.0-cp312-cp312-win32.whl
Algorithm Hash digest
SHA256 f8a9dedd35eda764cd0591d050234a8f381c57a559c16a914de311ed426f6f50
MD5 7d264669e8f544ef92a5f62a14289ac2
BLAKE2b-256 126f1cab2c1685c3cb55a5a6b87c75df33def11b25cf01525021fa4f18c2ba24

See more details on using hashes here.

Provenance

File details

Details for the file winkerberos-0.12.0-cp311-cp311-win_amd64.whl.

File metadata

File hashes

Hashes for winkerberos-0.12.0-cp311-cp311-win_amd64.whl
Algorithm Hash digest
SHA256 838fdab8f71905c5a80ee1c868e2c7f3c2fee233113e8e65cd989b353e9a980e
MD5 9d60b212e539de59c92a85c89d09987d
BLAKE2b-256 24ecd437a005207d3c66bdb22196f954d25716fea21b79d4873873a2cd836946

See more details on using hashes here.

Provenance

File details

Details for the file winkerberos-0.12.0-cp311-cp311-win32.whl.

File metadata

File hashes

Hashes for winkerberos-0.12.0-cp311-cp311-win32.whl
Algorithm Hash digest
SHA256 35ed9eedc2551063758756724c345d906b4a68b8d31bc9fd6e935c1eb37c4a35
MD5 2a469514d40f7e2d7eb46f20d05830e4
BLAKE2b-256 bf5b5799a0b7b3162b4476443b16c7a12a63ec3dbd9e9e2bf622c5833c27079b

See more details on using hashes here.

Provenance

File details

Details for the file winkerberos-0.12.0-cp310-cp310-win_amd64.whl.

File metadata

File hashes

Hashes for winkerberos-0.12.0-cp310-cp310-win_amd64.whl
Algorithm Hash digest
SHA256 e479a498ab1f93bde0c0eb880f2c68378272850db51b978c75e9d73148c44f9c
MD5 dacd4f0a7be2c042855e97f0b6fafe6b
BLAKE2b-256 8d47c8e2138e51201f79f9adc73a13a6616c375d0490081b124e2d8eebf21711

See more details on using hashes here.

Provenance

File details

Details for the file winkerberos-0.12.0-cp310-cp310-win32.whl.

File metadata

File hashes

Hashes for winkerberos-0.12.0-cp310-cp310-win32.whl
Algorithm Hash digest
SHA256 bb37e91f9959adbeb3c6ae25c828c1d033fa2b1b03176037d7bec0adfbb85b8f
MD5 1acccad97a3839cf6683c1ecc1e20997
BLAKE2b-256 7b7169549a95c4077a35819b04f3179292eec7119903ec035995254a41a3622a

See more details on using hashes here.

Provenance

File details

Details for the file winkerberos-0.12.0-cp39-cp39-win_amd64.whl.

File metadata

File hashes

Hashes for winkerberos-0.12.0-cp39-cp39-win_amd64.whl
Algorithm Hash digest
SHA256 4ffe1b654884e169c88785aa3960cc8dc4f09b757d242b59b3022c632736d2cd
MD5 39cde540cb549d377edc623338388c88
BLAKE2b-256 85a9c2319bcf270170ddb9c52105851d7565e6ce7266dc5a3e6cdf97fb6fe43b

See more details on using hashes here.

Provenance

File details

Details for the file winkerberos-0.12.0-cp39-cp39-win32.whl.

File metadata

  • Download URL: winkerberos-0.12.0-cp39-cp39-win32.whl
  • Upload date:
  • Size: 25.3 kB
  • Tags: CPython 3.9, Windows x86
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.6

File hashes

Hashes for winkerberos-0.12.0-cp39-cp39-win32.whl
Algorithm Hash digest
SHA256 987a16e5fff8b6e1cd2d1a52db92c51ba657a34e6c55b0b7d96247f512ed7444
MD5 ca2cf3d94d927e699f8af70a5e9e76c2
BLAKE2b-256 7affb6cd850e9bed012d289cbcf1a2c9f70292c6d2664f65c0b6741877f0f7ec

See more details on using hashes here.

Provenance

File details

Details for the file winkerberos-0.12.0-cp38-cp38-win_amd64.whl.

File metadata

File hashes

Hashes for winkerberos-0.12.0-cp38-cp38-win_amd64.whl
Algorithm Hash digest
SHA256 fc3c472b964792e70dd9dbc0825259ac780e9f8649a1c9dc26a9b07a02618a6f
MD5 f85a9b650e80fd0265a29696ada5b227
BLAKE2b-256 af69e6e5eb3360f2595c3c44de6b7306ff1b3b8e5bc7c78679f8a0bb39bd8b39

See more details on using hashes here.

Provenance

File details

Details for the file winkerberos-0.12.0-cp38-cp38-win32.whl.

File metadata

  • Download URL: winkerberos-0.12.0-cp38-cp38-win32.whl
  • Upload date:
  • Size: 25.3 kB
  • Tags: CPython 3.8, Windows x86
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.6

File hashes

Hashes for winkerberos-0.12.0-cp38-cp38-win32.whl
Algorithm Hash digest
SHA256 ac7eb018c327b38636cb0b05d6c7089ddc64336495156afaa8d029e44806d188
MD5 a88f001fe6e2a98529b15f1a14095c53
BLAKE2b-256 0274136b047f873e49d30d183bdc5709d2c5408cb2f57076fb53d0967c2ed74e

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page