High level interface to SSPI for Kerberos client auth
Project description
Info: See github for the latest source.
About
A native Kerberos client implementation for Python on Windows. This module mimics the API of pykerberos to implement Kerberos authentication with Microsoft’s Security Support Provider Interface (SSPI). It supports Python 3.8+.
Installation
WinKerberos is in the Python Package Index (PyPI). Use pip to install it:
python -m pip install winkerberos
WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.
Building and installing from source
You must have the correct version of VC++ installed for your version of Python:
Python 3.8+ - Visual Studio 2015+ (Any version)
Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source:
pip install .
Building HTML documentation
First install Sphinx:
python -m pip install Sphinx
Then run the following command from the root directory of the WinKerberos source:
pip install -e .
python -m sphinx -b html doc doc/_build
Examples
This is a simplified example of a complete authentication session following RFC-4752, section 3.1:
import winkerberos as kerberos


def send_response_and_receive_challenge(response):
    # Your server communication code here...
    pass


def authenticate_kerberos(service, user, channel_bindings=None):
    # Initialize the context object with a service principal.
    status, ctx = kerberos.authGSSClientInit(service)

    # GSSAPI is a "client goes first" SASL mechanism. Send the
    # first "response" to the server and receive its first
    # challenge.
    if channel_bindings is not None:
        status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings)
    else:
        status = kerberos.authGSSClientStep(ctx, "")
    response = kerberos.authGSSClientResponse(ctx)
    challenge = send_response_and_receive_challenge(response)

    # Keep processing challenges and sending responses until
    # authGSSClientStep reports AUTH_GSS_COMPLETE.
    while status == kerberos.AUTH_GSS_CONTINUE:
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(
                ctx, challenge, channel_bindings=channel_bindings
            )
        else:
            status = kerberos.authGSSClientStep(ctx, challenge)

        response = kerberos.authGSSClientResponse(ctx) or ""
        challenge = send_response_and_receive_challenge(response)

    # Decrypt the server's last challenge
    kerberos.authGSSClientUnwrap(ctx, challenge)
    data = kerberos.authGSSClientResponse(ctx)

    # Encrypt a response including the user principal to authorize.
    kerberos.authGSSClientWrap(ctx, data, user)
    response = kerberos.authGSSClientResponse(ctx)

    # Complete authentication.
    send_response_and_receive_challenge(response)
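The final unwrap/wrap pair in the session above carries the security-layer negotiation of RFC 4752, section 3.1. The following is an added example, not WinKerberos code: it uses only the standard library to decode that 4-octet server token and build the cleartext reply. The function names and sample tokens are hypothetical, and it assumes the unwrapped data arrives as base64 text, as in the pykerberos-style API.

```python
import base64

# Security-layer bits defined in RFC 4752, section 3.1.
LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY = 1, 2, 4

# Constructed samples (not captured traffic): the server offers all three
# layers with a 65536-byte buffer; the bad one offers none but a buffer of 16.
CONSTRUCTED_SERVER_TOKEN = base64.b64encode(bytes([7, 1, 0, 0])).decode()
CONSTRUCTED_BAD_TOKEN = base64.b64encode(bytes([1, 0, 0, 16])).decode()


def parse_server_layers(unwrapped_b64):
    """Return (layer_bitmask, max_buffer) from the unwrapped server token."""
    token = base64.b64decode(unwrapped_b64, validate=True)
    if len(token) != 4:
        raise ValueError("security-layer token must be exactly 4 octets")
    layers = token[0]
    max_buffer = int.from_bytes(token[1:4], "big")
    # The client must verify the buffer is 0 when the server advertises
    # neither integrity nor confidentiality protection.
    if not layers & (LAYER_INTEGRITY | LAYER_CONFIDENTIALITY) and max_buffer:
        raise ValueError("no security layer offered, but buffer is non-zero")
    return layers, max_buffer


def build_client_reply(unwrapped_b64, authzid, select=LAYER_NONE, client_max=0):
    """Build the cleartext the client passes to GSS_Wrap as its last message."""
    layers, _ = parse_server_layers(unwrapped_b64)
    if select not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY):
        raise ValueError("select exactly one security layer")
    if not layers & select:
        raise ValueError("server does not offer the selected security layer")
    if select == LAYER_NONE and client_max != 0:
        raise ValueError("max buffer must be 0 when no layer is selected")
    if not 0 <= client_max <= 0xFFFFFF:
        raise ValueError("max buffer must fit in three octets")
    # Octet 1: selected layer; octets 2-4: client max buffer (network
    # byte order); remainder: UTF-8 authorization identity.
    return bytes([select]) + client_max.to_bytes(3, "big") + authzid.encode("utf-8")


if __name__ == "__main__":
    print(parse_server_layers(CONSTRUCTED_SERVER_TOKEN))
    print(build_client_reply(CONSTRUCTED_SERVER_TOKEN, "alice@EXAMPLE.COM"))
```

Selecting `LAYER_NONE` means nothing after authentication is protected by GSSAPI, so the transport (for example TLS, tied in through channel bindings) has to provide integrity and confidentiality.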
Channel bindings can be generated with help from the cryptography module. See https://tools.ietf.org/html/rfc5929#section-4.1 for the rules regarding hash algorithm choice:
import winkerberos as kerberos
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes


def channel_bindings(ssl_socket):
    # DER-encoded certificate presented by the TLS server.
    server_certificate = ssl_socket.getpeercert(True)
    cert = x509.load_der_x509_certificate(server_certificate, default_backend())
    hash_algorithm = cert.signature_hash_algorithm
    # RFC 5929, section 4.1: MD5 and SHA-1 are replaced by SHA-256.
    if hash_algorithm.name in ("md5", "sha1"):
        digest = hashes.Hash(hashes.SHA256(), default_backend())
    else:
        digest = hashes.Hash(hash_algorithm, default_backend())
    digest.update(server_certificate)
    application_data = b"tls-server-end-point:" + digest.finalize()
    return kerberos.channelBindings(application_data=application_data)
Viewing API Documentation without Sphinx
Use the help function in the python interactive shell:
>>> import winkerberos
>>> help(winkerberos)