High level interface to SSPI for Kerberos client auth
Project description
Info: See GitHub for the latest source.
About
A native Kerberos client implementation for Python on Windows. This module mimics the API of pykerberos to implement Kerberos authentication with Microsoft’s Security Support Provider Interface (SSPI). It supports Python 3.8+.
Installation
WinKerberos is in the Python Package Index (PyPI). Use pip to install it:

    python -m pip install winkerberos

WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.
Building and installing from source
You must have the correct version of VC++ installed for your version of Python:
Python 3.8+ - Visual Studio 2015+ (Any version)
Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source:

    pip install .

Building HTML documentation
First install Sphinx:

    python -m pip install Sphinx

Then run the following commands from the root directory of the WinKerberos source:

    pip install -e .
    python -m sphinx -b html doc doc/_build

Examples
This is a simplified example of a complete authentication session following RFC 4752, section 3.1:

    import winkerberos as kerberos


    def send_response_and_receive_challenge(response):
        # Your server communication code here...
        pass


    def authenticate_kerberos(service, user, channel_bindings=None):
        # Initialize the context object with a service principal.
        status, ctx = kerberos.authGSSClientInit(service)

        # GSSAPI is a "client goes first" SASL mechanism. Send the
        # first "response" to the server and receive its first
        # challenge.
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings)
        else:
            status = kerberos.authGSSClientStep(ctx, "")
        response = kerberos.authGSSClientResponse(ctx)
        challenge = send_response_and_receive_challenge(response)

        # Keep processing challenges and sending responses until
        # authGSSClientStep reports AUTH_GSS_COMPLETE.
        while status == kerberos.AUTH_GSS_CONTINUE:
            if channel_bindings is not None:
                status = kerberos.authGSSClientStep(
                    ctx, challenge, channel_bindings=channel_bindings
                )
            else:
                status = kerberos.authGSSClientStep(ctx, challenge)

            response = kerberos.authGSSClientResponse(ctx) or ""
            challenge = send_response_and_receive_challenge(response)

        # Decrypt the server's last challenge
        kerberos.authGSSClientUnwrap(ctx, challenge)
        data = kerberos.authGSSClientResponse(ctx)
        # Encrypt a response including the user principal to authorize.
        kerberos.authGSSClientWrap(ctx, data, user)
        response = kerberos.authGSSClientResponse(ctx)

        # Complete authentication.
        send_response_and_receive_challenge(response)

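The last two steps above exchange the security-layer token defined in RFC 4752, section 3.1. The following is an added illustration of that token layout in pure Python, not code from WinKerberos; the function names are hypothetical, and it assumes the unwrapped challenge is available as base64 text.

```python
import base64

# Security-layer bits defined in RFC 4752, section 3.1.
LAYER_NONE = 0x01
LAYER_INTEGRITY = 0x02
LAYER_CONFIDENTIALITY = 0x04


def parse_server_layers(unwrapped_b64):
    """Decode the unwrapped final challenge: one octet of offered
    layers followed by a 3-octet big-endian maximum buffer size."""
    token = base64.b64decode(unwrapped_b64, validate=True)
    if len(token) != 4:
        raise ValueError("expected 4 octets, got %d" % len(token))
    offered = token[0]
    max_size = int.from_bytes(token[1:], "big")
    # A server offering no integrity/confidentiality layer must send 0.
    if not offered & (LAYER_INTEGRITY | LAYER_CONFIDENTIALITY) and max_size:
        raise ValueError("non-zero buffer size without a security layer")
    return offered, max_size


def build_client_reply(offered, authzid, want=LAYER_NONE, client_max=0):
    """Build the cleartext the client wraps: selected layer, 3-octet
    maximum buffer size, then the UTF-8 authorization identity."""
    if want not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY):
        raise ValueError("select exactly one security layer")
    if not offered & want:
        raise ValueError("server does not offer layer 0x%02x" % want)
    if want == LAYER_NONE:
        client_max = 0  # size is 0 when the client uses no security layer
    if not 0 <= client_max < 1 << 24:
        raise ValueError("buffer size must fit in 3 octets")
    # The identity is not NUL-terminated; rejecting any NUL is a
    # conservative choice made for this example.
    if "\x00" in authzid:
        raise ValueError("authorization identity must not contain NUL")
    return bytes([want]) + client_max.to_bytes(3, "big") + authzid.encode("utf-8")


# Constructed sample: server offers all three layers, 65536-byte buffer.
SAMPLE_UNWRAPPED = base64.b64encode(bytes([0x07, 0x01, 0x00, 0x00])).decode()

if __name__ == "__main__":
    offered, max_size = parse_server_layers(SAMPLE_UNWRAPPED)
    print(hex(offered), max_size)
    print(build_client_reply(offered, "user@EXAMPLE.COM"))
```

Failing closed when the server does not offer the layer the client wants keeps a mismatch from silently downgrading the session.
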
Channel bindings can be generated with help from the cryptography module. See https://tools.ietf.org/html/rfc5929#section-4.1 for the rules regarding hash algorithm choice:
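
    import winkerberos as kerberos
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes


    def channel_bindings(ssl_socket):
        # DER-encoded certificate presented by the TLS server.
        server_certificate = ssl_socket.getpeercert(True)
        cert = x509.load_der_x509_certificate(server_certificate, default_backend())
        hash_algorithm = cert.signature_hash_algorithm
        # RFC 5929 leaves this binding undefined when the signature
        # algorithm uses no hash function (e.g. Ed25519).
        if hash_algorithm is None:
            raise ValueError("tls-server-end-point is undefined for this certificate")
        # MD5 and SHA-1 signatures are hashed with SHA-256 instead.
        if hash_algorithm.name in ("md5", "sha1"):
            digest = hashes.Hash(hashes.SHA256(), default_backend())
        else:
            digest = hashes.Hash(hash_algorithm, default_backend())
        digest.update(server_certificate)
        application_data = b"tls-server-end-point:" + digest.finalize()
        return kerberos.channelBindings(application_data=application_data)
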
Viewing API Documentation without Sphinx
Use the help function in the Python interactive shell:

    >>> import winkerberos
    >>> help(winkerberos)
Built Distributions
Wheels for winkerberos 0.11.0.dev0 are provided for CPython 3.8 through 3.12 (cp38 to cp312), each in win32 and win_amd64 builds.