High level interface to SSPI for Kerberos client auth
Project description
Info: See GitHub for the latest source.
About
A native Kerberos client implementation for Python on Windows. This module mimics the API of pykerberos to implement Kerberos authentication with Microsoft’s Security Support Provider Interface (SSPI). It supports Python 3.8+.
Installation
WinKerberos is in the Python Package Index (pypi). Use pip to install it:
python -m pip install winkerberos
WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.
Building and installing from source
You must have the correct version of VC++ installed for your version of Python:
Python 3.8+ - Visual Studio 2015+ (Any version)
Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source:
pip install .
Building HTML documentation
First install Sphinx:
python -m pip install Sphinx
Then run the following command from the root directory of the WinKerberos source:
pip install -e .
python -m sphinx -b html doc doc/_build
Examples
This is a simplified example of a complete authentication session following RFC-4752, section 3.1:
import winkerberos as kerberos

def send_response_and_receive_challenge(response):
    # Your server communication code here...
    pass

def authenticate_kerberos(service, user, channel_bindings=None):
    # Initialize the context object with a service principal.
    status, ctx = kerberos.authGSSClientInit(service)

    # GSSAPI is a "client goes first" SASL mechanism. Send the
    # first "response" to the server and receive its first
    # challenge.
    if channel_bindings is not None:
        status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings)
    else:
        status = kerberos.authGSSClientStep(ctx, "")
    response = kerberos.authGSSClientResponse(ctx)
    challenge = send_response_and_receive_challenge(response)

    # Keep processing challenges and sending responses until
    # authGSSClientStep reports AUTH_GSS_COMPLETE.
    while status == kerberos.AUTH_GSS_CONTINUE:
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(
                ctx, challenge, channel_bindings=channel_bindings
            )
        else:
            status = kerberos.authGSSClientStep(ctx, challenge)

        response = kerberos.authGSSClientResponse(ctx) or ""
        challenge = send_response_and_receive_challenge(response)

    # Decrypt the server's last challenge
    kerberos.authGSSClientUnwrap(ctx, challenge)
    data = kerberos.authGSSClientResponse(ctx)
    # Encrypt a response including the user principal to authorize.
    kerberos.authGSSClientWrap(ctx, data, user)
    response = kerberos.authGSSClientResponse(ctx)

    # Complete authentication.
    send_response_and_receive_challenge(response)
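The server's last challenge in the session above unwraps to the 4-octet token of RFC 4752, section 3.1: one octet of offered security layers followed by a three-octet maximum buffer size. The following is an added example, not code from the WinKerberos project, that validates that token and builds the client's reply cleartext. The function names are hypothetical, the sample tokens are constructed, and it assumes the unwrapped data is handled as base64 text.

```python
import base64

# Security-layer bits from RFC 4752, section 3.3.
LAYERS = {1: "none", 2: "integrity", 4: "confidentiality"}


def parse_server_offer(unwrapped_b64):
    """Return (offered_layers, server_max_size) from the unwrapped token."""
    token = base64.b64decode(unwrapped_b64, validate=True)
    if len(token) != 4:
        raise ValueError("security-layer token must be exactly 4 octets")
    mask, max_size = token[0], int.from_bytes(token[1:4], "big")
    offered = [name for bit, name in LAYERS.items() if mask & bit]
    if not offered:
        raise ValueError("server offered no known security layer")
    # A server offering only "none" must advertise a zero buffer size.
    if offered == ["none"] and max_size != 0:
        raise ValueError("non-zero buffer size without a security layer")
    return offered, max_size


def build_client_reply(offered, chosen, authzid, client_max_size=0):
    """Build the cleartext the client wraps and sends as its last response."""
    if chosen not in offered:
        raise ValueError("cannot select a layer the server did not offer")
    # Policy of this example: send size 0 whenever "none" is selected.
    if chosen == "none" and client_max_size != 0:
        raise ValueError("buffer size must be 0 when no layer is selected")
    if not 0 <= client_max_size < 1 << 24:
        raise ValueError("buffer size must fit in three octets")
    bit = next(b for b, name in LAYERS.items() if name == chosen)
    return bytes([bit]) + client_max_size.to_bytes(3, "big") + authzid.encode("utf-8")


if __name__ == "__main__":
    # Constructed sample tokens, not captured from a real server.
    plain = base64.b64encode(bytes([0x01, 0x00, 0x00, 0x00])).decode()
    full = base64.b64encode(bytes([0x07, 0x00, 0xFF, 0xFF])).decode()
    for sample in (plain, full):
        offered, size = parse_server_offer(sample)
        print(sample, offered, size)
        print(build_client_reply(offered, "none", "user@EXAMPLE.COM"))
```

Rejecting a malformed token before replying matters because the selected layer decides whether later traffic on the connection is integrity-protected or encrypted.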
Channel bindings can be generated with help from the cryptography module. See https://tools.ietf.org/html/rfc5929#section-4.1 for the rules regarding hash algorithm choice:
import winkerberos as kerberos
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes

def channel_bindings(ssl_socket):
    # DER-encoded server certificate from the established TLS connection.
    server_certificate = ssl_socket.getpeercert(True)
    cert = x509.load_der_x509_certificate(server_certificate, default_backend())
    hash_algorithm = cert.signature_hash_algorithm
    # RFC 5929, section 4.1: use SHA-256 in place of MD5 or SHA-1,
    # otherwise use the certificate's own signature hash algorithm.
    if hash_algorithm.name in ("md5", "sha1"):
        digest = hashes.Hash(hashes.SHA256(), default_backend())
    else:
        digest = hashes.Hash(hash_algorithm, default_backend())
    digest.update(server_certificate)
    application_data = b"tls-server-end-point:" + digest.finalize()
    return kerberos.channelBindings(application_data=application_data)
Viewing API Documentation without Sphinx
Use the help function in the Python interactive shell:
>>> import winkerberos
>>> help(winkerberos)
Built Distributions
Hashes for winkerberos-0.11.0rc4-cp312-cp312-win_amd64.whl
Hashes for winkerberos-0.11.0rc4-cp312-cp312-win32.whl
Hashes for winkerberos-0.11.0rc4-cp311-cp311-win_amd64.whl
Hashes for winkerberos-0.11.0rc4-cp311-cp311-win32.whl
Hashes for winkerberos-0.11.0rc4-cp310-cp310-win_amd64.whl
Hashes for winkerberos-0.11.0rc4-cp310-cp310-win32.whl
Hashes for winkerberos-0.11.0rc4-cp39-cp39-win_amd64.whl
Hashes for winkerberos-0.11.0rc4-cp39-cp39-win32.whl
Hashes for winkerberos-0.11.0rc4-cp38-cp38-win_amd64.whl
Hashes for winkerberos-0.11.0rc4-cp38-cp38-win32.whl