
High level interface to SSPI for Kerberos client auth

Project description

Info: See GitHub for the latest source.

Author: Bernie Hackett <bernie@mongodb.com>

About

A native Kerberos client implementation for Python on Windows. This module mimics the API of pykerberos to implement Kerberos authentication with Microsoft’s Security Support Provider Interface (SSPI). It supports Python 3.9+.

Installation

WinKerberos is available from the Python Package Index (PyPI). Use pip to install it:

python -m pip install winkerberos

WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.

Building and installing from source

You must have the correct version of VC++ installed for your version of Python:

  • Python 3.9+ - Visual Studio 2015+ (Any version)

Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source:

pip install .

Building HTML documentation

First install Sphinx:

python -m pip install Sphinx

Then run the following command from the root directory of the WinKerberos source:

pip install -e .
python -m sphinx -b html doc doc/_build

Examples

This is a simplified example of a complete authentication session following RFC 4752, section 3.1:

import winkerberos as kerberos


def send_response_and_receive_challenge(response):
    # Your server communication code here...
    pass


def authenticate_kerberos(service, user, channel_bindings=None):
    # Initialize the context object with a service principal.
    status, ctx = kerberos.authGSSClientInit(service)

    # GSSAPI is a "client goes first" SASL mechanism. Send the
    # first "response" to the server and receive its first
    # challenge.
    if channel_bindings is not None:
        status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings)
    else:
        status = kerberos.authGSSClientStep(ctx, "")
    response = kerberos.authGSSClientResponse(ctx)
    challenge = send_response_and_receive_challenge(response)

    # Keep processing challenges and sending responses until
    # authGSSClientStep reports AUTH_GSS_COMPLETE.
    while status == kerberos.AUTH_GSS_CONTINUE:
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(
                ctx, challenge, channel_bindings=channel_bindings
            )
        else:
            status = kerberos.authGSSClientStep(ctx, challenge)

        response = kerberos.authGSSClientResponse(ctx) or ""
        challenge = send_response_and_receive_challenge(response)

    # Decrypt the server's last challenge
    kerberos.authGSSClientUnwrap(ctx, challenge)
    data = kerberos.authGSSClientResponse(ctx)
    # Encrypt a response including the user principal to authorize.
    kerberos.authGSSClientWrap(ctx, data, user)
    response = kerberos.authGSSClientResponse(ctx)

    # Complete authentication.
    send_response_and_receive_challenge(response)
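
The last exchange above carries the RFC 4752, section 3.1 security-layer negotiation. The following added example (not part of WinKerberos or its documentation) decodes that 4-octet token and builds the client's cleartext reply. It assumes authGSSClientResponse returns the unwrapped data as base64 text; the helper names, sample token and principal are constructed for illustration.

```python
import base64

# Security-layer bits defined in RFC 4752, section 3.1.
LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY = 1, 2, 4
LAYER_NAMES = {
    LAYER_NONE: "none",
    LAYER_INTEGRITY: "integrity",
    LAYER_CONFIDENTIALITY: "confidentiality",
}

# Constructed sample: all three layers offered, 65535-byte server buffer.
SAMPLE_SERVER_TOKEN = base64.b64encode(bytes([0x07, 0x00, 0xFF, 0xFF])).decode()


def parse_server_offer(b64_cleartext):
    """Return (offered layer names, server max buffer) from the unwrapped token."""
    raw = base64.b64decode(b64_cleartext, validate=True)
    if len(raw) != 4:
        # RFC 4752: the client fails the negotiation if this is not 4 octets.
        raise ValueError("expected 4 octets, got %d" % len(raw))
    offered = {name for bit, name in LAYER_NAMES.items() if raw[0] & bit}
    if not offered:
        raise ValueError("server offered no known security layer")
    return offered, int.from_bytes(raw[1:4], "big")


def build_client_reply(offered, layer_bit, max_client_size, authzid):
    """Build the cleartext of the client's final message (input to GSS wrap)."""
    if LAYER_NAMES.get(layer_bit) not in offered:
        raise ValueError("selected layer was not offered by the server")
    if layer_bit == LAYER_NONE and max_client_size != 0:
        raise ValueError("buffer size must be 0 without a security layer")
    if not 0 <= max_client_size <= 0xFFFFFF:
        raise ValueError("buffer size must fit in 3 octets")
    return bytes([layer_bit]) + max_client_size.to_bytes(3, "big") + authzid.encode("utf-8")


if __name__ == "__main__":
    offered, server_max = parse_server_offer(SAMPLE_SERVER_TOKEN)
    print(sorted(offered), server_max)
    print(build_client_reply(offered, LAYER_NONE, 0, "user@EXAMPLE.COM"))
```

Logging the parsed offer shows whether a server advertises only the "none" layer, which matters when the connection is not already protected by TLS.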

Channel bindings can be generated with help from the cryptography module. See https://tools.ietf.org/html/rfc5929#section-4.1 for the rules regarding hash algorithm choice:

import winkerberos as kerberos
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes


def channel_bindings(ssl_socket):
    # DER-encoded certificate presented by the TLS server.
    server_certificate = ssl_socket.getpeercert(True)
    cert = x509.load_der_x509_certificate(server_certificate, default_backend())
    hash_algorithm = cert.signature_hash_algorithm
    # RFC 5929, section 4.1: certificates signed with MD5 or SHA-1 are
    # hashed with SHA-256; otherwise the signature's own hash is used.
    if hash_algorithm.name in ("md5", "sha1"):
        digest = hashes.Hash(hashes.SHA256(), default_backend())
    else:
        digest = hashes.Hash(hash_algorithm, default_backend())
    digest.update(server_certificate)
    # "tls-server-end-point" binding: the prefix followed by the certificate hash.
    application_data = b"tls-server-end-point:" + digest.finalize()
    return kerberos.channelBindings(application_data=application_data)

Viewing API Documentation without Sphinx

Use the help function in the Python interactive shell:

>>> import winkerberos
>>> help(winkerberos)

Download files

Source Distribution

  • winkerberos-0.12.2.tar.gz (35.7 kB) - Source

Built Distributions

  • winkerberos-0.12.2-cp313-cp313-win_amd64.whl (27.7 kB) - CPython 3.13 Windows x86-64
  • winkerberos-0.12.2-cp313-cp313-win32.whl (25.4 kB) - CPython 3.13 Windows x86
  • winkerberos-0.12.2-cp312-cp312-win_amd64.whl (27.7 kB) - CPython 3.12 Windows x86-64
  • winkerberos-0.12.2-cp312-cp312-win32.whl (25.4 kB) - CPython 3.12 Windows x86
  • winkerberos-0.12.2-cp311-cp311-win_amd64.whl (27.7 kB) - CPython 3.11 Windows x86-64
  • winkerberos-0.12.2-cp311-cp311-win32.whl (25.3 kB) - CPython 3.11 Windows x86
  • winkerberos-0.12.2-cp310-cp310-win_amd64.whl (27.7 kB) - CPython 3.10 Windows x86-64
  • winkerberos-0.12.2-cp310-cp310-win32.whl (25.3 kB) - CPython 3.10 Windows x86
  • winkerberos-0.12.2-cp39-cp39-win_amd64.whl (27.7 kB) - CPython 3.9 Windows x86-64
  • winkerberos-0.12.2-cp39-cp39-win32.whl (25.3 kB) - CPython 3.9 Windows x86

File details

Details for the file winkerberos-0.12.2.tar.gz.

File metadata

  • Download URL: winkerberos-0.12.2.tar.gz
  • Upload date:
  • Size: 35.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for winkerberos-0.12.2.tar.gz
Algorithm Hash digest
SHA256 ff91daed04727a0362892802ee093d8da11f08536393526bdf3bc64e04079faa
MD5 e42e3e40fe5ad35f5c5ea16b4673384d
BLAKE2b-256 2d7586d470935167eb1c40d53498993e14cc021d9611a539d61c9b4202c291ab


Provenance

The following attestation bundles were made for winkerberos-0.12.2.tar.gz:

Publisher: release-python.yml on mongodb/winkerberos

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

