| Info: | See github for the latest source. |
|---|---|
| Author: | Bernie Hackett <bernie@mongodb.com> |
A native Kerberos SSPI client implementation. This module mimics the API of pykerberos to implement Kerberos SSPI authentication on Microsoft Windows. It supports Python 2.6, 2.7, and 3.3+.
WinKerberos is in the Python Package Index (pypi). Use pip to install it:
python -m pip install winkerberos
You must have the correct version of VC++ installed for your version of Python:
- Python 2.6 - Microsoft Visual C++ Compiler for Python 2.7
- Python 2.7 - Microsoft Visual C++ Compiler for Python 2.7
- Python 3.3 - Visual Studio 2010 (Professional for 64bit)
- Python 3.4 - Visual Studio 2010 (Professional for 64bit)
- Python 3.5+ - Visual Studio 2015 (Any version)
Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source:
python setup.py install
First install Sphinx:
python -m pip install Sphinx
Then run the following command from the root directory of the WinKerberos source:
python setup.py doc
This is a simplified example of a complete authentication session following RFC-4752, section 3.1:
import winkerberos as kerberos
def get_channel_binding_struct(response):
# This is 'tls-server-end-point:' + certificate hash of the server
# See docstring for channelBindings for more information on how to
# derive this information
application_data = b'tls-server-end-point:D01402E0F16F30ED71B02B655AD71C7B0ADA73DE5FBD8134021A794FFA1EECE8'
channel_bindings = kerberos.channelBindings(application_data=application_data)
return channel_bindings
def send_response_and_receive_challenge(response):
# Your server communication code here...
pass
def authenticate_kerberos(service, user):
# Initialize the context object with a service principal.
status, ctx = kerberos.authGSSClientInit(service)
# GSSAPI is a "client goes first" SASL mechanism. Send the
# first "response" to the server and recieve its first
# challenge.
status = kerberos.authGSSClientStep(ctx, "")
response = kerberos.authGSSClientResponse(ctx)
challenge = send_response_and_receive_challenge(response)
# OPTIONAL - Get Channel Bindings Struct to bind the TLS
# channel to Kerberos Credentials. This is known as extended
# protection in Microsoft. If this step isn't done then
# no bindings are sent as per the normal process
# RFC5929 - Channel Bindings for TLS
channel_bindings = get_channel_binding_struct(response)
# Keep processing challenges and sending responses until
# authGSSClientStep reports AUTH_GSS_COMPLETE.
while status == kerberos.AUTH_GSS_CONTINUE:
# When not wanting to pass in the Channel Bindings Struct
status = kerberos.authGSSClientStep(ctx, challenge)
# When passing in the Channel Bindings Struct
status = kerberos.authGSSClientStep(ctx, challenge,
channel_bindings=channel_bindings)
response = kerberos.authGSSClientResponse(ctx) or ''
challenge = send_response_and_receive_challenge(response)
# Decrypt the server's last challenge
kerberos.authGSSClientUnwrap(ctx, challenge)
data = kerberos.authGSSClientResponse(ctx)
# Encrypt a response including the user principal to authorize.
kerberos.authGSSClientWrap(ctx, data, user)
response = kerberos.authGSSClientResponse(ctx)
# Complete authentication.
send_response_and_receive_challenge(response)Use the help function in the python interactive shell:
>>> import winkerberos
>>> help(winkerberos)