High level interface to SSPI for Kerberos client auth

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for 10gen from gravatar.com 10gen

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache License )
  • Author: Bernie Hackett
  • Tags GSSAPI , Kerberos , SSPI
  • Requires: Python >=3.10
Classifiers
Report project as malware

Project description

Info:

See github for the latest source.

Author:

Bernie Hackett <bernie@mongodb.com>

About

A native Kerberos client implementation for Python on Windows. This module mimics the API of pykerberos to implement Kerberos authentication with Microsoft’s Security Support Provider Interface (SSPI). It supports Python 3.10+.

Installation

WinKerberos is in the Python Package Index (pypi). Use pip to install it:

python -m pip install winkerberos

WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.

Building and installing from source

You must have the correct version of VC++ installed for your version of Python:

  • Python 3.10+ - Visual Studio 2015+ (Any version)

Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source:

pip install .

Building HTML documentation

First install Sphinx:

python -m pip install Sphinx

Then run the following command from the root directory of the WinKerberos source:

pip install -e .
python -m sphinx -b html doc doc/_build

Examples

This is a simplified example of a complete authentication session following RFC-4752, section 3.1:

import winkerberos as kerberos


def send_response_and_receive_challenge(response):
    # Your server communication code here...
    pass


def authenticate_kerberos(service, user, channel_bindings=None):
    # Initialize the context object with a service principal.
    status, ctx = kerberos.authGSSClientInit(service)

    # GSSAPI is a "client goes first" SASL mechanism. Send the
    # first "response" to the server and receive its first
    # challenge.
    if channel_bindings is not None:
        status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings)
    else:
        status = kerberos.authGSSClientStep(ctx, "")
    response = kerberos.authGSSClientResponse(ctx)
    challenge = send_response_and_receive_challenge(response)

    # Keep processing challenges and sending responses until
    # authGSSClientStep reports AUTH_GSS_COMPLETE.
    while status == kerberos.AUTH_GSS_CONTINUE:
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(
                ctx, challenge, channel_bindings=channel_bindings
            )
        else:
            status = kerberos.authGSSClientStep(ctx, challenge)

        response = kerberos.