1Metadata-Version: 2.1 2Name: kerberos 3Version: 1.3.1 4Summary: Kerberos high-level interface 5Home-page: https://github.com/apple/ccs-pykerberos 6Author: Apple Inc. 7Author-email: calendarserver-dev@lists.macosforge.org 8License: Apache License, Version 2.0 9Description: # PyKerberos Package 10 11 This Python package is a high-level wrapper for Kerberos (GSSAPI) 12 operations. The goal is to avoid having to build a module that wraps 13 the entire Kerberos.framework, and instead offer a limited set of 14 functions that do what is needed for client/server Kerberos 15 authentication based on <http://www.ietf.org/rfc/rfc4559.txt>. 16 17 Much of the C-code here is adapted from Apache's mod_auth_kerb-5.0rc7. 18 19 20 ## Build 21 22 In this directory, run: 23 24 ``` 25 python setup.py build 26 ``` 27 28 ## Testing 29 30 To run the tests in the tests folder, you must have a valid Kerberos setup on 31 the test machine. You can use the script .travis.sh as quick and easy way to 32 setup a Kerberos KDC and Apache web endpoint that can be used for the tests. 33 Otherwise you can also run the following to run a self contained Docker 34 container 35 36 ``` 37 docker run \ 38 -v $(pwd):/app \ 39 -w /app \ 40 -e PYENV=2.7.13 \ 41 -e KERBEROS_USERNAME=administrator \ 42 -e KERBEROS_PASSWORD=Password01 \ 43 -e KERBEROS_REALM=example.com \ 44 -e KERBEROS_PORT=80 \ 45 ubuntu:16.04 \ 46 /bin/bash .travis.sh 47 ``` 48 49 The docker command needs to be run in the same directory as this library and 50 you can test it with different Python versions by changing the value of the 51 PYENV environment value set in the command. 52 53 Please have a look at testing_notes.md for more information. 54 55 56 ## IMPORTANT 57 58 The checkPassword method provided by this library is meant only for testing purposes as it does 59 not offer any protection against possible KDC spoofing. That method should not be used in any 60 production code. 61 62 63 ## Channel Bindings 64 65 You can use this library to authenticate with Channel Binding support. Channel 66 Bindings are tags that identify the particular data channel being used with the 67 authentication. You can use Channel bindings to offer more proof of a valid 68 identity. Some services like Microsoft's Extended Protection can enforce 69 Channel Binding support on authorisation and you can use this library to meet 70 those requirements. 71 72 More details on Channel Bindings as set through the GSSAPI can be found here 73 <https://docs.oracle.com/cd/E19455-01/806-3814/overview-52/index.html>. Using 74 TLS as a example this is how you would add Channel Binding support to your 75 authentication mechanism. The following code snippet is based on RFC5929 76 <https://tools.ietf.org/html/rfc5929> using the 'tls-server-endpoint-point' 77 type. 78 79 ``` 80 import hashlib 81 82 def get_channel_bindings_application_data(socket): 83 # This is a highly simplified example, there are other use cases 84 # where you might need to use different hash types or get a socket 85 # object somehow. 86 server_certificate = socket.getpeercert(True) 87 certificate_hash = hashlib.sha256(server_certificate).hexdigest().upper() 88 certificate_digest = base64.b16decode(certificate_hash) 89 application_data = b'tls-server-end-point:%s' % certificate_digest 90 91 return application_data 92 93 def main(): 94 # Code to setup a socket with the server 95 # A lot of code to setup the handshake and start the auth process 96 socket = getsocketsomehow() 97 98 # Connect to the host and start the auth process 99 100 # Build the channel bindings object 101 application_data = get_channel_bindings_application_data(socket) 102 channel_bindings = kerberos.channelBindings(application_data=application_data) 103 104 # More work to get responses from the server 105 106 result, context = kerberos.authGSSClientInit(kerb_spn, gssflags=gssflags, principal=principal) 107 108 # Pass through the channel_bindings object as created in the kerberos.channelBindings method 109 result = kerberos.authGSSClientStep(context, neg_resp_value, channel_bindings=channel_bindings) 110 111 # Repeat as necessary 112 ``` 113 114 ## Python APIs 115 116 See kerberos.py. 117 118 119 ## Copyright and License 120 121 Copyright (c) 2006-2021 Apple Inc. All rights reserved. 122 123 This software is licensed under the Apache License, Version 2.0. The 124 Apache License is a well-established open source license, enabling 125 collaborative open source software development. 126 127 See the "LICENSE" file for the full text of the license terms. 128 129Platform: all 130Classifier: Development Status :: 5 - Production/Stable 131Classifier: Intended Audience :: Developers 132Classifier: License :: OSI Approved :: Apache Software License 133Classifier: Operating System :: OS Independent 134Classifier: Programming Language :: Python :: 2 135Classifier: Programming Language :: Python :: 3 136Classifier: Topic :: Software Development :: Libraries :: Python Modules 137Classifier: Topic :: System :: Systems Administration :: Authentication/Directory 138Description-Content-Type: text/markdown 139