1Metadata-Version: 2.1
2Name: kerberos
3Version: 1.3.1
4Summary: Kerberos high-level interface
5Home-page: https://github.com/apple/ccs-pykerberos
6Author: Apple Inc.
7Author-email: calendarserver-dev@lists.macosforge.org
8License: Apache License, Version 2.0
9Description: # PyKerberos Package
10
11        This Python package is a high-level wrapper for Kerberos (GSSAPI)
12        operations.  The goal is to avoid having to build a module that wraps
13        the entire Kerberos.framework, and instead offer a limited set of
14        functions that do what is needed for client/server Kerberos
15        authentication based on <http://www.ietf.org/rfc/rfc4559.txt>.
16
17        Much of the C-code here is adapted from Apache's mod_auth_kerb-5.0rc7.
18
19
20        ## Build
21
22        In this directory, run:
23
24        ```
25        python setup.py build
26        ```
27
28        ## Testing
29
30        To run the tests in the tests folder, you must have a valid Kerberos setup on
31        the test machine. You can use the script .travis.sh as quick and easy way to
32        setup a Kerberos KDC and Apache web endpoint that can be used for the tests.
33        Otherwise you can also run the following to run a self contained Docker
34        container
35
36        ```
37        docker run \
38        -v $(pwd):/app \
39        -w /app \
40        -e PYENV=2.7.13 \
41        -e KERBEROS_USERNAME=administrator \
42        -e KERBEROS_PASSWORD=Password01 \
43        -e KERBEROS_REALM=example.com \
44        -e KERBEROS_PORT=80 \
45        ubuntu:16.04 \
46        /bin/bash .travis.sh
47        ```
48
49        The docker command needs to be run in the same directory as this library and
50        you can test it with different Python versions by changing the value of the
51        PYENV environment value set in the command.
52
53        Please have a look at testing_notes.md for more information.
54
55
56        ## IMPORTANT
57
58        The checkPassword method provided by this library is meant only for testing purposes as it does
59        not offer any protection against possible KDC spoofing. That method should not be used in any
60        production code.
61
62
63        ## Channel Bindings
64
65        You can use this library to authenticate with Channel Binding support. Channel
66        Bindings are tags that identify the particular data channel being used with the
67        authentication. You can use Channel bindings to offer more proof of a valid
68        identity. Some services like Microsoft's Extended Protection can enforce
69        Channel Binding support on authorisation and you can use this library to meet
70        those requirements.
71
72        More details on Channel Bindings as set through the GSSAPI can be found here
73        <https://docs.oracle.com/cd/E19455-01/806-3814/overview-52/index.html>. Using
74        TLS as a example this is how you would add Channel Binding support to your
75        authentication mechanism. The following code snippet is based on RFC5929
76        <https://tools.ietf.org/html/rfc5929> using the 'tls-server-endpoint-point'
77        type.
78
79        ```
80        import hashlib
81
82        def get_channel_bindings_application_data(socket):
83            # This is a highly simplified example, there are other use cases
84            # where you might need to use different hash types or get a socket
85            # object somehow.
86            server_certificate = socket.getpeercert(True)
87            certificate_hash = hashlib.sha256(server_certificate).hexdigest().upper()
88            certificate_digest = base64.b16decode(certificate_hash)
89            application_data = b'tls-server-end-point:%s' % certificate_digest
90
91            return application_data
92
93        def main():
94            # Code to setup a socket with the server
95            # A lot of code to setup the handshake and start the auth process
96            socket = getsocketsomehow()
97
98            # Connect to the host and start the auth process
99
100            # Build the channel bindings object
101            application_data = get_channel_bindings_application_data(socket)
102            channel_bindings = kerberos.channelBindings(application_data=application_data)
103
104            # More work to get responses from the server
105
106            result, context = kerberos.authGSSClientInit(kerb_spn, gssflags=gssflags, principal=principal)
107
108            # Pass through the channel_bindings object as created in the kerberos.channelBindings method
109            result = kerberos.authGSSClientStep(context, neg_resp_value, channel_bindings=channel_bindings)
110
111            # Repeat as necessary
112        ```
113
114        ## Python APIs
115
116        See kerberos.py.
117
118
119        ## Copyright and License
120
121        Copyright (c) 2006-2021 Apple Inc.  All rights reserved.
122
123        This software is licensed under the Apache License, Version 2.0.  The
124        Apache License is a well-established open source license, enabling
125        collaborative open source software development.
126
127        See the "LICENSE" file for the full text of the license terms.
128
129Platform: all
130Classifier: Development Status :: 5 - Production/Stable
131Classifier: Intended Audience :: Developers
132Classifier: License :: OSI Approved :: Apache Software License
133Classifier: Operating System :: OS Independent
134Classifier: Programming Language :: Python :: 2
135Classifier: Programming Language :: Python :: 3
136Classifier: Topic :: Software Development :: Libraries :: Python Modules
137Classifier: Topic :: System :: Systems Administration :: Authentication/Directory
138Description-Content-Type: text/markdown
139