Metadata-Version: 2.1
Name: winkerberos
Version: 0.9.1
Summary: High level interface to SSPI for Kerberos client auth
Home-page: https://github.com/mongodb-labs/winkerberos
Author: Bernie Hackett
Author-email: bernie@mongodb.com
License: Apache License, Version 2.0
Keywords: Kerberos,SSPI,GSSAPI
Platform: Windows
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: Microsoft :: Windows
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Topic :: System :: Systems Administration :: Authentication/Directory
Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*
License-File: LICENSE

===========
WinKerberos
===========
:Info: See `github <https://github.com/mongodb-labs/winkerberos>`_ for the latest source.
:Author: Bernie Hackett <bernie@mongodb.com>

About
=====

A native Kerberos client implementation for Python on Windows. This module
mimics the API of `pykerberos <https://pypi.python.org/pypi/pykerberos>`_ to
implement Kerberos authentication with Microsoft's Security Support Provider
Interface (SSPI). It supports Python 2.7 and 3.5+.

Installation
============

WinKerberos is in the `Python Package Index (pypi)
<https://pypi.python.org/pypi/winkerberos>`_. Use `pip
<https://pypi.python.org/pypi/pip>`_ to install it::

  python -m pip install winkerberos

WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.

Building and installing from source
===================================

You must have the correct version of VC++ installed for your version of
Python:

- Python 3.5+ - Visual Studio 2015+ (Any version)
- Python 2.7 - `Microsoft Visual C++ Compiler for Python 2.7`_

.. _`Microsoft Visual C++ Compiler for Python 2.7`: https://www.microsoft.com/en-us/download/details.aspx?id=44266

Once you have the required compiler installed, run the following command from
the root directory of the WinKerberos source::

    python setup.py install

Building HTML documentation
===========================

First install `Sphinx <https://pypi.python.org/pypi/Sphinx>`_::

    python -m pip install Sphinx

Then run the following command from the root directory of the WinKerberos
source::

    python setup.py doc

Examples
========

This is a simplified example of a complete authentication session
following RFC-4752, section 3.1:

.. code-block:: python

    import winkerberos as kerberos

    def send_response_and_receive_challenge(response):
        # Your server communication code here...
        pass

    def authenticate_kerberos(service, user, channel_bindings=None):
        # Initialize the context object with a service principal.
        status, ctx = kerberos.authGSSClientInit(service)

        # GSSAPI is a "client goes first" SASL mechanism. Send the
        # first "response" to the server and recieve its first
        # challenge.
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(
                ctx, "", channel_bindings=channel_bindings)
        else:
            status = kerberos.authGSSClientStep(ctx, "")
        response = kerberos.authGSSClientResponse(ctx)
        challenge = send_response_and_receive_challenge(response)

        # Keep processing challenges and sending responses until
        # authGSSClientStep reports AUTH_GSS_COMPLETE.
        while status == kerberos.AUTH_GSS_CONTINUE:
            if channel_bindings is not None:
                status = kerberos.authGSSClientStep(
                    ctx, challenge, channel_bindings=channel_bindings)
            else:
                status = kerberos.authGSSClientStep(ctx, challenge)

            response = kerberos.authGSSClientResponse(ctx) or ''
            challenge = send_response_and_receive_challenge(response)

        # Decrypt the server's last challenge
        kerberos.authGSSClientUnwrap(ctx, challenge)
        data = kerberos.authGSSClientResponse(ctx)
        # Encrypt a response including the user principal to authorize.
        kerberos.authGSSClientWrap(ctx, data, user)
        response = kerberos.authGSSClientResponse(ctx)

        # Complete authentication.
        send_response_and_receive_challenge(response)

Channel bindings can be generated with help from the cryptography_ module. See
`<https://tools.ietf.org/html/rfc5929#section-4.1>`_ for the rules regarding
hash algorithm choice:

.. code-block:: python

    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes

    def channel_bindings(ssl_socket):
        server_certificate = ssl_socket.getpeercert(True)
        cert = x509.load_der_x509_certificate(server_certificate, default_backend())
        hash_algorithm = cert.signature_hash_algorithm
        if hash_algorithm.name in ('md5', 'sha1'):
            digest = hashes.Hash(hashes.SHA256(), default_backend())
        else:
            digest = hashes.Hash(hash_algorithm, default_backend())
        digest.update(server_certificate)
        application_data = b"tls-server-end-point:" + digest.finalize()
        return kerberos.channelBindings(application_data=application_data)


.. _cryptography: https://pypi.python.org/pypi/cryptography

Viewing API Documentation without Sphinx
========================================

Use the help function in the python interactive shell:

.. code-block:: python

    >>> import winkerberos
    >>> help(winkerberos)

