Winkerberos 0.12.0

关于

Windows上Python的本地Kerberos客户端实现。此模块模仿pykerberos的API，使用微软的安全支持提供者接口（SSPI）实现Kerberos认证。它支持Python 3.8+。

安装

WinKerberos位于Python包索引（pypi）中。使用pip安装它

python -m pip install winkerberos

WinKerberos需要Windows 7 / Windows Server 2008 R2或更高版本。

从源代码构建和安装

您必须安装与您的Python版本相对应的正确版本的VC++

• Python 3.8+ - Visual Studio 2015+（任何版本）

安装所需的编译器后，从WinKerberos源代码根目录运行以下命令

pip install .

构建HTML文档

首先安装Sphinx

python -m pip install Sphinx

然后从WinKerberos源代码根目录运行以下命令

pip install -e .
python -m sphinx -b html doc doc/_build

示例

这是遵循RFC-4752第3.1节的完整身份验证会话的简化示例

import winkerberos as kerberos


def send_response_and_receive_challenge(response):
    # Your server communication code here...
    pass


def authenticate_kerberos(service, user, channel_bindings=None):
    # Initialize the context object with a service principal.
    status, ctx = kerberos.authGSSClientInit(service)

    # GSSAPI is a "client goes first" SASL mechanism. Send the
    # first "response" to the server and receive its first
    # challenge.
    if channel_bindings is not None:
        status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings)
    else:
        status = kerberos.authGSSClientStep(ctx, "")
    response = kerberos.authGSSClientResponse(ctx)
    challenge = send_response_and_receive_challenge(response)

    # Keep processing challenges and sending responses until
    # authGSSClientStep reports AUTH_GSS_COMPLETE.
    while status == kerberos.AUTH_GSS_CONTINUE:
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(
                ctx, challenge, channel_bindings=channel_bindings
            )
        else:
            status = kerberos.authGSSClientStep(ctx, challenge)

        response = kerberos.authGSSClientResponse(ctx) or ""
        challenge = send_response_and_receive_challenge(response)

    # Decrypt the server's last challenge
    kerberos.authGSSClientUnwrap(ctx, challenge)
    data = kerberos.authGSSClientResponse(ctx)
    # Encrypt a response including the user principal to authorize.
    kerberos.authGSSClientWrap(ctx, data, user)
    response = kerberos.authGSSClientResponse(ctx)

    # Complete authentication.
    send_response_and_receive_challenge(response)

可以使用cryptography模块生成通道绑定。有关哈希算法选择的规则，请参阅https://tools.ietf.org/html/rfc5929#section-4.1

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes


def channel_bindings(ssl_socket):
    server_certificate = ssl_socket.getpeercert(True)
    cert = x509.load_der_x509_certificate(server_certificate, default_backend())
    hash_algorithm = cert.signature_hash_algorithm
    if hash_algorithm.name in ("md5", "sha1"):
        digest = hashes.Hash(hashes.SHA256(), default_backend())
    else:
        digest = hashes.Hash(hash_algorithm, default_backend())
    digest.update(server_certificate)
    application_data = b"tls-server-end-point:" + digest.finalize()
    return kerberos.channelBindings(application_data=application_data)

在没有Sphinx的情况下查看API文档

在Python交互式外壳中使用帮助函数

>>> import winkerberos
>>> help(winkerberos)