tessl/pypi-gssapi
Python GSSAPI wrapper providing both low-level C-style and high-level Pythonic interfaces for Kerberos and other authentication mechanisms
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-gssapi@1.10.0index.mddocs/
Python GSSAPI
Python GSSAPI provides comprehensive bindings for the Generic Security Service Application Program Interface (GSSAPI), offering both low-level C-style API wrappers that closely match RFC 2744 specifications and high-level Pythonic interfaces for easier integration. The library primarily focuses on Kerberos authentication mechanisms while supporting other GSSAPI mechanisms, includes extensive RFC extensions, provides credential management, security context handling, and message protection capabilities.
Package Information
- Package Name: gssapi
- Language: Python
- Installation:
pip install gssapi - Dependencies: decorator
- Python Version: 3.9+
Core Imports
import gssapiFor high-level API classes (recommended):
from gssapi import Name, Credentials, SecurityContext, MechanismFor low-level raw API access:
import gssapi.raw
from gssapi.raw import names, creds, sec_contexts, messageBasic Usage
import gssapi
# Create a name from a string
name = gssapi.Name('service@hostname.example.com')
# Acquire credentials
creds = gssapi.Credentials(name=name, usage='initiate')
# Initiate a security context
ctx = gssapi.SecurityContext(
name=gssapi.Name('target@hostname.example.com'),
creds=creds,
usage='initiate'
)
# Perform the authentication handshake
token = None
while not ctx.complete:
token = ctx.step(token)
if token:
# Send token to acceptor and receive response
pass
# Wrap and unwrap messages
message = b"Hello, GSSAPI!"
wrapped = ctx.wrap(message, encrypt=True)
unwrapped = ctx.unwrap(wrapped.message)Architecture
Python GSSAPI is structured in two primary layers:
- High-Level API (
gssapi): Object-oriented Pythonic interface with automatic memory management, providing classes for Name, Credentials, SecurityContext, and Mechanism operations. - Low-Level API (
gssapi.raw): Direct C-style bindings matching RFC 2744 specifications, organized into modules for names, credentials, security contexts, messages, and various RFC extensions.
The high-level classes inherit from low-level classes, enabling interoperability between the two APIs. Extensions are dynamically loaded based on GSSAPI implementation support.
Capabilities
Names and Name Management
Name creation, canonicalization, comparison, and RFC 6680 naming extensions for attribute-based name handling and composite name operations.
class Name:
def __new__(cls, base=None, name_type=None, token=None, composite=False): ...
def canonicalize(self, mech): ...
def __str__(self): ...
def __bytes__(self): ...Credential Management
Credential acquisition, delegation, impersonation, import/export, and credential store operations with support for various authentication mechanisms.
class Credentials:
def __new__(cls, base=None, token=None, name=None, lifetime=None, mechs=None, usage='both', store=None): ...
@classmethod
def acquire(cls, name=None, lifetime=None, mechs=None, usage='both', store=None): ...
def add(self, name=None, mech=None, usage='both', init_lifetime=None, accept_lifetime=None): ...Security Context Operations
Security context initiation, acceptance, message protection (wrap/unwrap), MIC operations, and context inquiries for secure communication channels.
class SecurityContext:
def __new__(cls, base=None, token=None, name=None, creds=None, lifetime=None, flags=None, mech=None, channel_bindings=None, usage=None): ...
def step(self, token=None): ...
def wrap(self, message, encrypt=None): ...
def unwrap(self, message, message_buffer=None): ...Low-Level Raw API
Direct C-style GSSAPI bindings following RFC 2744 specifications, providing fine-grained control over GSSAPI operations and access to all extension functions.
def acquire_cred(desired_name=None, lifetime=None, desired_mechs=None, cred_usage=None, store=None): ...
def init_sec_context(creds, context=None, target_name=None, mech=None, req_flags=None, time_req=None, channel_bindings=None, input_token=None): ...
def accept_sec_context(creds, context=None, input_token=None, channel_bindings=None): ...Mechanism Management
GSSAPI mechanism handling, inspection, and selection with support for mechanism attributes and capabilities inquiry.
class Mechanism(gssapi.raw.oids.OID):
def __new__(cls, cpy=None, elements=None): ...
@property
def name_types(self): ...
@property
def sasl_name(self): ... # requires RFC 5801
@property
def description(self): ... # requires RFC 5801
@property
def known_attrs(self): ... # requires RFC 5587
@property
def attrs(self): ... # requires RFC 5587
@classmethod
def all_mechs(cls): ...
@classmethod
def from_name(cls, name): ...
@classmethod
def from_sasl_name(cls, name): ... # requires RFC 5801
@classmethod
def from_attrs(cls, desired_attrs=None, except_attrs=None, critical_attrs=None): ... # requires RFC 5587Extensions and RFCs
Support for numerous GSSAPI extensions including RFC 4178 (Negotiation), RFC 5587 (Mechanism Inquiry), RFC 5588 (Credential Store), RFC 5801 (SASL), RFC 6680 (Naming Extensions), Services4User, DCE/IOV operations, and Kerberos-specific extensions.
# Extension availability varies by GSSAPI implementation
from gssapi.raw.ext_s4u import acquire_cred_impersonate_name
from gssapi.raw.ext_rfc5588 import store_cred
from gssapi.raw.ext_rfc6680 import display_name_ext, get_name_attributeTypes
from gssapi.raw.types import NameType, RequirementFlag, AddressType, MechType, IntEnumFlagSet
from gssapi.raw.oids import OID
class NameType:
hostbased_service: OID
user: OID # user_name
machine_uid: OID # machine_uid_name
string_uid: OID # string_uid_name
anonymous: OID
export: OID
composite_export: OID # RFC 6680 extension
kerberos_principal: OID # Kerberos-specific principal name
class RequirementFlag(IntEnumFlagSet):
delegate_to_peer: int
mutual_authentication: int
replay_detection: int
out_of_sequence_detection: int # sequence_detection
confidentiality: int
integrity: int
anonymity: int # anonymous
protection_ready: int
transferable: int # transfer_ready
ok_as_delegate: int # deleg_policy_flag
channel_bound: int
class MechType:
kerberos: OID
spnego: OID