tessl/pypi-gssapi
Python GSSAPI wrapper providing both low-level C-style and high-level Pythonic interfaces for Kerberos and other authentication mechanisms
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-gssapi@1.10.00
# Python GSSAPI
1
2
Python GSSAPI provides comprehensive bindings for the Generic Security Service Application Program Interface (GSSAPI), offering both low-level C-style API wrappers that closely match RFC 2744 specifications and high-level Pythonic interfaces for easier integration. The library primarily focuses on Kerberos authentication mechanisms while supporting other GSSAPI mechanisms, includes extensive RFC extensions, provides credential management, security context handling, and message protection capabilities.
3
4
## Package Information
5
6
- **Package Name**: gssapi
7
- **Language**: Python
8
- **Installation**: `pip install gssapi`
9
- **Dependencies**: decorator
10
- **Python Version**: 3.9+
11
12
## Core Imports
13
14
```python
15
import gssapi
16
```
17
18
For high-level API classes (recommended):
19
20
```python
21
from gssapi import Name, Credentials, SecurityContext, Mechanism
22
```
23
24
For low-level raw API access:
25
26
```python
27
import gssapi.raw
28
from gssapi.raw import names, creds, sec_contexts, message
29
```
30
31
## Basic Usage
32
33
```python
34
import gssapi
35
36
# Create a name from a string
37
name = gssapi.Name('service@hostname.example.com')
38
39
# Acquire credentials
40
creds = gssapi.Credentials(name=name, usage='initiate')
41
42
# Initiate a security context
43
ctx = gssapi.SecurityContext(
44
name=gssapi.Name('target@hostname.example.com'),
45
creds=creds,
46
usage='initiate'
47
)
48
49
# Perform the authentication handshake
50
token = None
51
while not ctx.complete:
52
token = ctx.step(token)
53
if token:
54
# Send token to acceptor and receive response
55
pass
56
57
# Wrap and unwrap messages
58
message = b"Hello, GSSAPI!"
59
wrapped = ctx.wrap(message, encrypt=True)
60
unwrapped = ctx.unwrap(wrapped.message)
61
```
62
63
## Architecture
64
65
Python GSSAPI is structured in two primary layers:
66
67
- **High-Level API** (`gssapi`): Object-oriented Pythonic interface with automatic memory management, providing classes for Name, Credentials, SecurityContext, and Mechanism operations.
68
- **Low-Level API** (`gssapi.raw`): Direct C-style bindings matching RFC 2744 specifications, organized into modules for names, credentials, security contexts, messages, and various RFC extensions.
69
70
The high-level classes inherit from low-level classes, enabling interoperability between the two APIs. Extensions are dynamically loaded based on GSSAPI implementation support.
71
72
## Capabilities
73
74
### Names and Name Management
75
76
Name creation, canonicalization, comparison, and RFC 6680 naming extensions for attribute-based name handling and composite name operations.
77
78
```python { .api }
79
class Name:
80
def __new__(cls, base=None, name_type=None, token=None, composite=False): ...
81
def canonicalize(self, mech): ...
82
def __str__(self): ...
83
def __bytes__(self): ...
84
```
85
86
[Names and Name Management](./names.md)
87
88
### Credential Management
89
90
Credential acquisition, delegation, impersonation, import/export, and credential store operations with support for various authentication mechanisms.
91
92
```python { .api }
93
class Credentials:
94
def __new__(cls, base=None, token=None, name=None, lifetime=None, mechs=None, usage='both', store=None): ...
95
@classmethod
96
def acquire(cls, name=None, lifetime=None, mechs=None, usage='both', store=None): ...
97
def add(self, name=None, mech=None, usage='both', init_lifetime=None, accept_lifetime=None): ...
98
```
99
100
[Credential Management](./credentials.md)
101
102
### Security Context Operations
103
104
Security context initiation, acceptance, message protection (wrap/unwrap), MIC operations, and context inquiries for secure communication channels.
105
106
```python { .api }
107
class SecurityContext:
108
def __new__(cls, base=None, token=None, name=None, creds=None, lifetime=None, flags=None, mech=None, channel_bindings=None, usage=None): ...
109
def step(self, token=None): ...
110
def wrap(self, message, encrypt=None): ...
111
def unwrap(self, message, message_buffer=None): ...
112
```
113
114
[Security Context Operations](./security-contexts.md)
115
116
### Low-Level Raw API
117
118
Direct C-style GSSAPI bindings following RFC 2744 specifications, providing fine-grained control over GSSAPI operations and access to all extension functions.
119
120
```python { .api }
121
def acquire_cred(desired_name=None, lifetime=None, desired_mechs=None, cred_usage=None, store=None): ...
122
def init_sec_context(creds, context=None, target_name=None, mech=None, req_flags=None, time_req=None, channel_bindings=None, input_token=None): ...
123
def accept_sec_context(creds, context=None, input_token=None, channel_bindings=None): ...
124
```
125
126
[Low-Level Raw API](./raw-api.md)
127
128
### Mechanism Management
129
130
GSSAPI mechanism handling, inspection, and selection with support for mechanism attributes and capabilities inquiry.
131
132
```python { .api }
133
class Mechanism(gssapi.raw.oids.OID):
134
def __new__(cls, cpy=None, elements=None): ...
135
@property
136
def name_types(self): ...
137
@property
138
def sasl_name(self): ... # requires RFC 5801
139
@property
140
def description(self): ... # requires RFC 5801
141
@property
142
def known_attrs(self): ... # requires RFC 5587
143
@property
144
def attrs(self): ... # requires RFC 5587
145
@classmethod
146
def all_mechs(cls): ...
147
@classmethod
148
def from_name(cls, name): ...
149
@classmethod
150
def from_sasl_name(cls, name): ... # requires RFC 5801
151
@classmethod
152
def from_attrs(cls, desired_attrs=None, except_attrs=None, critical_attrs=None): ... # requires RFC 5587
153
```
154
155
### Extensions and RFCs
156
157
Support for numerous GSSAPI extensions including RFC 4178 (Negotiation), RFC 5587 (Mechanism Inquiry), RFC 5588 (Credential Store), RFC 5801 (SASL), RFC 6680 (Naming Extensions), Services4User, DCE/IOV operations, and Kerberos-specific extensions.
158
159
```python { .api }
160
# Extension availability varies by GSSAPI implementation
161
from gssapi.raw.ext_s4u import acquire_cred_impersonate_name
162
from gssapi.raw.ext_rfc5588 import store_cred
163
from gssapi.raw.ext_rfc6680 import display_name_ext, get_name_attribute
164
```
165
166
[Extensions and RFCs](./extensions.md)
167
168
## Types
169
170
```python { .api }
171
from gssapi.raw.types import NameType, RequirementFlag, AddressType, MechType, IntEnumFlagSet
172
from gssapi.raw.oids import OID
173
174
class NameType:
175
hostbased_service: OID
176
user: OID # user_name
177
machine_uid: OID # machine_uid_name
178
string_uid: OID # string_uid_name
179
anonymous: OID
180
export: OID
181
composite_export: OID # RFC 6680 extension
182
kerberos_principal: OID # Kerberos-specific principal name
183
184
class RequirementFlag(IntEnumFlagSet):
185
delegate_to_peer: int
186
mutual_authentication: int
187
replay_detection: int
188
out_of_sequence_detection: int # sequence_detection
189
confidentiality: int
190
integrity: int
191
anonymity: int # anonymous
192
protection_ready: int
193
transferable: int # transfer_ready
194
ok_as_delegate: int # deleg_policy_flag
195
channel_bound: int
196
197
class MechType:
198
kerberos: OID
199
spnego: OID
200
```