tessl/pypi-gssapi
Python GSSAPI wrapper providing both low-level C-style and high-level Pythonic interfaces for Kerberos and other authentication mechanisms
—
Pending
credentials.mddocs/
Credential Management
GSSAPI credentials represent authentication tokens that can be used to establish security contexts. The Credentials class provides comprehensive credential management including acquisition, delegation, impersonation, and storage operations.
Capabilities
Credential Acquisition
Acquire credentials for authentication with various options for lifetime, mechanisms, and usage.
class Credentials(gssapi.raw.creds.Creds):
def __new__(cls, base=None, token=None, name=None, lifetime=None, mechs=None, usage='both', store=None):
"""
Create or acquire credentials.
Parameters:
- base: existing Creds object to wrap
- token: bytes, imported credential token
- name: Name object, principal for credentials
- lifetime: int, credential lifetime in seconds
- mechs: iterable of OID, desired mechanisms
- usage: str, 'initiate', 'accept', or 'both'
- store: dict, credential store parameters
Returns:
Credentials object
"""
@classmethod
def acquire(cls, name=None, lifetime=None, mechs=None, usage='both', store=None):
"""
Acquire credentials explicitly.
Parameters:
- name: Name object, principal for credentials (None for default)
- lifetime: int, desired credential lifetime in seconds
- mechs: iterable of OID, desired mechanisms
- usage: str, 'initiate', 'accept', or 'both'
- store: dict, credential store parameters
Returns:
AcquireCredResult: creds, mechs, lifetime
"""Usage example:
import gssapi
# Acquire default credentials
creds = gssapi.Credentials()
# Acquire credentials for specific principal
name = gssapi.Name('service@hostname.example.com')
creds = gssapi.Credentials(name=name, usage='initiate', lifetime=3600)
# Acquire with specific mechanisms
creds = gssapi.Credentials(
name=name,
mechs=[gssapi.MechType.kerberos],
usage='both'
)
# Acquire from credential store
store_params = {'ccache': 'FILE:/tmp/krb5cc_custom'}
creds = gssapi.Credentials(name=name, store=store_params)Credential Properties
Access credential metadata including name, lifetime, mechanisms, and usage.
@property
def name(self):
"""Get the name associated with the credentials."""
@property
def lifetime(self):
"""Get remaining credential lifetime in seconds."""
@property
def mechs(self):
"""Get set of mechanisms for the credentials."""
@property
def usage(self):
"""Get credential usage type."""Usage example:
import gssapi
creds = gssapi.Credentials()
print(f"Principal: {creds.name}")
print(f"Lifetime: {creds.lifetime} seconds")
print(f"Mechanisms: {creds.mechs}")
print(f"Usage: {creds.usage}")Credential Addition
Add credentials to an existing credential set with different mechanisms or principals.
def add(self, name, mech, usage='both', init_lifetime=None, accept_lifetime=None, impersonator=None, store=None):
"""
Add credentials to the credential set.
Parameters:
- name: Name object, required principal name
- mech: OID, required mechanism to add
- usage: str, 'initiate', 'accept', or 'both'
- init_lifetime: int, initiate lifetime in seconds
- accept_lifetime: int, accept lifetime in seconds
- impersonator: Credentials, credentials for impersonation (requires S4U)
- store: dict, credential store parameters (requires cred_store)
Returns:
Credentials: new credential set with added credentials
"""Credential Inquiries
Query detailed information about credentials including per-mechanism details.
def inquire(self, name=True, lifetime=True, usage=True, mechs=True):
"""
Inquire about credential information.
Parameters:
- name: bool, include name information
- lifetime: bool, include lifetime information
- usage: bool, include usage information
- mechs: bool, include mechanism information
Returns:
InquireCredResult: name, lifetime, usage, mechs
"""
def inquire_by_mech(self, mech, name=True, init_lifetime=True, accept_lifetime=True, usage=True):
"""
Inquire about credentials for a specific mechanism.
Parameters:
- mech: OID, mechanism to query
- name: bool, include name information
- init_lifetime: bool, include initiate lifetime
- accept_lifetime: bool, include accept lifetime
- usage: bool, include usage information
Returns:
InquireCredByMechResult: name, init_lifetime, accept_lifetime, usage
"""Services4User (S4U) - Impersonation
Acquire credentials by impersonating another user (requires S4U extension).
@classmethod
def impersonate(cls, name, target_name, mechs=None, usage='initiate', lifetime=None):
"""
Acquire credentials by impersonating another principal.
Parameters:
- name: Name, impersonator principal
- target_name: Name, principal to impersonate
- mechs: iterable of OID, desired mechanisms
- usage: str, credential usage
- lifetime: int, desired lifetime in seconds
Returns:
Credentials object
Requires S4U extension.
"""Usage example:
import gssapi
# Impersonate a user (requires appropriate privileges)
service_name = gssapi.Name('service@hostname.example.com')
user_name = gssapi.Name('user@REALM.EXAMPLE.COM')
impersonated_creds = gssapi.Credentials.impersonate(
name=service_name,
target_name=user_name,
usage='initiate'
)Credential Storage and Retrieval
Store credentials in credential stores and retrieve them later (requires credential store extensions).
def store(self, store=None, usage='both', overwrite=True):
"""
Store credentials in a credential store.
Parameters:
- store: dict, credential store parameters
- usage: str, which credentials to store
- overwrite: bool, whether to overwrite existing credentials
Returns:
StoreCredResult: mechs, usage
Requires RFC 5588 or credential store extension.
"""
@classmethod
def from_store(cls, name=None, store=None, usage='both', mechs=None):
"""
Acquire credentials from a credential store.
Parameters:
- name: Name, principal name
- store: dict, credential store parameters
- usage: str, credential usage
- mechs: iterable of OID, desired mechanisms
Returns:
Credentials object
Requires credential store extension.
"""Usage example:
import gssapi
# Store credentials
creds = gssapi.Credentials()
store_params = {'ccache': 'FILE:/tmp/krb5cc_stored'}
result = creds.store(store=store_params)
# Retrieve credentials from store
retrieved_creds = gssapi.Credentials.from_store(store=store_params)Password-Based Authentication
Acquire credentials using username and password (requires password extension).
@classmethod
def from_password(cls, name, password, mechs=None, usage='both', lifetime=None):
"""
Acquire credentials using password authentication.
Parameters:
- name: Name, principal name
- password: str or bytes, password
- mechs: iterable of OID, desired mechanisms
- usage: str, credential usage
- lifetime: int, desired lifetime in seconds
Returns:
Credentials object
Requires password extension.
"""
def add_with_password(self, name, password, mech=None, usage='both', init_lifetime=None, accept_lifetime=None):
"""
Add credentials using password authentication.
Parameters:
- name: Name, principal name
- password: str or bytes, password
- mech: OID, mechanism
- usage: str, credential usage
- init_lifetime: int, initiate lifetime
- accept_lifetime: int, accept lifetime
Returns:
AddCredResult: creds, mechs, init_lifetime, accept_lifetime
Requires password extension.
"""Credential Import and Export
Import and export credentials as tokens for transport or storage (requires credential import/export extension).
def export(self):
"""
Export credentials to a token.
Returns:
bytes: Exported credential token
Requires credential import/export extension.
"""
@classmethod
def from_token(cls, token):
"""
Import credentials from a token.
Parameters:
- token: bytes, exported credential token
Returns:
Credentials object
Requires credential import/export extension.
"""Pickle Support
Credentials can be pickled and unpickled if the credential import/export extension is available.
import pickle
import gssapi
# Pickle credentials (requires import/export extension)
creds = gssapi.Credentials()
pickled_creds = pickle.dumps(creds)
# Unpickle credentials
restored_creds = pickle.loads(pickled_creds)Low-Level Raw API Functions
Direct access to underlying C-style GSSAPI credential functions.
# From gssapi.raw.creds module
def acquire_cred(desired_name=None, lifetime=None, desired_mechs=None, cred_usage=None, store=None):
"""Acquire credentials."""
def add_cred(input_creds, desired_name, mech, cred_usage, init_lifetime=None, accept_lifetime=None, store=None):
"""Add credentials to existing set."""
def inquire_cred(creds, name=True, lifetime=True, cred_usage=True, mechs=True):
"""Inquire about credentials."""
def inquire_cred_by_mech(creds, mech, name=True, init_lifetime=True, accept_lifetime=True, usage=True):
"""Inquire about credentials for specific mechanism."""Usage Patterns
import gssapi
# Basic credential acquisition
creds = gssapi.Credentials()
# Service credential acquisition
service_name = gssapi.Name('service@hostname.example.com')
service_creds = gssapi.Credentials(
name=service_name,
usage='accept',
lifetime=7200
)
# Client credential acquisition with specific mechanism
client_creds = gssapi.Credentials(
usage='initiate',
mechs=[gssapi.MechType.kerberos]
)
# Check credential properties
if client_creds.lifetime < 300: # Less than 5 minutes
print("Warning: Credentials expire soon")
print(f"Available mechanisms: {client_creds.mechs}")Install with Tessl CLI
npx tessl i tessl/pypi-gssapi