tessl/pypi-gssapi
Python GSSAPI wrapper providing both low-level C-style and high-level Pythonic interfaces for Kerberos and other authentication mechanisms
—
Pending
extensions.mddocs/
Extensions and RFCs
Python GSSAPI supports numerous GSSAPI extensions and RFC specifications beyond the core RFC 2744 functionality. Extensions are dynamically loaded based on GSSAPI implementation support and provide additional capabilities for advanced authentication scenarios.
Capabilities
RFC 4178 - GSS-API Negotiation Mechanism
SPNEGO (Security Provider Negotiation Protocol) support for negotiating mechanisms between peers.
# Available if gssapi.raw.ext_rfc4178 is supported
from gssapi.raw.ext_rfc4178 import set_neg_mechs
def set_neg_mechs(creds, mechs):
"""
Set negotiable mechanisms for credentials.
Parameters:
- creds: Creds object
- mechs: iterable of OID, mechanisms to negotiate
Returns:
Creds: Updated credentials
"""Usage example:
import gssapi
try:
from gssapi.raw.ext_rfc4178 import set_neg_mechs
creds = gssapi.Credentials()
mechs = [gssapi.MechType.kerberos, gssapi.MechType.spnego]
updated_creds = set_neg_mechs(creds, mechs)
except ImportError:
print("RFC 4178 negotiation not supported")RFC 5587 - Extended GSS Mechanism Inquiry APIs
Enhanced mechanism discovery and attribute inquiry capabilities.
# Available if gssapi.raw.ext_rfc5587 is supported
from gssapi.raw.ext_rfc5587 import indicate_mechs_by_attrs, inquire_attrs_for_mech, display_mech_attr
def indicate_mechs_by_attrs(desired_mech_attrs=None, except_mech_attrs=None):
"""
Find mechanisms by attributes.
Parameters:
- desired_mech_attrs: set of OID, desired mechanism attributes
- except_mech_attrs: set of OID, attributes to exclude
Returns:
set: Matching mechanism OIDs
"""
def inquire_attrs_for_mech(mech):
"""
Get attributes supported by a mechanism.
Parameters:
- mech: OID, mechanism to query
Returns:
InquireAttrsResult: mech_attrs, known_mech_attrs
"""
def display_mech_attr(mech_attr):
"""
Get human-readable information about a mechanism attribute.
Parameters:
- mech_attr: OID, mechanism attribute
Returns:
DisplayAttrResult: name, short_desc, long_desc
"""Usage example:
import gssapi
try:
from gssapi.raw.ext_rfc5587 import inquire_attrs_for_mech, display_mech_attr
# Get attributes for Kerberos mechanism
attrs_result = inquire_attrs_for_mech(gssapi.MechType.kerberos)
for attr in attrs_result.mech_attrs:
attr_info = display_mech_attr(attr)
print(f"Attribute: {attr_info.name}")
print(f"Description: {attr_info.long_desc}")
except ImportError:
print("RFC 5587 mechanism inquiry not supported")RFC 5588 - GSS-API Extension for Storing Delegated Credentials
Store delegated credentials in credential stores.
# Available if gssapi.raw.ext_rfc5588 is supported
from gssapi.raw.ext_rfc5588 import store_cred
def store_cred(creds, usage='both', mech=None, overwrite_cred=True, default_cred=False, store=None):
"""
Store credentials in the credential store.
Parameters:
- creds: Creds object to store
- usage: str, 'initiate', 'accept', or 'both'
- mech: OID, specific mechanism (None for all)
- overwrite_cred: bool, whether to overwrite existing credentials
- default_cred: bool, whether to store as default credentials
- store: dict, credential store parameters
Returns:
StoreCredResult: mechs, usage
"""RFC 5801 - GSS-API SASL Extensions
SASL mechanism name mapping and inquiries.
# Available if gssapi.raw.ext_rfc5801 is supported
from gssapi.raw.ext_rfc5801 import inquire_saslname_for_mech
def inquire_saslname_for_mech(mech):
"""
Get SASL mechanism name for a GSSAPI mechanism.
Parameters:
- mech: OID, GSSAPI mechanism
Returns:
InquireSASLNameResult: sasl_mech_name, mech_name, mech_description
"""Usage example:
import gssapi
try:
from gssapi.raw.ext_rfc5801 import inquire_saslname_for_mech
sasl_info = inquire_saslname_for_mech(gssapi.MechType.kerberos)
print(f"SASL name: {sasl_info.sasl_mech_name}")
print(f"Mechanism name: {sasl_info.mech_name}")
print(f"Description: {sasl_info.mech_description}")
except ImportError:
print("RFC 5801 SASL extensions not supported")RFC 6680 - GSS-API Naming Extensions
Enhanced name handling with attributes and composite names.
# Available if gssapi.raw.ext_rfc6680 is supported
from gssapi.raw.ext_rfc6680 import display_name_ext, inquire_name, get_name_attribute, set_name_attribute, delete_name_attribute, export_name_composite
def display_name_ext(name):
"""
Display name with extended information.
Parameters:
- name: Name object
Returns:
DisplayNameResult: name, name_type
"""
def inquire_name(name):
"""
Inquire about name attributes and properties.
Parameters:
- name: Name object
Returns:
InquireNameResult: attrs, is_mech_name, mech
"""
def get_name_attribute(name, attr):
"""
Get values for a name attribute.
Parameters:
- name: Name object
- attr: str or bytes, attribute name
Returns:
GetNameAttributeResult: values, display_values, authenticated, complete
"""
def set_name_attribute(name, attr, values, complete=True):
"""
Set values for a name attribute.
Parameters:
- name: Name object
- attr: str or bytes, attribute name
- values: list of bytes, attribute values
- complete: bool, whether the attribute is complete
Returns:
Name: Updated name object
"""
def delete_name_attribute(name, attr):
"""
Delete a name attribute.
Parameters:
- name: Name object
- attr: str or bytes, attribute name to delete
Returns:
Name: Updated name object
"""
def export_name_composite(name):
"""
Export name in composite format.
Parameters:
- name: Name object
Returns:
bytes: Composite name token
"""Services4User (S4U) - Impersonation
Credential impersonation for service accounts.
# Available if gssapi.raw.ext_s4u is supported
from gssapi.raw.ext_s4u import acquire_cred_impersonate_name
def acquire_cred_impersonate_name(creds, target_name, lifetime=None, mechs=None, usage='initiate'):
"""
Acquire credentials by impersonating another principal.
Parameters:
- creds: Creds, impersonator credentials
- target_name: Name, principal to impersonate
- lifetime: int, desired credential lifetime
- mechs: iterable of OID, desired mechanisms
- usage: str, credential usage
Returns:
AcquireCredResult: creds, mechs, lifetime
"""Usage example:
import gssapi
try:
from gssapi.raw.ext_s4u import acquire_cred_impersonate_name
# Service credentials with impersonation rights
service_creds = gssapi.Credentials(
name=gssapi.Name('service@hostname.example.com'),
usage='initiate'
)
# Impersonate a user
user_name = gssapi.Name('user@REALM.EXAMPLE.COM')
impersonated_result = acquire_cred_impersonate_name(
creds=service_creds,
target_name=user_name,
usage='initiate'
)
impersonated_creds = impersonated_result.creds
except ImportError:
print("S4U impersonation not supported")Credential Store Extensions
Enhanced credential storage and retrieval operations.
# Available if gssapi.raw.ext_cred_store is supported
from gssapi.raw.ext_cred_store import store_cred_into, acquire_cred_from
def store_cred_into(creds, usage='both', mech=None, overwrite=True, default_cred=False, store=None):
"""
Store credentials into a specific credential store.
Parameters:
- creds: Creds object to store
- usage: str, credential usage to store
- mech: OID, specific mechanism
- overwrite: bool, overwrite existing credentials
- default_cred: bool, store as default credentials
- store: dict, credential store location
Returns:
StoreCredResult: mechs, usage
"""
def acquire_cred_from(name=None, lifetime=None, mechs=None, usage='both', store=None):
"""
Acquire credentials from a specific credential store.
Parameters:
- name: Name, principal name
- lifetime: int, desired lifetime
- mechs: iterable of OID, desired mechanisms
- usage: str, credential usage
- store: dict, credential store location
Returns:
AcquireCredResult: creds, mechs, lifetime
"""Password-Based Authentication
Authenticate using username and password.
# Available if gssapi.raw.ext_password is supported
from gssapi.raw.ext_password import acquire_cred_with_password
from gssapi.raw.ext_password_add import add_cred_with_password
def acquire_cred_with_password(name, password, lifetime=None, mechs=None, usage='both'):
"""
Acquire credentials using password authentication.
Parameters:
- name: Name, principal name
- password: str or bytes, password
- lifetime: int, desired credential lifetime
- mechs: iterable of OID, desired mechanisms
- usage: str, credential usage
Returns:
AcquireCredResult: creds, mechs, lifetime
"""
def add_cred_with_password(creds, name, password, mech=None, usage='both', init_lifetime=None, accept_lifetime=None):
"""
Add credentials using password authentication.
Parameters:
- creds: Creds, existing credential set
- name: Name, principal name
- password: str or bytes, password
- mech: OID, mechanism
- usage: str, credential usage
- init_lifetime: int, initiate lifetime
- accept_lifetime: int, accept lifetime
Returns:
AddCredResult: creds, mechs, init_lifetime, accept_lifetime
"""DCE and IOV Extensions
Input/Output Vector operations for scatter-gather message protection.
# Available if gssapi.raw.ext_dce is supported
from gssapi.raw.ext_dce import wrap_iov, unwrap_iov, wrap_iov_length, get_mic_iov, verify_mic_iov, get_mic_iov_length, IOV
class IOV:
"""Input/Output Vector for scatter-gather operations."""
def __init__(self, iov_type, data=None, length=None):
"""
Create IOV buffer.
Parameters:
- iov_type: IOVType, buffer type
- data: bytes, buffer data
- length: int, buffer length
"""
def wrap_iov(context, iov, encrypt=None):
"""
Wrap data using IOV interface.
Parameters:
- context: SecurityContext object
- iov: list of IOV objects
- encrypt: bool, whether to encrypt
Returns:
bool: Whether message was encrypted
"""
def unwrap_iov(context, iov):
"""
Unwrap data using IOV interface.
Parameters:
- context: SecurityContext object
- iov: list of IOV objects
Returns:
IOVUnwrapResult: encrypted, qop
"""DCE AEAD Extensions
Authenticated Encryption with Associated Data operations.
# Available if gssapi.raw.ext_dce_aead is supported
from gssapi.raw.ext_dce_aead import wrap_aead, unwrap_aead
def wrap_aead(context, message, associated_data=None):
"""
Wrap message using AEAD.
Parameters:
- context: SecurityContext object
- message: bytes, message to encrypt
- associated_data: bytes, additional authenticated data
Returns:
bytes: Wrapped message
"""
def unwrap_aead(context, message, associated_data=None):
"""
Unwrap AEAD-protected message.
Parameters:
- context: SecurityContext object
- message: bytes, wrapped message
- associated_data: bytes, additional authenticated data
Returns:
bytes: Unwrapped message
"""Kerberos-Specific Extensions
Kerberos 5 mechanism-specific functionality.
# Available if gssapi.raw.ext_krb5 is supported
from gssapi.raw.ext_krb5 import krb5_ccache_name, krb5_register_acceptor_identity
def krb5_ccache_name(name=None):
"""
Get or set Kerberos credential cache name.
Parameters:
- name: str, credential cache name (None to query current)
Returns:
str: Current or previous credential cache name
"""
def krb5_register_acceptor_identity(identity):
"""
Register acceptor identity for Kerberos.
Parameters:
- identity: str, keytab file path or identity
"""Global Grid Forum (GGF) Extensions
Grid computing authentication extensions.
# Available if gssapi.raw.ext_ggf is supported
from gssapi.raw.ext_ggf import inquire_sec_context_by_oid
def inquire_sec_context_by_oid(context, oid):
"""
Inquire about security context using OID.
Parameters:
- context: SecurityContext object
- oid: OID, information type to query
Returns:
bytes: Context information
"""Credential Import/Export
Import and export credentials as tokens.
# Available if gssapi.raw.ext_cred_imp_exp is supported
from gssapi.raw.ext_cred_imp_exp import import_cred, export_cred
def export_cred(creds):
"""
Export credentials to a token.
Parameters:
- creds: Creds object
Returns:
bytes: Exported credential token
"""
def import_cred(token):
"""
Import credentials from a token.
Parameters:
- token: bytes, exported credential token
Returns:
Creds: Imported credentials
"""Set Credential Options
Set mechanism-specific credential options.
# Available if gssapi.raw.ext_set_cred_opt is supported
from gssapi.raw.ext_set_cred_opt import set_cred_option
def set_cred_option(creds, option, value):
"""
Set a credential option.
Parameters:
- creds: Creds object
- option: OID, option to set
- value: bytes, option value
Returns:
Creds: Updated credentials
"""Extension Availability Check
Check which extensions are available in your GSSAPI implementation:
import gssapi._utils
# Check for specific extensions
extensions = [
'rfc4178', 'rfc5587', 'rfc5588', 'rfc5801', 'rfc6680',
's4u', 'cred_store', 'password', 'dce', 'dce_aead',
'krb5', 'ggf', 'cred_imp_exp', 'set_cred_opt'
]
available_extensions = []
for ext in extensions:
if gssapi._utils.import_gssapi_extension(ext) is not None:
available_extensions.append(ext)
print("Available extensions:", available_extensions)Complete Extension Usage Example
import gssapi
import gssapi._utils
def demonstrate_extensions():
"""Demonstrate various GSSAPI extensions."""
# Check S4U support
s4u_ext = gssapi._utils.import_gssapi_extension('s4u')
if s4u_ext:
print("S4U impersonation is supported")
# Perform impersonation
service_creds = gssapi.Credentials(
name=gssapi.Name('service@hostname.example.com')
)
impersonated_creds = gssapi.Credentials.impersonate(
name=service_creds.name,
target_name=gssapi.Name('user@REALM.EXAMPLE.COM')
)
# Check RFC 6680 naming extensions
rfc6680_ext = gssapi._utils.import_gssapi_extension('rfc6680')
if rfc6680_ext:
print("RFC 6680 naming extensions supported")
name = gssapi.Name('user@REALM.EXAMPLE.COM')
if hasattr(name, 'attributes'):
attrs = name.attributes
print(f"Name attributes: {attrs}")
# Check credential storage
cred_store_ext = gssapi._utils.import_gssapi_extension('cred_store')
if cred_store_ext:
print("Credential store extensions supported")
creds = gssapi.Credentials()
store_params = {'ccache': 'FILE:/tmp/custom_cache'}
creds.store(store=store_params)
if __name__ == "__main__":
demonstrate_extensions()Install with Tessl CLI
npx tessl i tessl/pypi-gssapi