Custom kinit python

Custom kinit python

Yago Fernández Pinilla
Hello,

I would like to know if it is possible to implement a custom kinit in
Python, I know there are already implementations in C and Java but I would
like to have it in Python.

I have seen different libraries in Python that have different methods but
they don't have this functionality.


If there is none, where should I start to work?

Thanks in advance

Yago

--
Yago Fernández Pinilla
e-mail: [hidden email]
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Custom kinit python

Benjamin Kaduk-2
On Tue, 26 Aug 2014, Yago Fernández Pinilla wrote:

> Hello,
>
> I would like to know if it is possible to implement a custom kinit in
> Python, I know there are already implementations in C and Java but I would
> like to have it in Python.
>
> I have seen different libraries in Python that have different methods but
> they don't have this functionality.
>
>
> If there is none, where should I start to work?

I think what you should do depends on what your goal is.  'kinit' is just
a tool to obtain a kerberos ticket and put it in a credentials cache,
which may be on disk or in kernel memory or the memory of a helper
service.  It's not clear to me what benefit is gained from having this
tool be written in python, unless it is to be some sort of learning
exercise, so I feel that I am misunderstanding the question.

-Ben Kaduk

Re: Custom kinit python

Yago Fernández Pinilla
Hi,

The idea is that we wanted to integrate everything in our tool and not
depend on an external binary.

I was able to do the same thing as kinit and kdestroy using the krb5 API
http://web.mit.edu/kerberos/krb5-devel/doc/appdev/refs/api/index.html

The problem that I have now and what I have been working on is:

I would like to "export" the ticket in some way to send it to the user and
then be able to import it again.

This functionality seems to be present using the gssapi module but I don't
know how to obtain the object "creds".


Thanks in advance

Yago


On Wed, Sep 3, 2014 at 11:59 PM, Benjamin Kaduk <[hidden email]> wrote:

> On Tue, 26 Aug 2014, Yago Fernández Pinilla wrote:
>
> > Hello,
> >
> > I would like to know if it is possible to implement a custom kinit in
> > Python, I know there are already implementations in C and Java but I would
> > like to have it in Python.
> >
> > I have seen different libraries in Python that have different methods but
> > they don't have this functionality.
> >
> >
> > If there is none, where should I start to work?
>
> I think what you should do depends on what your goal is.  'kinit' is just
> a tool to obtain a kerberos ticket and put it in a credentials cache,
> which may be on disk or in kernel memory or the memory of a helper
> service.  It's not clear to me what benefit is gained from having this
> tool be written in python, unless it is to be some sort of learning
> exercise, so I feel that I am misunderstanding the question.
>
> -Ben Kaduk




--
Yago Fernández Pinilla
e-mail: [hidden email]

Re: Custom kinit python

Peter Mogensen
In reply to this post by Benjamin Kaduk-2
On 2014-09-03 23:59, Benjamin Kaduk wrote:

> On Tue, 26 Aug 2014, Yago Fernández Pinilla wrote:
>
>> Hello,
>>
>> I would like to know if it is possible to implement a custom kinit in
>> Python, I know there are already implementations in C and Java but I would
>> like to have it in Python.
>>
>> I have seen different libraries in Python that have different methods but
>> they don't have this functionality.
>>
>>
>> If there is none, where should I start to work?
>
> I think what you should do depends on what your goal is.  'kinit' is just
> a tool to obtain a kerberos ticket and put it in a credentials cache,
> which may be on disk or in kernel memory or the memory of a helper
> service.  It's not clear to me what benefit is gained from having this
> tool be written in python, unless it is to be some sort of learning
> exercise, so I feel that I am misunderstanding the question.

There is some benefit to having cmd-line tools in an easily modifiable
scripting language. The standard kinit (and kvno) doesn't let you
control much about the actual protocol messages sent and where to send
the output. AFAIK kinit doesn't let you get the actual Ticket obtained
on stdout. So if you are experimenting with the protocol, a more
"lowlevel" client is nice.

I've written a "kinit/kvno"-like tool in "pure" Perl - partly as a
learning exercise for RFC396[12]. (Well, it's almost "pure" Perl, since
doing SHA/AES in Perl would be silly and doing the nfold bit-shift
operation in Perl leads to insanity).

Doing a Python version will require first to decide whether you want to
build the whole ASN.1/crypto handling protocol stuff in Python starting
from RFC 3961/3962/4120 or you want to only code the actual cmd-line
tool and use a python wrapper around libkrb5 (or some other Kerberos
library) to do the actual protocol stuff.

The Apple python-krb5 library is actually a GSS-API library for
Kerberos. But the Fedora project has a direct wrapper around libkrb5:
https://fedorahosted.org/python-krbV/
...And it's easily extensible if there's something you need it doesn't
provide.

/Peter
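
Added example (not part of the original thread and not code from any project mentioned in it): the RFC 3961 n-fold operation referred to above, written in Python 3 with arbitrary-precision integers and checked against test vectors from RFC 3961 Appendix A.1. The function names `rotate_right`, `nfold` and `check_vectors` are this example's own.

```python
"""RFC 3961 section 5.1 n-fold, written for this example (assumed names)."""
from math import gcd


def rotate_right(data: bytes, nbits: int) -> bytes:
    """Rotate a byte string right by nbits, treating it as one big-endian integer."""
    width = len(data) * 8
    nbits %= width
    value = int.from_bytes(data, "big")
    rotated = ((value >> nbits) | (value << (width - nbits))) & ((1 << width) - 1)
    return rotated.to_bytes(len(data), "big")


def nfold(data: bytes, nbytes: int) -> bytes:
    """Stretch or compress data to exactly nbytes using the n-fold operation."""
    if not data or nbytes <= 0:
        raise ValueError("n-fold needs non-empty input and a positive output length")
    slen = len(data)
    lcm = nbytes * slen // gcd(nbytes, slen)
    # Concatenate copies of the input, each rotated 13 bits further right.
    stream = b"".join(rotate_right(data, 13 * i) for i in range(lcm // slen))
    # Add the nbytes-wide slices as ones' complement integers (end-around carry).
    width = nbytes * 8
    mask = (1 << width) - 1
    total = sum(int.from_bytes(stream[p:p + nbytes], "big")
                for p in range(0, lcm, nbytes))
    while total >> width:
        total = (total & mask) + (total >> width)
    return total.to_bytes(nbytes, "big")


# Test vectors from RFC 3961 Appendix A.1: (input, output bits, expected hex).
RFC3961_VECTORS = [
    (b"012345", 64, "be072631276b1955"),
    (b"password", 56, "78a07b6caf85fa"),
    (b"kerberos", 64, "6b65726265726f73"),
    (b"kerberos", 128, "6b65726265726f737b9b5b2b93132b93"),
]


def check_vectors() -> list:
    """Return the vectors that fail; an empty list means the code agrees with the RFC."""
    return [(d, bits) for d, bits, want in RFC3961_VECTORS
            if nfold(d, bits // 8).hex() != want]


if __name__ == "__main__":
    print("failed vectors:", check_vectors())
```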


Re: Custom kinit python

Greg Hudson
On 09/04/2014 03:37 AM, Peter Mogensen wrote:
> Doing a Python version will require first to decide whether you want to
> build the whole ASN.1/crypto handling protocol stuff in Python starting
> from RFC 3961/3962/4120 or you want to only code the actual cmd-line
> tool and use a python wrapper around libkrb5 (or some other Kerberos
> library) to do the actual protocol stuff.

In terms of pure Python implementations, I'm aware of two partial
implementations:

* Marc Horowitz's pykrb5 at
https://github.com/mhorowitz/pykrb5.  This has kinit/klist/kdestroy/kvno
equivalents, but only supports DES and 3DES crypto.  pykrb5 uses pyasn1
and pyDes.

* My own pyk5 at https://github.com/greghudson/pyk5.  This isn't likely
to evolve into anything user-facing as it's designed for eventual use in
the MIT krb5 test suite, and right now it doesn't have anything besides
RFC 3961 crypto and ASN.1 encoding.  But the crypto does have support
for modern enctypes.  pyk5 uses pyasn1 and PyCrypto.

Using bindings as Peter suggested is probably more practical right now,
depending on your needs.