kerberos客户端身份验证的sspi高级接口
winkerberos的Python项目详细描述
| Info: | See github for the latest source. |
|---|---|
| Author: | Bernie Hackett <bernie@mongodb.com> |
关于
windows上python的本机kerberos客户端实现。本模块 模拟pykerberos到的api 使用Microsoft的安全支持提供程序实现kerberos身份验证 接口(SSPI)。它支持Python2.6、2.7和3.3+。
安装
温克贝罗斯在Python Package Index (pypi)里面。使用pip安装:
python -m pip install winkerberos
WinkerBeros需要Windows 7/Windows Server 2008 R2或更高版本。
从源代码构建和安装
您必须为您的版本安装VC++的正确版本 Python:
- Python2.6-Microsoft Visual C++ Compiler for Python 2.7
- Python2.7-Microsoft Visual C++ Compiler for Python 2.7
- Python 3.3-Visual Studio 2010(64位专业版)
- Python 3.4-Visual Studio 2010(64位专业版)
- Python 3.5+-Visual Studio 2015(任何版本)
一旦安装了所需的编译器,请从 winkerberos源的根目录:
python setup.py install
示例
这是完整身份验证会话的简化示例 遵循RFC-4752第3.1节:
importwinkerberosaskerberosdefsend_response_and_receive_challenge(response):# Your server communication code here...passdefauthenticate_kerberos(service,user,channel_bindings=None):# Initialize the context object with a service principal.status,ctx=kerberos.authGSSClientInit(service)# GSSAPI is a "client goes first" SASL mechanism. Send the# first "response" to the server and recieve its first# challenge.ifchannel_bindingsisnotNone:status=kerberos.authGSSClientStep(ctx,"",channel_bindings=channel_bindings)else:status=kerberos.authGSSClientStep(ctx,"")response=kerberos.authGSSClientResponse(ctx)challenge=send_response_and_receive_challenge(response)# Keep processing challenges and sending responses until# authGSSClientStep reports AUTH_GSS_COMPLETE.whilestatus==kerberos.AUTH_GSS_CONTINUE:ifchannel_bindingsisnotNone:status=kerberos.authGSSClientStep(ctx,challenge,channel_bindings=channel_bindings)else:status=kerberos.authGSSClientStep(ctx,challenge)response=kerberos.authGSSClientResponse(ctx)or''challenge=send_response_and_receive_challenge(response)# Decrypt the server's last challengekerberos.authGSSClientUnwrap(ctx,challenge)data=kerberos.authGSSClientResponse(ctx)# Encrypt a response including the user principal to authorize.kerberos.authGSSClientWrap(ctx,data,user)response=kerberos.authGSSClientResponse(ctx)# Complete authentication.send_response_and_receive_challenge(response)
通道绑定可以在cryptography模块的帮助下生成。见 https://tools.ietf.org/html/rfc5929#section-4.1关于 哈希算法选择:
fromcryptographyimportx509fromcryptography.hazmat.backendsimportdefault_backendfromcryptography.hazmat.primitivesimporthashesdefchannel_bindings(ssl_socket):server_certificate=ssl_socket.getpeercert(True)cert=x509.load_der_x509_certificate(server_certificate,default_backend())hash_algorithm=cert.signature_hash_algorithmifhash_algorithm.namein('md5','sha1'):digest=hashes.Hash(hashes.SHA256(),default_backend())else:digest=hashes.Hash(hash_algorithm,default_backend())digest.update(server_certificate)application_data=b"tls-server-end-point:"+digest.finalize()returnkerberos.channelBindings(application_data=application_data)
在没有Sphinx的情况下查看API文档
使用python交互式shell中的帮助函数:
>>>importwinkerberos>>>help(winkerberos)
欢迎加入QQ群-->: 979659372
