Custom kinit python
apm at one.com
Thu Sep 4 03:37:03 EDT 2014
On 2014-09-03 23:59, Benjamin Kaduk wrote:
> On Tue, 26 Aug 2014, Yago Fernández Pinilla wrote:
>> I would like to know if it is possible to implement a custom kinit in
>> Python, I know there are already implementations in C and Java but I would
>> like to have it in Python.
>> I have seen different libraries in Python that have different methods but
>> they don't have this functionality.
>> If there is none, where should I start to work?
> I think what you should do depends on what your goal is. 'kinit' is just
> a tool to obtain a kerberos ticket and put it in a credentials cache,
> which may be on disk or in kernel memory or the memory of a helper
> service. It's not clear to me what benefit is gained from having this
> tool be written in python, unless it is to be some sort of learning
> exercise, so I feel that I am misunderstanding the question.
There is some benefit to having cmd-line tools in an easily modifiable
scripting language. The standard kinit (and kvno) doesn't let you
control much about the actual protocol messages sent and where to send
the output. AFAIK kinit doesn't let you get the actual Ticket obtained
on stdout. So if you are experimenting with the protocol, a more
"lowlevel" client is nice.
I've written a "kinit/kvno"-like tool in "pure" Perl - partly as a
learning exercise for RFC396. (Well, it's almost "pure" Perl, since
doing SHA/AES in Perl would be silly and doing the nfold bit-shift
operation in Perl leads to insanity).
Doing a Python version will require first to decide whether you want to
build the whole ASN.1/crypto handling protocol stuff in Python starting
from RFC 3961/3962/4120 or you want to only code the actual cmd-line
tool and use a python wrapper around libkrb5 (or some other Kerberos
library) to do the actual protocol stuff.
The Apple python-krb5 library is actually a GSS-API library for
Kerberos. But the Fedora project has a direct wrapper around libkrb5:
...And it's easily extensible if there's something you need it doesn't
More information about the krbdev