Custom kinit python

Peter Mogensen apm at
Thu Sep 4 03:37:03 EDT 2014

On 2014-09-03 23:59, Benjamin Kaduk wrote:
> On Tue, 26 Aug 2014, Yago Fernández Pinilla wrote:
>> Hello,
>> I would like to know if it is possible to implement a custom kinit in
>> Python, I know there are already implementations in C and Java but I would
>> like to have it in Python.
>> I have seen different libraries in Python that have different methods but
>> they don't have this functionality.
>> If there is none, where should I start to work?
> I think what you should do depends on what your goal is.  'kinit' is just
> a tool to obtain a kerberos ticket and put it in a credentials cache,
> which may be on disk or in kernel memory or the memory of a helper
> service.  It's not clear to me what benefit is gained from having this
> tool be written in python, unless it is to be some sort of learning
> exercise, so I feel that I am misunderstanding the question.

There is some benefit to having cmd-line tools in an easily modifiable 
scripting language. The standard kinit (and kvno) doesn't let you 
control much about the actual protocol messages sent and where to send 
the output. AFAIK kinit doesn't let you get the actual Ticket obtained 
on stdout. So if you are experimenting with the protocol, a more 
"lowlevel" client is nice.

I've written a "kinit/kvno"-like tool in "pure" Perl - partly as a 
learning exercise for RFC396[12]. (Well, it's almost "pure" Perl, since 
doing SHA/AES in Perl would be silly and doing the nfold bit-shift 
operation in Perl leads to insanity).

Doing a Python version will require first to decide whether you want to 
build the whole ASN.1/crypto handling protocol stuff in Python starting 
from RFC 3961/3962/4120 or you want to only code the actual cmd-line 
tool and use a python wrapper around libkrb5 (or some other Kerberos 
library) to do the actual protocol stuff.

The Apple python-krb5 library is actually a GSS-API library for 
Kerberos. But the Fedora project has a direct wrapper around libkrb5:
...And it's easily extensible if there's something you need it doesn't 


More information about the krbdev mailing list