Kerberos authentication w/ Python on Windows
donn at u.washington.edu
Tue Oct 19 18:43:18 CEST 2004
In article <cl27jv$olr$1 at eeyore.INS.cwru.edu>,
Brian Beck <exogen at gmail.com> wrote:
> After a bit of searching I haven't been able to find a definite resource
> for Kerberos authentication from Python. Any help would be appreciated.
The only thing I know out there -
Written by Fred Drake and Roger Masse for CNRI, it's not very
recent but that's probably the least of your problems. It does
have some preprocessor conditionals as though they were building
it on Windows at some point.
> Here's what I've found...
>  The best I could find in Zope appears to just get its result from
> the UNIX/Linux krb5 command, which does all the heavy lifting. This is
> not available on Windows.
That krb5 command does not sound like anything I have ever seen.
It isn't "available" on UNIX either, it's just something that
you have to get and probably build (I guess - I've never heard of
external Kerberos authentication, sounds like a bad idea to me.)
>  http://pygss.sourceforge.net/
> I can't really tell if this is what I'm looking for. It does
> provide a way to interface with MIT's krb5, but it must be obtained
> separately and compiled...
Well, naturally. I don't know this software, but by the name
evidently it's a GSSAPI interface. Conventional wisdom has it
that applications should use GSSAPI for Kerberos 5 authentication.
It actually doesn't have complete, end-to-end coverage for the
problem area, so commonly you end up needing to call the
underlying krb5 library anyway for some miscellaneous functions,
and honestly it's a verbose, awkward mess to program to, but
you get a more reliable application out of it if you're doing
things like data encryption on top of the minimal authentication
function. And I understand that at some level it may be compatible
with a protocol that Microsoft Windows' native Kerberos 5
I don't know much about any special issues that you might be
facing on Microsoft Windows, but all this is fairly simple
on UNIX and I know MS made Kerberos5 integral to Windows
authentication, so what could go wrong?
Donn Cave, donn at u.washington.edu
More information about the Python-list