Commit c129f6a2 authored by Dr. Torge Szczepanek's avatar Dr. Torge Szczepanek Committed by Dr. Torge Szczepanek

Imported Upstream version 1.1.5

parent ef7f26cf
recursive-include src *.h
recursive-include pysrc *
recursive-include bin *
include LICENSE
Metadata-Version: 1.1
Name: pykerberos
Version: 1.1.5
Summary: High-level interface to Kerberos
Home-page: UNKNOWN
Author: UNKNOWN
Author-email: UNKNOWN
License: ASL 2.0
Description:
This Python package is a high-level wrapper for Kerberos (GSSAPI) operations.
The goal is to avoid having to build a module that wraps the entire Kerberos.framework,
and instead offer a limited set of functions that do what is needed for client/server
Kerberos authentication based on <http://www.ietf.org/rfc/rfc4559.txt>.
Platform: UNKNOWN
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Systems Administration :: Authentication/Directory
[libdefaults]
default_realm = EXAMPLE.COM
dns_fallback = NO
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Metadata-Version: 1.1
Name: pykerberos
Version: 1.1.5
Summary: High-level interface to Kerberos
Home-page: UNKNOWN
Author: UNKNOWN
Author-email: UNKNOWN
License: ASL 2.0
Description:
This Python package is a high-level wrapper for Kerberos (GSSAPI) operations.
The goal is to avoid having to build a module that wraps the entire Kerberos.framework,
and instead offer a limited set of functions that do what is needed for client/server
Kerberos authentication based on <http://www.ietf.org/rfc/rfc4559.txt>.
Platform: UNKNOWN
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Systems Administration :: Authentication/Directory
LICENSE
MANIFEST.in
README.txt
setup.py
bin/ftp-gss
pykerberos.egg-info/PKG-INFO
pykerberos.egg-info/SOURCES.txt
pykerberos.egg-info/dependency_links.txt
pykerberos.egg-info/top_level.txt
pysrc/kerberos.py
src/base64.c
src/base64.h
src/kerberos.c
src/kerberosbasic.c
src/kerberosbasic.h
src/kerberosgss.c
src/kerberosgss.h
src/kerberospw.c
src/kerberospw.h
\ No newline at end of file
......@@ -168,13 +168,12 @@ def authGSSClientUnwrap(context, challenge):
@return: a result code (see above)
"""
def authGSSClientWrap(context, data, user=None, protect=0):
def authGSSClientWrap(context, data, user=None):
"""
Perform the client side GSSAPI wrap step.
@param data:the result of the authGSSClientResponse after the authGSSClientUnwrap
@param user: the user to authorize
@param protect: if 0 then just provide integrity protection, if 1, then provide confidentiality as well.
@return: a result code (see above)
"""
......
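Review bot: Dropping `protect` from `authGSSClientWrap` removes the caller's only way to ask for confidentiality on the wrapped message, and the remaining docstring no longer says what protection the wrap provides. The new side appears to be `def authGSSClientWrap(context, data, user=None):` (the hunk shrinks from 13 to 12 lines and the `@param protect` line has no replacement), so a caller still passing `protect=1` would presumably fail with a TypeError rather than silently lose encryption; that is the safer failure, but it is undocumented. I would add a docstring line such as `@param context: the context object returned by authGSSClientInit` and one sentence stating whether the wrapped data is integrity-protected only. The function body lies outside the hunk, so the protection level actually requested from GSSAPI cannot be confirmed from here.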
[egg_info]
tag_build =
tag_date = 0
tag_svn_revision = 0
##
# Copyright (c) 2006-2013 Apple Inc. All rights reserved.
# Copyright (c) 2006-2008 Apple Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
......@@ -14,9 +14,9 @@
# limitations under the License.
##
from distutils.core import setup, Extension
from setuptools import setup, Extension
import subprocess
import sys
import commands
long_description = """
This Python package is a high-level wrapper for Kerberos (GSSAPI) operations.
......@@ -26,22 +26,48 @@ Kerberos authentication based on <http://www.ietf.org/rfc/rfc4559.txt>.
"""
# Backport from Python 2.7 in case we're in 2.6.
def check_output(*popenargs, **kwargs):
process = subprocess.Popen(stdout=subprocess.PIPE, *popenargs, **kwargs)
output, unused_err = process.communicate()
retcode = process.poll()
if retcode:
cmd = kwargs.get("args")
if cmd is None:
cmd = popenargs[0]
raise subprocess.CalledProcessError(retcode, cmd, output=output)
return output
extra_link_args = check_output(
["krb5-config", "--libs", "gssapi"],
universal_newlines=True
).split()
extra_compile_args = check_output(
["krb5-config", "--cflags", "gssapi"],
universal_newlines=True
).split()
setup (
name = "kerberos",
version = "1.1.1",
description = "Kerberos high-level interface",
name = "pykerberos",
version = "1.1.5",
description = "High-level interface to Kerberos",
long_description=long_description,
license="ASL 2.0",
classifiers = [
"License :: OSI Approved :: Apache Software License",
"Programming Language :: Python :: 2",
"Programming Language :: Python :: 3",
"Topic :: Software Development :: Libraries :: Python Modules",
"Topic :: System :: Systems Administration :: Authentication/Directory"
],
ext_modules = [
Extension(
"kerberos",
extra_link_args = commands.getoutput("krb5-config --libs gssapi").split(),
extra_compile_args = commands.getoutput("krb5-config --cflags gssapi").split(),
extra_link_args = extra_link_args,
extra_compile_args = extra_compile_args,
sources = [
"src/kerberos.c",
"src/kerberosbasic.c",
......
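Review bot: The `check_output` backport raises `subprocess.CalledProcessError(retcode, cmd, output=output)`, but on Python 2.6, the version its comment says it exists for, that constructor accepts only `returncode` and `cmd`, so a failing `krb5-config` would surface as a TypeError rather than the intended error. Building the exception first and attaching the output works on both versions: `err = subprocess.CalledProcessError(retcode, cmd)`, `err.output = output`, `raise err`. The list-form command keeps the shell out of the build, but `krb5-config` is still resolved through PATH and its output becomes compiler and linker arguments, so a comment such as `# krb5-config is looked up on PATH; build with a trusted PATH` would help packagers. The `setup(...)` call continues past the end of the hunk.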
This diff is collapsed.
......@@ -302,14 +302,14 @@ int authenticate_gss_client_unwrap(gss_client_state *state, const char *challeng
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
int ret = AUTH_GSS_CONTINUE;
int conf = 0;
int conf = 0;
// Always clear out the old response
if (state->response != NULL)
{
free(state->response);
state->response = NULL;
state->responseConf = 0;
state->responseConf = 0;
}
// If there is a challenge (data from the server) we need to give it to GSS
......@@ -341,7 +341,7 @@ int authenticate_gss_client_unwrap(gss_client_state *state, const char *challeng
if (output_token.length)
{
state->response = base64_encode((const unsigned char *)output_token.value, output_token.length);
state->responseConf = conf;
state->responseConf = conf;
maj_stat = gss_release_buffer(&min_stat, &output_token);
}
end:
......
This diff is collapsed.
This diff is collapsed.
This diff is collapsed.
/**
* Copyright (c) 2006-2013 Apple Inc. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
#include "kerberosgss.h"
#include "stdio.h"
int main (int argc, char * const argv[]) {
int code = 0;
char* service = 0L;
gss_server_state state;
service = server_principal_details("http", "caldav.local");
//printf("Got service principal: %s\n", result);
//code = authenticate_user_krb5pwd("x", "x", "http/caldav.corp.apple.com@CALDAV.CORP.APPLE.COM", "CALDAV.CORP.APPLE.COM");
code = authenticate_gss_server_init("", &state);
code = authenticate_gss_server_clean(&state);
return 0;
}
#!/usr/bin/env python
##
# Copyright (c) 2006-2013 Apple Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
##
import kerberos
import getopt
import sys
import httplib
import socket
import ssl
"""
Examples:
sudo ./test.py -s HTTP@example.com service
sudo ./test.py -u user01 -p user01 -s HTTP@example.com -r EXAMPLE.COM basic
sudo ./test.py -s HTTP@example.com -r EXAMPLE.COM gssapi
./test.py -s HTTP@example.com -h calendar.example.com -p 8008 server
For the gssapi and server tests you will need to kinit a principal on the server first.
"""
def main():
# Extract arguments
user = ""
pswd = ""
service = "HTTP@EXAMPLE.COM"
host = "host.example.com"
realm ="HOST.EXAMPLE.COM"
port = 8008
use_ssl = False
allowedActions = ("service", "basic", "gssapi", "server",)
options, args = getopt.getopt(sys.argv[1:], "u:p:s:h:i:r:x")
for option, value in options:
if option == "-u":
user = value
elif option == "-p":
pswd = value
elif option == "-s":
service = value
elif option == "-h":
host = value
elif option == "-i":
port = value
elif option == "-r":
realm = value
elif option == "-x":
use_ssl = True
actions = set()
for arg in args:
if arg in allowedActions:
actions.add(arg)
else:
print "Action not allowed: %s" % (arg,)
sys.exit(1)
# Get service principal
if "service" in actions:
print "\n*** Running Service Principal test"
s, h = service.split("@")
testServicePrincipal(s, h);
# GSS Basic test
if "basic" in actions:
if (len(user) != 0) and (len(pswd) != 0):
print "\n*** Running basic test"
testCheckpassword(user, pswd, service, realm)
else:
print "\n*** Skipping basic test: no user or password specified"
# Full GSSAPI test
if "gssapi" in actions:
print "\n*** Running GSSAPI test"
testGSSAPI(service)
if "server" in actions:
print "\n*** Running HTTP test"
testHTTP(host, port, use_ssl, service)
print "\n*** Done\n"
def testServicePrincipal(service, hostname):
try:
result = kerberos.getServerPrincipalDetails(service, hostname)
except kerberos.KrbError, e:
print "Kerberos service principal for %s/%s failed: %s" % (service, hostname, e[0])
else:
print "Kerberos service principal for %s/%s succeeded: %s" % (service, hostname, result)
def testCheckpassword(user, pswd, service, realm):
try:
kerberos.checkPassword(user, pswd, service, realm)
except kerberos.BasicAuthError, e:
print "Kerberos authentication for %s failed: %s" % (user, e[0])
else:
print "Kerberos authentication for %s succeeded" % user
def testGSSAPI(service):
def statusText(r):
if r == 1:
return "Complete"
elif r == 0:
return "Continue"
else:
return "Error"
rc, vc = kerberos.authGSSClientInit(service);
print "Status for authGSSClientInit = %s" % statusText(rc);
if rc != 1:
return
rs, vs = kerberos.authGSSServerInit(service);
print "Status for authGSSServerInit = %s" % statusText(rs);
if rs != 1:
return
rc = kerberos.authGSSClientStep(vc, "");
print "Status for authGSSClientStep = %s" % statusText(rc);
if rc != 0:
return
rs = kerberos.authGSSServerStep(vs, kerberos.authGSSClientResponse(vc));
print "Status for authGSSServerStep = %s" % statusText(rs);
if rs == -1:
return
rc = kerberos.authGSSClientStep(vc, kerberos.authGSSServerResponse(vs));
print "Status for authGSSClientStep = %s" % statusText(rc);
if rc == -1:
return
print "Server user name: %s" % kerberos.authGSSServerUserName(vs);
print "Server target name: %s" % kerberos.authGSSServerTargetName(vs);
print "Client user name: %s" % kerberos.authGSSClientUserName(vc);
rc = kerberos.authGSSClientClean(vc);
print "Status for authGSSClientClean = %s" % statusText(rc);
rs = kerberos.authGSSServerClean(vs);
print "Status for authGSSServerClean = %s" % statusText(rs);
def testHTTP(host, port, use_ssl, service):
class HTTPSConnection_SSLv3(httplib.HTTPSConnection):
"This class allows communication via SSL."
def connect(self):
"Connect to a host on a given (SSL) port."
sock = socket.create_connection((self.host, self.port), self.timeout)
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
def sendRequest(host, port, ssl, method, uri, headers):
response = None
if use_ssl:
http = HTTPSConnection_SSLv3(host, port)
else:
http = httplib.HTTPConnection(host, port)
try:
http.request(method, uri, "", headers)
response = http.getresponse()
finally:
http.close()
return response
# Initial request without auth header
uri = "/principals/"
response = sendRequest(host, port, use_ssl, "OPTIONS", uri, {})
if response is None:
print "Initial HTTP request to server failed"
return
if response.status != 401:
print "Initial HTTP request did not result in a 401 response"
return
hdrs = response.msg.getheaders("www-authenticate")
if (hdrs is None) or (len(hdrs) == 0):
print "No www-authenticate header in initial HTTP response."
for hdr in hdrs:
hdr = hdr.strip()
splits = hdr.split(' ', 1)
if (len(splits) != 1) or (splits[0].lower() != "negotiate"):
continue
else:
break
else:
print "No www-authenticate header with negotiate in initial HTTP response."
return
try:
rc, vc = kerberos.authGSSClientInit(service=service);
except kerberos.GSSError, e:
print "Could not initialize GSSAPI: %s/%s" % (e[0][0], e[1][0])
return
try:
kerberos.authGSSClientStep(vc, "");
except kerberos.GSSError, e:
print "Could not do GSSAPI step with continue: %s/%s" % (e[0][0], e[1][0])
return
hdrs = {}
hdrs["Authorization"] = "negotiate %s" % kerberos.authGSSClientResponse(vc)
# Second request with auth header
response = sendRequest(host, port, use_ssl, "OPTIONS", uri, hdrs)
if response is None:
print "Second HTTP request to server failed"
return
if response.status/100 != 2:
print "Second HTTP request did not result in a 2xx response: %d" % (response.status,)
return
hdrs = response.msg.getheaders("www-authenticate")
if (hdrs is None) or (len(hdrs) == 0):
print "No www-authenticate header in second HTTP response."
return
for hdr in hdrs:
hdr = hdr.strip()
splits = hdr.split(' ', 1)
if (len(splits) != 2) or (splits[0].lower() != "negotiate"):
continue
else:
break
else:
print "No www-authenticate header with negotiate in second HTTP response."
return
try:
kerberos.authGSSClientStep(vc, splits[1])
except kerberos.GSSError, e:
print "Could not verify server www-authenticate header in second HTTP response: %s/%s" % (e[0][0], e[1][0])
return
try:
rc = kerberos.authGSSClientClean(vc);
except kerberos.GSSError, e:
print "Could not clean-up GSSAPI: %s/%s" % (e[0][0], e[1][0])
return
print "Authenticated successfully"
return
if __name__=='__main__':
main()