-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathkpass.py
43 lines (34 loc) · 1.78 KB
/
kpass.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
"""
Python extension for Kerberos 5 password verification.
This Python extension module provides a simple function called
kpass() to perform password verification using Kerberos 5. It is
intended for use by applications that cannot use the Kerberos
protocol natively, but need to authenticate users against the
Kerberos database. If it must be run on a system that receives a
username and password over the network, steps should be taken to
ensure that these are passed to that system in a cryptographically
secure manner.
kpass() attempts to obtain credentials for the given username and
password from the Kerberos AS, then obtain credentials for a local
service from the Kerberos TGS to verify the authenticity of the AS
response. The python 'None' type can be passed as the 3rd (service)
and 4th (host) arguments to use the default service name (host)
and the fully canonicalized primary hostname of the system that the
function is executed on. The fifth argument can also be 'None' to
use the system's default keytab file (usually FILE:/etc/krb5.keytab).
kpass() returns 1 if password verification is successful, 0 if the
username or password is incorrect and raises a custom exception of
KpassError if a system error is encountered.
kpass() relies on obtaining Kerberos realm and KDC information
from the invoking environment. Typically it will get this from
the system's Kerberos configuration file (krb5.conf) and/or DNS
records. One quick way to override the default environment is to
create a custom krb5.conf file and setting the pathname to this
file as the value of the KRB5_CONFIG environment variable.
"""
import _kpass
VERSION = "0.5"
KpassError = _kpass.KpassError
def kpass(*args):
"""kpass(username, password, service, host, kt_pathname) -> int"""
return _kpass.kpass(*args)