Seems to be documented only in the header files.

We are no longer passing tests on Travis despite passing them locally on Debian Jessie and Gentoo. For example see this cosmetic change.

When using explicitly set name type, it doesn't segfault, but crashes nevertheless.

Reproducer:

python -c 'import gssapi as g;g.Name("[email protected]",g.NameType.kerberos_principal).display_as(g.NameType.kerberos_principal)'

Stacktrace:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/gssapi/names.py", line 146, in display_as
    _utils.get_encoding())
AttributeError: 'module' object has no attribute 'get_encoding'

When performing a negociation step such as shown in the code proposed in the documentation, it is not specified what size the client and the service should expect for an incoming token.

We want to graft greet_client onto the repo(s) we're using for later versions of Kerberos. In theory, since there has been no change to the greet_client code since before the 1.10 release, it is not a problem to only test it there and we don't need to worry about 1.12 and 1.10.

This was originally blocking #54 though it has been decided to continue without explicit greet_client testing in Travis.

We should raise NotImplementedError instead of AttributeError in the high-level API if an extension is not present.

http://k5wiki.kerberos.org/wiki/Projects/GSSAPI_DCE

http://k5wiki.kerberos.org/wiki/Projects/GSS_IOV_MIC_API

Hi Guys,

First of all, thanks for working on this API. By far the most usable solution i've found on the web so far. And the docs are pretty good too! This is not a bug, I'm just looking for help implementing something using your wrapper.

I'm having some trouble with the acquire_cred_from() method. Which I see is an extension, but i'm wondering if you can help me. I've done a kinit as a user, and i'm hoping to use this method to acquire the cred and forward it to a remote host. Am I understanding this function correctly?

In your documentation it says that the cred store needs to be a dict. Do you know what information needs to be in the dict? I've tried the following...

{'KEYRING': 'persistent'}
{'KEYRING': '2757'}
{'KEYRING': 'persistent:2757'}
{'persistent': '2757'}

I have one other question, which is about the acquire_cred_with_password() function. It seems that when I use that function to acquire credentials, my password is stored in plain text in the credentials object. Is this expected behaviour?

credentialObject = gssapi.raw.acquire_cred_with_password(username, password)
mycred = credentialObject[0]
print gssapi.raw.export_cred(mycred)

The output looks something like the following:

*▒H▒▒▒["K5C1",[1,["[email protected]",null,null],null,false,false,null,null,"KEYRING:persistent:2757:2757","FILE:/var/kerberos/krb5/user/2757/client.keytab",true,1450679489,0,null,"<PASSWORD>"]]   

I appreciate these extensions may not be your responsibility but I've hunted everywhere on the web for help and had no luck... So any help you can give me with this would be really appreciated.

By the way this is all done in python 2.7.5.

Cheers,

Morgan

RFC 6680: Generic Security Service Application Programming Interface (GSS-API) Naming Extensions

https://tools.ietf.org/html/rfc6680

When determinig whether given credentials are valid, I currently need to inquire them and catch an exception. Like this:

try:
    cred.lifetime
    # valid
except ExpiredCredentialsError:
    # invalid

It would be nice if the Credentials object itself had a valid property that would provide this information.

MIT krb5 refuses to inquire about partially established contexts, meaning SecurityContext.complete will fail unless it would return True. This hasn't been an issue so far, since MIT krb5 negotiation seems to generally complete in one round trip. However, it could be an issue in the future.

The demo is failing on the constant gssapi.C_NT_HOSTBASED_SERVICE in CentOS 6.

• Python 2.7.9
• OSX 10.10.5

import gssapi

# Create a Name identifying the target service
service_name = gssapi.Name('HTTP@<myserver>', gssapi.C_NT_HOSTBASED_SERVICE)
# Create an InitContext targeting the demo service
ctx = gssapi.InitContext(service_name)

# Loop sending tokens to, and receiving tokens from, the server
# until the context is established
in_token = None
while not ctx.established:
    out_token = ctx.step(in_token)
    if out_token:
        send_to_server(out_token)
    if ctx.established:
        break
    in_token = receive_from_server()
    if not in_token:
        raise Exception("No response from server.")

print("Successfully authenticated.")

Output

Traceback (most recent call last):
  File "foo.py", line 1, in <module>
    import gssapi
  File "/Users/rgil/kerb/gssapi.py", line 4, in <module>
AttributeError: 'module' object has no attribute 'Name'

building 'gssapi.raw.ext_password_add' extension
x86_64-pc-linux-gnu-gcc -pthread -fPIC -I/usr/include/python3.4 -c gssapi/raw/ext_password_add.c -o build/temp.linux-x86_64-3.4/gssapi/raw/ext_password_add.o -DHAS_GSSAPI_EXT_H
x86_64-pc-linux-gnu-gcc: error: gssapi/raw/ext_password_add.c: No such file or directory
x86_64-pc-linux-gnu-gcc: fatal error: no input files
compilation terminated.
In distributed package, building from C files...
error: command 'x86_64-pc-linux-gnu-gcc' failed with exit status 1

The readme does not reflect the current state of the project, and should be updated

According to 2744, the input_cred_handle parameter to add_cred_impresonate_name can be GSS_C_NO_CREDENTIAL (i.e., 0). The current logic forces input_cred to be not None, which goes against this.

This needs to be done before we start adding more features in again.

We should be able to compile on OS X without having to manually set any environment variables.

We'll need to support python3.5 before it's required in distros.

Tracker for Debian

It may be good to import channel bindings with the high level API, as currently they are not.

RFC 4178 contains two methods for use with SPENGO:

• gss_set_neg_mechs
• gss_get_neg_mechs (not implemented in MIT krb5)

These are useful to constrain the mechanisms that SPENGO can use

We can either push docs to pythonhosted.org or readthedocs.org (both common Python docs hosting sites).

Currently, SecurityContext#delegated_creds is just a normal instance attribute of SecurityContext, which means that it can be accidentally overwritten, and it does not show up in the documentation. This should be fixed.

gssapi/raw/misc.pyx:291 - error handling incorrectly sets encoding to language name instead of encoding name (selecting the first element of tuple instead of second) when LC_MESSAGES is set, causing LookupError to be raised, hiding the original exception

The current documentation is a little sparse in terms of things like introductions and examples. It should have these. Also, a bit of styling work couldn't hurt either (e.g. on the arguments tables).

These extensions are useful as a stopgap for applications looking to move from bindings to libkrb5 to our bindings to GSSAPI, especially gss_krb5_ccache_name().

The demo is failing on the constant gssapi.C_NT_HOSTBASED_SERVICE in CentOS 6.

• krb5-libs-1.10.3-37.el6_6.x86_64
• Python 2.6.6

import gssapi

# Create a Name identifying the target service
service_name = gssapi.Name('HTTP@<myserver>', gssapi.C_NT_HOSTBASED_SERVICE)
# Create an InitContext targeting the demo service
ctx = gssapi.InitContext(service_name)

# Loop sending tokens to, and receiving tokens from, the server
# until the context is established
in_token = None
while not ctx.established:
    out_token = ctx.step(in_token)
    if out_token:
        send_to_server(out_token)
    if ctx.established:
        break
    in_token = receive_from_server()
    if not in_token:
        raise Exception("No response from server.")

print("Successfully authenticated.")

Output

Traceback (most recent call last):
  File "foo.py", line 4, in <module>
    service_name = gssapi.Name('[email protected]', gssapi.C_NT_HOSTBASED_SERVICE)
AttributeError: 'module' object has no attribute 'C_NT_HOSTBASED_SERVICE'

Reproducer:
python -c 'import gssapi as g;n=g.Name("x");n.display_as(g.MechType.mro)'

Stacktrace:
Traceback (most recent call last):
File "", line 1, in
File "/usr/lib64/python2.7/site-packages/gssapi/names.py", line 145, in display_as
return rname_rfc6680.display_name_ext(self, name_type).encode(
TypeError: Argument 'name_type' has incorrect type (expected gssapi.raw.oids.OID, got builtin_function_or_method)

Running Fedora Rawhide with python-gssapi-1.1.2-1.fc24.x86_64
#77 seems related

The high-level API has support for the import-export extension, but there's no low-level support for it.

http://k5wiki.kerberos.org/wiki/Projects/Export_import_cred

We may wish to consider supporting Windows at some point

Currently, python-gssapi needs python-six and python-decorator available to work. We need to actually specify this.

The low-level API is missing a wrapper for gss_add_cred. This is a problem, since the functionality is exposed to the high-level API.

I'm hopefully using the correct type this time but still getting segfault. Also seems to happen with other name types.
Reproducer:
python -c 'import gssapi as g;n=g.Name("x");n.display_as(g.NameType.kerberos_principal)'

Stack:
#0 0x00007fffef31a46f in gss_display_name_ext () from /lib64/libgssapi_krb5.so.2
#1 0x00007fffeb29416d in __pyx_pw_6gssapi_3raw_11ext_rfc6680_1display_name_ext ()

from /usr/lib64/python2.7/site-packages/gssapi/raw/ext_rfc6680.so
#2 0x00007ffff7af28be in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#3 0x00007ffff7af2666 in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#4 0x00007ffff7af36b4 in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#5 0x00007ffff7af37d9 in PyEval_EvalCode () from /lib64/libpython2.7.so.1.0
#6 0x00007ffff7b0cbdf in run_mod () from /lib64/libpython2.7.so.1.0
#7 0x00007ffff7b0da54 in PyRun_StringFlags () from /lib64/libpython2.7.so.1.0
#8 0x00007ffff7b0f36b in PyRun_SimpleStringFlags () from /lib64/libpython2.7.so.1.0
#9 0x00007ffff7b20b80 in Py_Main () from /lib64/libpython2.7.so.1.0
#10 0x00007ffff6d3f630 in __libc_start_main () from /lib64/libc.so.6
#11 0x0000555555554839 in _start ()

Version info:
Running freshly installed Fedora Rawhide.
python-gssapi-1.1.2-1.fc24.x86_64
krb5-libs-1.13.2-6.fc23.x86_64

currently, Credentials.acquire supports the store argument, but Credentials.add does not.

This should be remedied.

A couple of methods recently got changed so that they can accept None for certain arguments that were previously marked not None (e.g. acquire_cred). These methods should have those arguments have default values of None so that the methods don't have to be called like acquire_cred(None).

The following two methods seem to be missing from the low-level API:

• inquire_names_for_mech
• inquire_mechs_for_name

(both are in RFC 2744)

Both the low level and the high level API unconditionally try at any step of the context extablishment (on the acceptor side) to return delegated credentials and create the appropriate classes.

Delegated credentials are returned only if the context establishment return GSS_S_COMPLETE and are undefined in any other step.

In the high level API care need to be taken so that if the lower level returns None the delegated_creds should be set straight to None as well, as calling Credentials(None) will istead try to fetch the default credentials for the process, and that is an error.

Currently, we use a vendored k5test. I've extracted k5test (https://github.com/pythongssapi/k5test) and placed it on PyPI, so it should be fine to switch to using that and remove our vendored version.

We should add the specific errors that a method can throw to the documentation (since the RFC documents this). If supplementary errors can be thrown, just use document the SupplementaryError class.

• low-level API documented
• high-level API documented

The following "public" files are missing documentation

• creds.py
• names.py
• sec_contexts.py
• exceptions.py

The following "private" files are missing documentation

• _utils.py

There are four related methods that are part of the Solaris extensions:

• gss_localname
• gss_userok
• gss_pname_to_uid
• gss_authorize_localname

(we should probably also have, optionally, GSS_C_ATTR_LOCAL_LOGIN_USER as well)

The enum34 requirement fails to build properly when running pip install gssapi under python 3.5.
As the enum34 package is unnecessary for python3.5, would it be possible to publish a new release containing the fix in d4b5c71?

Collecting enum34 (from gssapi==1.1.3->-r requirements.txt (line 14))
Downloading enum34-1.0.4.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "/tmp/pip-build-sfiuv82x/enum34/enum/init.py", line 371, in getattr
return cls.member_map[name]
KeyError: '_convert'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 3, in <module>
  File "/home/travis/virtualenv/python3.5.0/lib/python3.5/site-packages/setuptools/__init__.py", line 11, in <module>
    from setuptools.extension import Extension
  File "/home/travis/virtualenv/python3.5.0/lib/python3.5/site-packages/setuptools/extension.py", line 8, in <module>
    from .dist import _get_unpatched
  File "/home/travis/virtualenv/python3.5.0/lib/python3.5/site-packages/setuptools/dist.py", line 16, in <module>
    from setuptools.depends import Require
  File "/home/travis/virtualenv/python3.5.0/lib/python3.5/site-packages/setuptools/depends.py", line 6, in <module>
    from setuptools import compat
  File "/home/travis/virtualenv/python3.5.0/lib/python3.5/site-packages/setuptools/compat.py", line 45, in <module>
    import http.client as httplib
  File "/opt/python/3.5.0/lib/python3.5/http/client.py", line 71, in <module>
    import email.parser
  File "/opt/python/3.5.0/lib/python3.5/email/parser.py", line 12, in <module>
    from email.feedparser import FeedParser, BytesFeedParser
  File "/opt/python/3.5.0/lib/python3.5/email/feedparser.py", line 27, in <module>
    from email import message
  File "/opt/python/3.5.0/lib/python3.5/email/message.py", line 16, in <module>
    from email import utils
  File "/opt/python/3.5.0/lib/python3.5/email/utils.py", line 29, in <module>
    import socket
  File "/opt/python/3.5.0/lib/python3.5/socket.py", line 73, in <module>
    IntEnum._convert(
  File "/tmp/pip-build-sfiuv82x/enum34/enum/__init__.py", line 373, in __getattr__
    raise AttributeError(name)
AttributeError: _convert

We should have Travis CI set up to automatically test PR and commits.

Obviously, these are not good to have.

We should support mutating the current credentials object with add_cred, which is possible if NULL is passed as the output cred object in the C API. We should follow up with a change to the high-level API

In a fashion similar to #29, set more arguments that can be None (or that have a reasonable "default" value) to that value. It was pointed out in #35 that this will require breaking API, so this is slated for 2.0.0.

Further investigation into how nice/nasty this makes the codebase pending.

So, I went and compared the gssapi.h and gssapi_ext.h files with Python-GSSAPI to look for any extensions and/or additional RFCs that we missed.

Extensions (as indicated by being in gssapi_ext.h, for the most part)

Solaris

• buffer GSS_C_ATTR_LOCAL_LOGIN_USER
• gss_localname ( #49 )
• gss_pname_to_uid ( #49 )
• gss_userok ( #49 )
• gss_authorize_localname ( #49 )
• gss_acquire_cred_with_password ( #5 )
• gss_add_cred_with_password ( #5 )

GGF (Global Grid Forum) ( #51 )

• gss_inquire_sec_context_by_oid
• gss_inquire_cred_by_oid
• gss_set_sec_context_option
• gssapi_mech_invoke ??
• gss_import_cred (GGF variant, nobody implements this)
• gss_export_cred (GGF variant, nobody implements this)

AEAD / SSPI (DCE)

• gss_wrap_aead ( #6 )
• gss_unwrap_aead ( #6 )
• OID GSS_C_INQ_SSPI_SESSION_KEY
• gss_complete_auth_token
• gss_wrap_iov ( #6 )
• gss_unwrap_iov ( #6 )
• gss_wrap_iov_length ( #6 )

IOV MIC

• gss_get_mic_iov ( #6 )
• gss_get_mic_iov_length ( #6 )
• gss_verify_mic_iov ( #6 )

Services4User

• gss_acquire_cred_impersonate_name
• gss_add_cred_impersonate_name

Naming Extensions (actually RFC 6680)

• OID GSS_C_NT_COMPOSITE_EXPORT
• gss_display_name_ext
• gss_inquire_name
• gss_get_name_attribute
• gss_set_name_attribute
• gss_delete_name_attribute
• gss_export_name_composite

Capsulate (draft-josefsson-gss-capsulate)

• gss_encapsulate_token
• gss_decapsulate_token
• gss_oid_equal

Cred Store

• gss_acquire_cred_from
• gss_add_cred_from
• gss_store_cred_into

Cred Import/Export

• gss_export_cred ( #25 )
• gss_import_cred ( #25 )

Credentials Options (see #51 (comment))

• gss_set_cred_option

Additional RFCs (in gssapi.h)

RFC 4401 (Pseduo-Random Generators)

• gss_pseudo_random

RFC 5588 (Store Cred)

• gss_store_cred

RFC 4178 (SPNEGO)

• gss_set_neg_mechs ( #50 )
• gss_get_neg_mechs (NOT ACTUALLY PRESENT)

RFC 5587 (Mechanism Inquiry)

• gss_indicate_mechs_by_attrs
• gss_inquire_attrs_for_mech
• gss_display_mech_attr

RFC 5801 (GSSAPI-SASL Naming)

• gss_inquire_saslname_for_mech
• gss_inquire_mech_for_saslname

Mechanism Specific Extensions

Krb5 Specific Extensions (gssapi_krb5.h) (#75)

• GSS_KRB5_NT_PRINCIPAL_NAME
• gss_krb5_ccache_name
• gss_krb5_copy_ccache (use case unclear, deprecated on macOS)
• gss_krb5_get_tkt_flags
• gss_krb5_set_allowable_enctypes
• gss_krb5_export_lucid_sec_context
• gss_krb5_free_lucid_sec_context
• gsskrb5_extract_authz_data_from_sec_context
• gsskrb5_extract_authtime_from_sec_context

The following functionality is also available through the cred_store API
extensions so we may elect not to implement them at all:

• gss_krb5_set_cred_rcache (not implemented by Heimdal)
• gss_krb5_import_cred (implemented because Heimdal doesn't support cred store extensions)

• gss_inquire_sec_context_by_oid
• gss_inquire_cred_by_oid
• gss_set_sec_context_option
• gss_set_cred_option (probably not GGF)
• gss_{import,export}_cred (GGF variants, nobody implements them, so we should just skip them)

The following "public" low-level API files are missing documentation:

• chan_bindings.pyx
• oids.pyx
• ext_rfc5588.pyx
• ext_cred_store.pyx
• exceptions.pyx (probably just document file itself, not error classes)
• creds.pyx (inquire_cred, inquire_cred_by_mech)

The following "private" low-level API files are missing documentation:

• types.pyx (GenericFlagSet and IntEnumFlagSet)
• mech_krb5.pyx
• cython_converters.pyx (c_make_oid)

Since the latest incremental release includes our exports changes, it should be sufficient to test on 1.13. That being the case, we should be able to cease testing master for the present.

Reproducer:
python -c 'import gssapi as g;n=g.Name("x");n.display_as(g.MechType.kerberos)'

Stack:
#0 0x00007fffef2da46f in gss_display_name_ext () from /lib64/libgssapi_krb5.so.2
#1 0x00007fffeb29416d in __pyx_pw_6gssapi_3raw_11ext_rfc6680_1display_name_ext ()

from /usr/lib64/python2.7/site-packages/gssapi/raw/ext_rfc6680.so
#2 0x00007ffff7af28be in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#3 0x00007ffff7af2666 in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#4 0x00007ffff7af36b4 in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#5 0x00007ffff7af37d9 in PyEval_EvalCode () from /lib64/libpython2.7.so.1.0
#6 0x00007ffff7b0cbdf in run_mod () from /lib64/libpython2.7.so.1.0
#7 0x00007ffff7b0da54 in PyRun_StringFlags () from /lib64/libpython2.7.so.1.0
#8 0x00007ffff7b0f36b in PyRun_SimpleStringFlags () from /lib64/libpython2.7.so.1.0
#9 0x00007ffff7b20b80 in Py_Main () from /lib64/libpython2.7.so.1.0
#10 0x00007ffff6d3f630 in __libc_start_main () from /lib64/libc.so.6
#11 0x0000555555554839 in _start ()

Version info:
Running freshly installed Fedora Rawhide.
python-gssapi-1.1.2-1.fc24.x86_64
krb5-libs-1.13.2-6.fc23.x86_64