Comments (7)
First of all, thanks for working on this API. By far the most usable solution I've found on the web so far. And the docs are pretty good too! This is not a bug, I'm just looking for help implementing something using your wrapper.
Hi! Thanks, hopefully we can provide some assistance as well.
I'm having some trouble with the acquire_cred_from() method. Which I see is an extension, but I'm wondering if you can help me. I've done a kinit as a user, and I'm hoping to use this method to acquire the cred and forward it to a remote host. Am I understanding this function correctly?
I think you probably want init_sec_context(), if I understand what you're trying to do correctly. The normal workflow is that one end of a connection will call init_sec_context() and send the resulting payload to the other end, while the other end calls accept_sec_context() on the payload.
In your documentation it says that the cred store needs to be a dict. Do you know what information needs to be in the dict?
We do a conversion of the Python dict to the format that the underlying GSSAPI layer expects without checking presence/absence of fields, since there are different ways to call this function. Unfortunately this extension didn't get an RFC, so the best documentation available on what it can take seems to be our test, or if you're more familiar with C, krb5's test and the thing that calls it. Digging through the krb5 source, it appears that the possible ways to call here are None (which translates to GSS_C_NO_CRED_STORE) or as a dict possibly containing entries for any of: "ccache", "client_keytab", "keytab", or "rcache". @DirectXMan12 since you wrote the code that interfaces with the cred store extension, do you have anything to add here?
I have one other question, which is about the acquire_cred_with_password() function. It seems that when I use that function to acquire credentials, my password is stored in plain text in the credentials object. Is this expected behaviour?
We don't do any fancy handling on credentials objects, so I expect that it is. However, this is probably not an issue since credentials are generally treated as secret: that is, one does not pass credentials around the network, to untrusted parties, etc. (see above for more information on how the handshake usually works). If, on the other hand, you're concerned about processes having direct access to credentials, the GSS-Proxy might be able to help.
Hope that helps!
I'm having some trouble with the acquire_cred_from() method. Which I see is an extension, but I'm wondering if you can help me. I've done a kinit as a user, and I'm hoping to use this method to acquire the cred and forward it to a remote host. Am I understanding this function correctly?
I think you probably want init_sec_context(), if I understand what you're trying to do correctly. The normal workflow is that one end of a connection will call init_sec_context() and send the resulting payload to the other end, while the other end calls accept_sec_context() on the payload.
To provide further detail, by default, acquiring credentials is done from "default" locations -- the main ccache and keytab. If the user has already kinited, these credentials will become the "default" credentials in GSSAPI; if you acquire credentials (using acquire_cred or the Credentials constructor) with no name, or if you pass no credentials to init_sec_context/the SecurityContext constructor, these are the credentials that will be used. acquire_cred_from is used if you need to acquire from an alternate ccache or keytab that is not the main one.
Digging through the krb5 source, it appears that the possible ways to call here are None (which translates to GSS_C_NO_CRED_STORE) or as a dict possibly containing entries for any of: "ccache", "client_keytab", "keytab", or "rcache". @DirectXMan12 since you wrote the code that interfaces with the cred store extension, do you have anything to add here?
That's correct, AFAIK.
However, this is probably not an issue since credentials are generally treated as secret: that is, one does not pass credentials around the network, to untrusted parties, etc. (see above for more information on how the handshake usually works).
It's important to note that export_cred is designed to be used to pass credentials between threads and processes, not over the network. If all you want to do is establish a session with a remote host (for auth, encryption, or both), you simply want to establish a security context. If you're trying to delegate credentials (so that the remote host can establish a new context on behalf of the user), you'll need to have used kinit -f to get a forwardable ticket (see, for instance, https://github.com/pythongssapi/python-gssapi/blob/master/gssapi/tests/test_raw.py#L435, which shows an S4U delegation).
Hi guys,
Sorry for the slow reply.
Thanks for all the information, this has cleared up so many things about the API. After posting the question I realised I should have been using Credentials.acquire(). I'm just writing some point to point communication using Twisted so that I can try the init_sec_context with another host. This info will make the gssapi part of that process much easier.
Out of curiosity, if I wanted to use a different credentials store, what could I use to store the creds? Would I have to store in a file or could I store in a database of some sort?
Again, cheers for the help, guys. If you want a hand writing docs, let me know. Understanding Kerberos and GSSAPI has been a pretty steep learning curve!
Cheers,
Morgan
Out of curiosity, if I wanted to use a different credentials store, what could I use to store the creds? Would I have to store in a file or could I store in a database of some sort?
The "store" part is controlled by the underlying mechanism's library (for instance MIT krb5). Each mechanism has different "stores" that it accepts -- krb5 has "ccache", "client_keytab", "keytab", or "rcache", which are all file-based, IIRC.
If you want a hand writing docs, let me know.
We'd be happy to have PRs with any documentation fixes that you think would make things clearer.
On Thu, 2016-01-07 at 10:15 -0800, Solly Ross wrote:
Out of curiosity, if I wanted to use a different credentials store, what could I use to store the creds? Would I have to store in a file or could I store in a database of some sort?
The "store" part is controlled by the underlying mechanism's library (for instance MIT krb5). Each mechanism has different "stores" that it accepts -- krb5 has "ccache", "client_keytab", "keytab", or "rcache", which are all file-based, IIRC.
All these stores can be fully qualified with a type, so they are not necessarily file-based (though a missing identifier defaults to FILE:).
If you want a hand writing docs, let me know.
We'd be happy to have PRs with any documentation fixes that you think would make things clearer.
+1
Simo.
Simo Sorce * Red Hat, Inc * New York
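Added example illustrating the two points made above (the init_sec_context/accept_sec_context exchange, and the krb5 cred store dict whose values default to FILE: when no type prefix is given); this is my code, not code from python-gssapi or from anyone in this thread, and the service name and store paths are placeholders.

```python
"""Added example; not code from python-gssapi or the people in this thread.
build_cred_store() normalises the krb5 cred-store dict accepted by
Credentials(store=...) / acquire_cred_from(), making the "no type prefix
means FILE:" default explicit; run_handshake() drives the init/accept loop
in one process and needs a KDC, so the gssapi import is deferred."""

# Store keys MIT krb5 understands, as listed in the thread.
KRB5_STORE_KEYS = ("ccache", "client_keytab", "keytab", "rcache")


def build_cred_store(**entries):
    """Return a cred-store dict with every value qualified as TYPE:residual."""
    store = {}
    for key, value in entries.items():
        if key not in KRB5_STORE_KEYS:
            raise ValueError(f"unknown cred store key {key!r}; expected one of {KRB5_STORE_KEYS}")
        if not value:
            raise ValueError(f"empty value for cred store key {key!r}")
        # Simplification (assumption): a value with no "TYPE:" prefix is a bare
        # path, which krb5 treats as FILE:; Windows drive letters are not handled.
        type_name, sep, _ = value.partition(":")
        if not sep or not type_name.isalnum():
            value = "FILE:" + value
        store[key] = value
    return store


def run_handshake(target_service, initiator_store=None, acceptor_store=None):
    """Complete a context in-process and return the authenticated initiator name.
    target_service is a host-based name like "host@server.example" (placeholder);
    a store of None means the default ccache/keytab locations."""
    import gssapi  # requires python-gssapi and a working krb5 environment

    init_creds = gssapi.Credentials(usage="initiate", store=initiator_store)
    acc_creds = gssapi.Credentials(usage="accept", store=acceptor_store)
    target = gssapi.Name(target_service, gssapi.NameType.hostbased_service)
    initiator = gssapi.SecurityContext(name=target, creds=init_creds, usage="initiate")
    acceptor = gssapi.SecurityContext(creds=acc_creds, usage="accept")

    token = initiator.step()          # first payload, "sent" to the acceptor
    for _ in range(8):                # krb5 needs at most two round trips
        if initiator.complete and acceptor.complete:
            return str(acceptor.initiator_name)
        if token is None:
            raise RuntimeError("handshake stalled: context incomplete, nothing to send")
        token = acceptor.step(token)  # acceptor consumes it and may reply
        if token is not None:
            token = initiator.step(token)
    raise RuntimeError("handshake did not converge")
```

In a real deployment the two SecurityContext objects live on different hosts and only the token bytes cross the network; the Credentials objects (which, as noted above, may hold the password) never leave the process.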
(Closing this for triage reasons. If you have more questions, please do ask them on irc or here; we are happy to help.)
Thanks for all the help guys. Really appreciate it.
I've been busy with other things lately, but I'll be coming back to this in a month or so and will have some PRs for docs, specifically with some working examples that we can pull (and probably change) from my code.
Again, thanks a lot!