Using Kerberos from Python

Similar documents
Network Working Group. Category: Informational Cisco Systems J. Brezak Microsoft February 2002

AUTHENTICATION APPLICATION

PROGRAMMING ASSIGNMENTS 3 & 4 TAO

Persistent key, value storage

SSL/TLS. How to send your credit card number securely over the internet

Configuring Kerberos

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

CSEP 561 Connections. David Wetherall

The KX.509 Protocol. William Doster Marcus Watts Dan Hyde University of Michigan ABSTRACT

Replay Caching is a Pain

Overview of Kerberos(I)

P2P Programming Assignment

IEMS 5780 / IERG 4080 Building and Deploying Scalable Machine Learning Services

The Kerberos Authentication System Course Outline

Configuring Kerberos

Introduction to Network. Topics

The Kerberos Authentication Service

Configuring SSL. SSL Overview CHAPTER

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Radius, LDAP, Radius, Kerberos used in Authenticating Users

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

CS454/654 Midterm Exam Fall 2004

MODELS OF DISTRIBUTED SYSTEMS

User Security Configuration Guide, Cisco IOS XE Fuji 16.8.x (Cisco ASR 920 Routers)

CPS221 Lecture: Layered Network Architecture

CSE 461 Connections. David Wetherall

Configuring SSL CHAPTER

Kerberizing Applications Using Security Support Provider Interface

Secure RTP Library API Documentation. David A. McGrew Cisco Systems, Inc.

Configuring SSL. SSL Overview CHAPTER

Kerberos MIT protocol

SOCKET. Valerio Di Valerio

Highwinds CDN Content Protection Products. August 2009

Configuring Virtual Servers

A set of processes distributed over a network that communicate via messages. Processes communicate via services offered by the operating system

b) Diverse forms of physical connection - all sorts of wired connections, wireless connections, fiber optics, etc.

IP Security. Have a range of application specific security mechanisms

CSEP 561 Connections. David Wetherall

MODELS OF DISTRIBUTED SYSTEMS

IP Security IK2218/EP2120

Inspirel. YAMI4 Requirements. For YAMI4Industry, v page 1

ELEC / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Connections. Topics. Focus. Presentation Session. Application. Data Link. Transport. Physical. Network

RADIUS Attributes Overview and RADIUS IETF Attributes

Chapter 21 RIP Configuration Guidelines

MatrixDTLS Developer s Guide

Transport Layer. Gursharan Singh Tatla. Upendra Sharma. 1

Pemrograman Jaringan Network Client

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

Data Communication & Networks G Session 7 - Main Theme Networks: Part I Circuit Switching, Packet Switching, The Network Layer

Transport Layer (TCP/UDP)

Authentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005

LECTURE 10. Networking

PPP Configuration Options

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Networking: Network layer

Network Address Translators (NATs) and NAT Traversal

EE 610 Part 2: Encapsulation and network utilities

QUIZ. What is wrong with this code that uses default arguments?

Programming Assignment 1 (30 pts) A Client Dynamically Accessing Servers Using the Net Oracle

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Network Working Group Request for Comments: 4120 Obsoletes: 1510 Category: Standards Track K. Raeburn MIT July 2005

CSE 461 Module 11. Connections

ECE 650 Systems Programming & Engineering. Spring 2018

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS

CS118 Discussion 1A, Week 3. Zengwen Yuan Dodd Hall 78, Friday 10:00 11:50 a.m.

Introduction to TCP/IP networking

BIG-IP Local Traffic Management: Profiles Reference. Version 12.1

Kerberos V5. Raj Jain. Washington University in St. Louis

Request for Comments: 3989 Category: Informational T. Taylor Nortel February Middlebox Communications (MIDCOM) Protocol Semantics

keepalive (isakmp profile)

20-CS Cyber Defense Overview Fall, Network Basics

Kerberized NFS 2010 Kerberos Conference

Configuring Security on the GGSN

Transport Layer Security

CSCI-GA Operating Systems. Networking. Hubertus Franke

precise rules that govern communication between two parties TCP/IP: the basic Internet protocols IP: Internet protocol (bottom level)

Operating Systems. 18. Remote Procedure Calls. Paul Krzyzanowski. Rutgers University. Spring /20/ Paul Krzyzanowski

It Just (Net)works. The Truth About ios' Multipeer Connectivity Framework. Alban

Pemrograman Jaringan Web Client Access PTIIK

Interprocess Communication

How to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x

(Refer Slide Time: 1:09)

Chapter 9: Key Management

Computer Networks Prof. Ashok K. Agrawala

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

CS 640 Introduction to Computer Networks Spring 2009

Internet Protocol and Transmission Control Protocol

Networking Technologies and Applications

Updates from MIT Kerberos

Internet Technology 3/2/2016

Programming Assignment 3: Transmission Control Protocol

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

Radiator Carrier Module

Covert TCP/IP network channels using Whitenoise protocol. Michal Rogala.

Secure Networking with NAT Traversal for Enhanced Mobility

CSCI 466 Midterm Networks Fall 2013

Internet Technology. 06. Exam 1 Review Paul Krzyzanowski. Rutgers University. Spring 2016

Introduction to Information Science and Technology 2017 Networking II. Sören Schwertfeger 师泽仁

Lecture 11: Middleboxes and NAT (Duct tape for IPv4)

Transcription:

Using Kerberos from Python Release 0.1 Fred L. Drake, Jr. and Roger E. Masse Copyright c 1998 by Corporation for National Research Initiatives. May 15, 1998 Corporation for National Research Initiatives 1895 Preston White Dr., Reston, Va 20191 E-mail: fdrake@cnri.reston.va.us, rmasse@cnri.reston.va.us All Rights Reserved See the file LICENSE for licensing information. You must agree to the terms of the license before using this software. Using this software constitutes your acknowledgment that you have read and agreed to the terms and conditions of the License Agreement. The License Agreement will be effective as of the date of your first use of this software. To access the original software package, including the License Agreement, use the following unique identifier (which is resolvable using the Handle System): hdl:1895.22/1001. Abstract This document describes modules developed to allow access to Kerberos V5 from Python. We have developed a object-oriented approach to using some Kerberos V5 facilities which allows much of the tedium to be hidden from the application programmer. A wrapper module for Python s socket module provides an integration which is largely transparent. Contents 1 Extension Module krb5 2 1.1 Kerberos Principals............................................ 2 1.2 Authentication Contexts......................................... 3 Common Methods and Attributes..................................... 3 UDPAuthenticationContext Constructors................................. 3 TCPAuthenticationContext Constructors................................. 4 TCPAuthenticationContext Methods................................... 4 1.3 Utility Functions............................................. 5 1.4 Constants................................................. 5 Application Request Options....................................... 5 Authentication Context Options..................................... 5 Error Code Constants........................................... 6 2 Module ksocket 6 2.1 KStreamSocket Methods......................................... 6

1 Extension Module krb5 The krb5 module provides Kerberos V5 services to Python. The detailed Kerberos API is hidden behind a more intelligible API that can be used from Python. Understanding Kerberos is required before this module can be used effectively. Only two objects really need to be exposed to the Python programmer: the Principal and the Authentication Context. The Authentication Context comes in two varieties, one for use with UDP-based channels and another for TCP connections. The API for the TCP variety is a superset of the API for the UDP flavor. For all krb5 operations, a single exception has been defined: Krb5Error Raised when a Kerberos-specific error is raised. Instances have two attributes: err code is the numeric error code returned by the Kerberos library, and message is the standard error message provided by the error message() function used within Kerberos. These values may also be retrieved by unpacking the exception instance: try: krb5.send_auth(...) except krb5.krb5error, (err_code, message): print "Failed:", message Some Krb5Error exceptions are raised with an err code of 0; these are not a mistake! These are real errors which don t have specific error code assignments from Kerberos. The message attribute holds an explanation in all cases. Note that socket.error may be raised by some functions and methods if appropriate. 1.1 Kerberos Principals Three functions are provided to support retrieval of Kerberos Principal objects. All of these return objects of the type PrincipalType. get principal(name) Return a Principal object corresponding to a fully-formed string representation, such as splat@realm.we.live.in. If the name is not parsable, Krb5Error is raised with an err code attribute of KRB5 PARSE MALFORMED. get login principal() Retrieve the default principal. get svc principal(svcname[, hostname]) Return a principal for a specific service. If hostname is omitted or the empty string, the local hostname is used. Note that Kerberos does not in any way validate that the specified service exists. PrincipalType The type of the Principal objects returned from get principal(), get login principal(), and get svc principal(). Principal objects provide some useful methods and data attributes: name() Return the fully-formed name of the principal, suitable for passing to get principal() at a later time. The name includes the realm. realm() Return only the realm portion of the Principal name. host 2 1 Extension Module krb5

For principals created using get svc principal(), this is the fully-qualified domain name for the machine on which the service should be found. For all other principals, this is None. service For principals created using get svc principal(), this is the name of the serivce passed in. For all other principals, this is None. 1.2 Authentication Contexts Common Methods and Attributes See the set- getflags() Return the bitwise-or of the current operational parameters for the Authentication Context. flags() method. setflags(flags) Set operational parameters for the the Authentication Context. Valid flags supported for this module include KRB5 AUTH CONTEXT DO TIME and KRB5 AUTH CONTEXT DO SEQUENCE. Parameters to use should be bitwise-or ed together and passed as flags. mk safe(string) Return an encoded version of string which includes an encrypted checksum of string; only the remote principal should be able to decode the checksum and be able to verify that string actually arrived from the sender unmodified. This does not provide privacy. rd safe(data) Return a string encapsulated in data with an encrypted checksum and verify the checksum and sender identity. If the checksum or sender doesn t match, Krb5Error is raised. mk priv(string) Return an encoded version of string which includes an encrypted form of string; only the remote principal should be able to decode the original string and be able to verify that string actually arrived from the sender unmodified. rd priv(data) Return the plaintext encapsulated in data and verify the sender s identity. Krb5Error is raised. These attributes of Authentication Contexts are provided on a read-only basis: local The local principal used for the authentication context. remote The remote principal used for the authentication context. If the sender doesn t match, UDPAuthenticationContext Constructors These functions are used to construct Authentication Contexts for use with UDP sockets. Use the constructors described below for in association with TCP sockets. mk req(sprinc, local addr, remote addr[, options]) Create an Authentication Context for use in communication with a remote server. This is used by a client initiating communication. The principal representing the server being contacted is passed as sprinc. The two addresses, local addr and remote addr, are both internet addresses represented as the tuple (host, port). The application request options should be passed as a bitwise-or of option values in options. Valid options are AP OPTS USE SESSION KEY and AP OPTS MUTUAL REQUIRED. The return value is a tuple of the Authentication Context and s string representing the first packet which should be sent to the server. 1.2 Authentication Contexts 3

rd req(sprinc, data, local addr, remote addr) Create an Authentication Context based on data read from an incoming packet. This is used on a server to authenticate incoming communications. The server principal is passed as sprinc and the data from the first packet received from the client is passed as a string in data. The two address are as described for mk req(). UDPAuthenticationContextType Type of the Authentication Context object returned by mk req() and rd req(). TCPAuthenticationContext Constructors send auth(sock, cprinc, sprinc[, options]) Begin a Kerberos authorization sequence (typically performed on the client). For the operation to complete, the corresponding server (on the other end of sock, a connected socket object) must do a corresponding recv auth(). sock may be a Python socket object or an int object corresponding to sock.fileno(). cprinc and sprinc are the client and server Principal objects respectively. Subsequent calls to block read/write methods implicitly use sock for transport. The authentication context object is returned upon successful validation of the client and server principals recv auth(sock, sprinc) Complete a Kerberos authorization sequence (typically performed on the server). recv auth() blocks until a corresponding send auth() is issued by the peer on the client end of the connected sock. sprinc is the server principal (for yourself). The authentication context object is returned upon successful validation of the client (read from sock) and server principals. TCPAuthenticationContextType Type of the Authentication Context object returned by send auth() and recv auth(). TCPAuthenticationContext Methods The block reading and writing methods are unique to the TCP variant of the Authentication Context object because of the requirement that they operate only over a connected socket. These methods allow the sender to send arbitrarily large amounts of data with a single block write and be assured that the receiver will allocate enough storage behind the scenes to complete the corresponding block read. These methods may raise socket.error on socket failures. block read() Read the what was sent by a corresponding block write(), block write safe(), or block write priv() call. the return value is a tuple containing the type, of the corresponding write from the set:, safe, priv, followed by the read data as a string object. block write(string) Write the contents of the argument over the connected socket. corresponding block read() will return the type followed by the read string in the form of a tuple. If string equals Hello World, than the corresponding block read() will return (, Hello World ). With type returned as the empty string, the indication is that no further Kerberos layer checking was performed apart from what was done during the call to the constructor send auth() (initial handshake). This is the least secure and highest performing variant of the block write methods. block write safe(string) Write the contents of the argument over the connected socket. If string equals Hello World, then the corresponding block read() will return the tuple: ( safe, Hello World ). With type returned as safe, the indication is that the block was checksummed and the checksum data encrypted for transport and that the decrypted checksum matched that of the data read. (i.e the block was not tampered with) The data itself, however, was passed in the clear. block write priv(string) Write the contents of the argument over the connected socket. If string equals Hello World, then the 4 1 Extension Module krb5

corresponding block read() will return the tuple: ( priv, Hello World ). With type returned as priv, the indication is that the block was encrypted for transport and successfully decrypted on by the reader. This is the most secure and lowest performance variant of the block write methods. 1.3 Utility Functions Some utility functions provided by the Kerberos library are exported to the Python programmer. These functions allow the programmer to query certain aspects of the Kerberos configuration. get default realm() Returns the realm used when no realm is specified in a principal name. get krbhst(realm) Returns a list of host names which will be used to locate the Key Distribution Center. The following functions may raise socket.error. They are not particularly tied to Kerberos other than being provided by the Kerberos library. net read(sock, length) Low level read function on a connected socket. net read() is not an attribute of TCPAthenticationContext objects because it involves no Kerberos interaction. sock is a socket object or an integer corresponding to sock.fileno(). length is the amount that should be read and returned as a string (in bytes). net write(sock, string) Low level write function to correspond with net write(). sock is a socket object or an integer corresponding to sock.fileno(). string is the data to be written. net write() is not an attribute of TCPAthentication- Context objects because it involves no Kerberos interaction. 1.4 Constants Several constants are defined in the krb5 module. Some are used for setting up the Authentication Context objects and other are used to test for specific values of Krb5Error.err code. Application Request Options These constants can be used with the options parameter to the constructors for the Authentication Context objects as described above. AP OPTS USE SESSION KEY Use a session key. AP OPTS MUTUAL REQUIRED Require mutual authentication. Without this, the server is not required to authenticate itself with the client. Authentication Context Options These options may be used to set and test flags on the Authentication Context objects using the setflags() and getflags() methods. KRB5 AUTH CONTEXT DO TIME Use time stamps. KRB5 AUTH CONTEXT DO SEQUENCE Use sequence numbers. 1.3 Utility Functions 5

Error Code Constants KRB5 PROG SUMTYPE NOSUPP Requested checksum function is not supported. KRB5 SENDAUTH REJECTED Server reject client connection. KRB5 FCC NOFILE No credentials cache is available. KRB5 PARSE MALFORMED Principal name could not be parsed by get principal(). KRB5KRB AP ERR BAD INTEGRITY Integrity failure. KRB5KRB AP ERR TKT EXPIRED Ticket in credentials cache has expired; run kinit to update your tickets. KRB5KRB AP ERR BADADDR Wrong address used to encode encrypted data. KRB5KRB AP ERR BADORDER Wrong sequence number used to encode encrypted data. 2 Module ksocket The ksocket module provides a socket-like object which supports alternate interfaces to provide Kerberos authentication for connections. This should be used when only authentication is used; most code which operates on a connected socket can use an instance of the KStreamSocket class implemented by this module. Only TCP sockets are currently supported. A single exception is defined by this module: KSocketError This exception is raised for errors specifically involving the Kerberos aspect of the connection. Ordinary socket errors raise socket.error. Kerberized sockets are created using this constructor: KStreamSocket([lprinc]) Create a Kerberized socket. If lprinc is given, it is used as the local principal. If omitted, the result of krb5.get login principal() is used. The return value is an instance which behaves almost exactly like a socket, but with some additional interfaces and changes as described below. 2.1 KStreamSocket Methods Most methods of KStreamSocket objects are identical to the socket methods of the same names; these are not described here. Refer to the socket module documentation for information on standard socket behavior. The methods described here are either new with this class or have modified behavior. accept() Like the normal socket accept() method, but returns a Kerberized socket instead. The connect has already been authenticated once this method returns. This method does block while performing the Kerberos authentication handshake. bind(address) 6 2 Module ksocket

The socket address address must be a (host, port) pair. If host is the empty string ( ), it will be replaced with the result of socket.gethostname() to ensure that the getsockname() method returns the same address as the getpeername() method of the remote connection. This is needed to make Kerberos work properly without making too many assumptions about system configuration. connect(address) Raises KSocketError; use kconnect() instead. get remote principal() Return the Kerberos principal for the remote side of the connection. If the socket is not connected, KSocketError is raised. kconnect(sprinc, port[, options]) Connect to a remote server. The server principal, given by sprinc, must be a service principal as returned by krb5.get svc principal(). If type(sprinc) is not krb5.principaltype, a TypeError exception is raised. If it does not have the required service information, ValueError is raised. Application request options can be passed in options if desired. Once the connection is established, the Kerberos authenticaion handshake is performed; this operation can block. 2.1 KStreamSocket Methods 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback