{"id":3229,"library":"pykerberos","title":"PyKerberos","description":"PyKerberos provides a high-level interface to the Kerberos GSSAPI for Python applications. It enables client and server-side authentication using Kerberos. The current version is 1.2.4, with releases primarily focused on bug fixes and Python version compatibility.","status":"active","version":"1.2.4","language":"en","source_language":"en","source_url":"https://github.com/02strich/pykerberos","tags":["kerberos","authentication","gssapi","security","enterprise"],"install":[{"cmd":"pip install pykerberos","lang":"bash","label":"Install PyKerberos"}],"dependencies":[{"reason":"Requires system-level Kerberos development headers for compilation (e.g., on RHEL/CentOS/Fedora).","package":"krb5-devel","optional":false},{"reason":"Alternative system-level Kerberos development headers for Debian/Ubuntu.","package":"libkrb5-dev","optional":false},{"reason":"For macOS, install via Homebrew along with Xcode Command Line Tools for compilation.","package":"krb5","optional":false}],"imports":[{"symbol":"kerberos","correct":"import kerberos"}],"quickstart":{"code":"import kerberos\nimport os\n\ntry:\n    # Service principal for the target service (e.g., HTTP service on a host)\n    # Replace 'HTTP/server.example.com@REALM.COM' with your actual service principal.\n    # For a runnable example, we use an environment variable.\n    service_principal = os.environ.get('KERBEROS_SERVICE_PRINCIPAL', 'HTTP/fakeserver.example.com@FAKE.REALM')\n\n    # Initialize a Kerberos client context\n    # rc: return code (0 for success, non-zero for error)\n    # vc: client context handle (opaque object)\n    rc, vc = kerberos.authGSSClientInit(service_principal)\n\n    if rc == kerberos.AUTH_GSS_COMPLETE:\n        print(f\"Successfully initialized Kerberos client context for {service_principal}\")\n\n        # Perform the first step of GSS-API negotiation\n        # This generates a token to send to the server.\n        # The input 'challenge' is empty for the first step.\n        rc_step, client_token = kerberos.authGSSClientStep(vc, \"\")\n\n        if rc_step == kerberos.AUTH_GSS_COMPLETE:\n            print(f\"Generated client token (to send to server): {client_token[:60]}...\")\n            print(\"Kerberos client authentication flow started.\")\n            print(\"Next, send this token to your server and process its response with authGSSClientStep.\")\n        else:\n            print(f\"Kerberos client step failed with return code: {rc_step}\")\n\n        # Clean up the client context when done\n        kerberos.authGSSClientClean(vc)\n        print(\"Kerberos client context cleaned up.\")\n\n    else:\n        print(f\"Failed to initialize Kerberos client context for {service_principal}. Return code: {rc}\")\n        print(\"Possible reasons: missing kinit ticket, incorrect service principal, or system Kerberos setup issues.\")\n\nexcept kerberos.GSSError as e:\n    print(f\"Kerberos GSSAPI Error: {e}\")\n    print(\"Make sure you have Kerberos development libraries (e.g., krb5-devel) installed and KDC is reachable.\")\nexcept Exception as e:\n    print(f\"An unexpected error occurred: {e}\")","lang":"python","description":"This quickstart demonstrates how to initialize a Kerberos client context and generate the first authentication token using `pykerberos`. It simulates the client-side of a GSSAPI negotiation flow. To run this, you'll typically need an active Kerberos ticket (e.g., obtained via `kinit`) and the correct service principal for your target service. Remember to install system Kerberos development libraries before installing pykerberos."},"warnings":[{"fix":"Upgrade to `pykerberos==1.2.4` or a newer version using `pip install --upgrade pykerberos`.","message":"Older versions (pre-1.2.4) experienced C API incompatibility issues with Python 3.10+ and pointer alignment problems on M1 Macs. Users on these platforms should upgrade to v1.2.4 or newer to avoid errors.","severity":"breaking","affected_versions":"<1.2.4"},{"fix":"Install the appropriate Kerberos development package for your OS before installing pykerberos. Example: `sudo yum install krb5-devel` or `sudo apt-get install libkrb5-dev`.","message":"PyKerberos is a C extension and requires system-level Kerberos development libraries (e.g., `krb5-devel` on RHEL/CentOS/Fedora, `libkrb5-dev` on Debian/Ubuntu, or Homebrew `krb5` with Xcode Command Line Tools on macOS) to be installed *before* `pip install pykerberos`. Installation will fail without them.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Upgrade to `pykerberos==1.1.9` or a newer version using `pip install --upgrade pykerberos`.","message":"Versions prior to 1.1.9 had known memory leaks in GSS code and less robust Python 3 compatibility. It's strongly recommended to use v1.1.9 or newer for improved stability and Python 3 support.","severity":"gotcha","affected_versions":"<1.1.9"},{"fix":"Verify Kerberos tickets (`klist`), service principal format, and network connectivity to your KDC. Consult Kerberos documentation for your specific environment and use `KRB5_TRACE=/dev/stderr` for detailed debugging.","message":"Common errors (e.g., `kerberos.GSSError`) arise from incorrect Kerberos setup: missing `kinit` tickets, incorrect service principal, or KDC unreachability. Ensure your Kerberos environment is properly configured.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}