Kerberos (High-level GSSAPI Interface)
The `kerberos` library (PyPI name `kerberos`, project name PyKerberos, originally from Apple's Calendar Server) is a Python C extension wrapping Kerberos (GSSAPI) for client/server authentication as described in RFC 4559 (SPNEGO over HTTP). Rather than binding the whole Kerberos framework, it exposes a small set of functions: the `authGSSClient*` and `authGSSServer*` families for GSSAPI context negotiation and token handling, plus `checkPassword`, `changePassword` and `getServerPrincipalDetails` for direct krb5 operations. The current release is 1.3.1; releases are infrequent and the project is in maintenance mode rather than active development.
Warnings
- breaking The package ships as a source distribution of a C extension (no prebuilt wheels), so `pip install` compiles it against the exact interpreter and Kerberos headers present at install time. A Python upgrade or a switch of interpreter requires a rebuild, and a build that succeeds on one host says nothing about another.
- gotcha Installation often fails without system-level Kerberos development libraries and a C compiler. This is a common pitfall on Linux and some Windows environments.
- deprecated `kerberos.checkPassword(user, pswd, service, default_realm)` is documented upstream as testing-only and must NEVER gate production logins. It only proves that an AS exchange for the user succeeds with the supplied password; an attacker who can answer the application host's KDC traffic can return an AS-REP encrypted under a password of their choosing, so the check passes without the real KDC ever being consulted. Authenticate users with GSSAPI tokens via `authGSSServerInit`/`authGSSServerStep` instead, which validates the client's ticket against the service keytab.
- gotcha Despite the "high-level" label, the API is a thin layer over the C GSSAPI: you manage the context handle, the base64 token framing, the step loop, mutual-authentication checks and cleanup yourself. Most applications are better served by `python-gssapi` (a full GSSAPI binding) or `pyspnego`, and HTTP clients by `requests-kerberos`, which handle these details and the footguns that come with them.
- gotcha Successful Kerberos authentication requires a correctly configured client (`krb5.conf` with the right realm and KDCs), a valid ticket in the credential cache (e.g. from `kinit`, honoring `KRB5CCNAME`), and a Service Principal Name that matches what the KDC registered. Missing or expired tickets, clock skew, and SPN mismatches are the usual causes of `kerberos.GSSError`, the exception the `authGSS*` functions raise (`kerberos.KrbError` is its base class; `checkPassword` raises `kerberos.BasicAuthError`). On the server side the process additionally needs read access to a keytab holding the service key (`KRB5_KTNAME`).
Install
Install the system Kerberos headers and a C compiler first; `pip` builds the extension from source.
# Debian/Ubuntu
sudo apt-get install python3-dev libkrb5-dev gcc
# RHEL/CentOS/Fedora
sudo yum install python3-devel krb5-devel gcc
# then
pip install kerberos
Imports
- kerberos
import kerberos
Quickstart
import os
import kerberos

# Simplified example: a reachable KDC, a ticket in the credential cache (kinit) and a
# registered service principal are all required for this to succeed.
# authGSSClientInit takes the service in GSSAPI host-based form, 'type@fqdn'
# (e.g. 'HTTP@www.example.com'), not the 'HTTP/www.example.com@REALM' principal form
# used by checkPassword and getServerPrincipalDetails.
service = os.environ.get('KERBEROS_SERVICE', 'HTTP@host.example.com')

context = None
try:
    # gssflags defaults to GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG; add GSS_C_DELEG_FLAG
    # only if the service genuinely needs to act with your credentials.
    # principal= selects a client principal other than the credential cache default.
    result, context = kerberos.authGSSClientInit(service)

    # First step: the challenge is an empty string (None raises TypeError). With mutual
    # authentication requested this returns AUTH_GSS_CONTINUE; the server's reply token
    # must later be fed back through authGSSClientStep to finish the context.
    result = kerberos.authGSSClientStep(context, "")

    # The base64 token that goes into the 'Authorization: Negotiate <token>' header.
    token = kerberos.authGSSClientResponse(context)
    state = 'continue' if result == kerberos.AUTH_GSS_CONTINUE else 'complete'
    print(f"Initial GSSAPI token generated ({state}): {token[:30]}...")

    # In a real exchange the server answers with its own token, which the client passes to
    # authGSSClientStep(context, server_token) until the result is AUTH_GSS_COMPLETE;
    # authGSSClientUserName(context) then returns the authenticated client principal.
except kerberos.GSSError as e:
    # GSSAPI failure: no ticket, unknown service principal, clock skew, etc.
    print(f"GSSAPI error: {e}")
except kerberos.KrbError as e:
    print(f"Kerberos error: {e}")
finally:
    # Always release the context to free the underlying GSSAPI resources.
    if context is not None:
        kerberos.authGSSClientClean(context)
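Carrying the quickstart through the whole RFC 4559 exchange, as an added example rather than code from pykerberos or this page: the client drives the `authGSSClient*` step loop against a server, keeps stepping while the server returns 401 with a fresh token, and refuses to treat a 200 as success until the server's final token has been verified (mutual authentication). The HTTP transport, the scripted server, the scripted GSS context and the two token strings are constructed stand-ins so the loop runs offline; `PyKerberosClient` uses only the `authGSSClientInit`/`authGSSClientStep`/`authGSSClientResponse`/`authGSSClientClean` calls and `GSS_C_*` flags the library documents.

```python
"""RFC 4559 (HTTP Negotiate) client loop around pykerberos' authGSSClient* calls.

Added example, not pykerberos' own code. HTTP is an injected callable so the loop
runs offline against a scripted server and a scripted GSS context (both constructed
here); PyKerberosClient is the adapter you would plug in against a real KDC.
"""
import re
from typing import Callable, Optional, Tuple

AUTH_GSS_CONTINUE = 0  # same values pykerberos exports
AUTH_GSS_COMPLETE = 1
CLIENT_TOKEN = "Q0xJRU5ULVRPS0VO"  # constructed: base64('CLIENT-TOKEN')
SERVER_TOKEN = "U0VSVkVSLUFQUkVQ"  # constructed: base64('SERVER-APREP')
HttpSend = Callable[[Optional[str]], Tuple[int, Optional[str]]]
_NEGOTIATE_RE = re.compile(r"(?:^|,\s*)Negotiate(?:\s+([A-Za-z0-9+/=]+))?\s*(?:,|$)")


class NegotiateError(Exception):
    """Protocol-level failure, distinct from a GSSAPI error."""


def parse_negotiate_challenge(www_authenticate: Optional[str]) -> Optional[str]:
    """None if Negotiate is not offered, '' for a bare challenge, else the token text."""
    m = _NEGOTIATE_RE.search(www_authenticate or "")
    return None if m is None else (m.group(1) or "")


class PyKerberosClient:
    """Adapter over pykerberos, imported lazily so this module loads without it."""
    def __init__(self, service: str):  # 'type@fqdn', e.g. 'HTTP@www.example.com'
        import kerberos
        self._k = kerberos
        flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG  # the defaults
        _, self.ctx = kerberos.authGSSClientInit(service, gssflags=flags)
    def step(self, challenge: str) -> int:  # raises kerberos.GSSError on failure
        return self._k.authGSSClientStep(self.ctx, challenge)
    def response(self) -> Optional[str]:
        return self._k.authGSSClientResponse(self.ctx)
    def clean(self) -> None:
        self._k.authGSSClientClean(self.ctx)


class ScriptedClient:
    """Same shape as PyKerberosClient; only SERVER_TOKEN passes as the server's AP-REP."""
    _out: Optional[str] = None
    def step(self, challenge: str) -> int:
        if challenge == "":
            self._out = CLIENT_TOKEN
            return AUTH_GSS_CONTINUE  # mutual auth: not done until the server's token checks out
        self._out = None
        if challenge != SERVER_TOKEN:
            raise NegotiateError("server token failed verification")  # real code: GSSError
        return AUTH_GSS_COMPLETE
    def response(self) -> Optional[str]:
        return self._out
    def clean(self) -> None:
        pass


def scripted_server(expected_client_token: str, server_token: Optional[str]) -> HttpSend:
    """Constructed HTTP stand-in: 401 + bare 'Negotiate' until the expected token arrives."""
    def send(authorization: Optional[str]) -> Tuple[int, Optional[str]]:
        if authorization == "Negotiate " + expected_client_token:
            return 200, ("Negotiate " + server_token) if server_token else None
        return 401, "Negotiate"
    return send


def negotiate(client, send: HttpSend, require_mutual: bool = True, max_legs: int = 4) -> int:
    """Drive the RFC 4559 exchange; return the final HTTP status or raise NegotiateError."""
    try:
        status, hdr = send(None)
        if status != 401:
            return status  # resource did not demand authentication
        challenge = parse_negotiate_challenge(hdr)
        if challenge is None:
            raise NegotiateError("server did not offer Negotiate")
        for _ in range(max_legs):
            client.step(challenge)
            token = client.response()
            if not token:
                raise NegotiateError("context produced no token")
            status, hdr = send("Negotiate " + token)
            challenge = parse_negotiate_challenge(hdr)
            if status == 401:
                if not challenge:  # 401 with no fresh token: credentials rejected
                    raise NegotiateError("authentication rejected")
                continue  # multi-leg mechanism: keep stepping
            # Accepted. Only the server's final token, verified here, proves the peer
            # holds the service key; returning early leaves mutual auth unchecked.
            if require_mutual:
                if not challenge:
                    raise NegotiateError("server skipped mutual authentication")
                if client.step(challenge) != AUTH_GSS_COMPLETE:
                    raise NegotiateError("mutual authentication incomplete")
            return status
        raise NegotiateError("negotiation did not converge")
    finally:
        client.clean()


def try_negotiate(client, send, **kw):
    """Status on success, the NegotiateError message otherwise (used for the offline run)."""
    try:
        return negotiate(client, send, **kw)
    except NegotiateError as e:
        return str(e)
```

Against a real service, replace `ScriptedClient()` with `PyKerberosClient("HTTP@host.example.com")` and `send` with a function that issues the request and returns `(status, WWW-Authenticate header)`; catch `kerberos.GSSError` alongside `NegotiateError`. The `require_mutual` flag exists only to show the failure mode: with it off, a 200 from any host that merely replays the right status code looks like success, which is the same weakness `requests-kerberos` guards against with its `mutual_authentication` setting.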