
reuse kerberos ticket from Operating system cache #86

Open
LucaGalvagno opened this issue Jul 12, 2024 · 5 comments

Comments

@LucaGalvagno

Good morning,
I would like to understand whether, with pyspnego, it is possible to reuse Kerberos tickets coming from the operating system cache, in the case of Linux from the KEYRING kernel cache (which is where sssd stores such things by default).
Thanks,
Kind regards

@jborean93
Owner

Yep, just don’t specify an explicit username/password and it will use the cached credential (if present). Typically what klist will show.

@LucaGalvagno
Author

I'm sorry,
but could you please post a code snippet?

@jborean93
Owner

It’s the exact same way you call it normally but without setting the username/password kwarg.

@LucaGalvagno
Author

LucaGalvagno commented Jul 14, 2024

Hi,
indeed I did what you suggested, using one of the examples (client_auth.py), but a StopIteration exception is raised (on enc_data = client.wrap(data)), and the negotiation attribute is "none".
Below are the source code and my klist results.

Source code :
#########################################

import spnego


def exchange_data(data: bytes) -> bytes:
    # Insert code to send to acceptor and receive token
    return b""


def main() -> None:
    # No username/password given, so pyspnego falls back to the OS credential cache
    client = spnego.client(service="krbtgt/XXXX.LOCAL@XXXX.LOCAL")

    in_token = None
    while client.complete:
        out_token = client.step(in_token)
        if not out_token:
            break

        in_token = exchange_data(out_token)

    print("Negotiated protocol: %s" % client.negotiated_protocol)

    data = b"my secret"
    enc_data = client.wrap(data)

    resp = exchange_data(enc_data.data)
    dec_data = client.unwrap(resp)

    print("Server response: %s" % dec_data.data.decode("utf-8"))


if __name__ == "__main__":
    main()

#####################################################
klist:

Ticket cache: KCM:1208801129:25868
Default principal: testuser1@XXXX.LOCAL

Valid starting       Expires              Service principal
07/14/2024 10:38:48  07/14/2024 20:38:48  krbtgt/XXXX.LOCAL@XXXX.LOCAL
        renew until 07/21/2024 10:38:48

@jborean93
Owner

A few things to note:

  • The example had an issue: the loop should be while not client.complete:
  • You need to implement your own logic in exchange_data; how you do this depends on how you are authenticating.
  • The service should reflect the service you are authenticating with. It should also be only the service part.
    • Typically the service is something like host or http, but it can be anything, as it depends on the host you are talking to.
    • The hostname kwarg specifies the hostname portion of the SPN.
    • E.g. service='host', hostname='target-host.domain.com'
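The corrected client flow from the points above, as an added example that is neither the issue author's snippet nor pyspnego's own code. `FakeContext` is a constructed stand-in for `spnego.client()` so the loop logic can be checked without a KDC; `kerberos_client` shows the real call, with the hostname taken from the maintainer's example as a placeholder.

```python
from typing import Callable, List, Optional


class FakeContext:
    """Constructed stand-in for a pyspnego client context: a two-leg
    Kerberos exchange (AP-REQ out, AP-REP in). Not a real GSSAPI context."""

    def __init__(self) -> None:
        self.complete = False
        self._calls = 0

    def step(self, in_token: Optional[bytes] = None) -> Optional[bytes]:
        self._calls += 1
        if self._calls == 1:
            return b"AP-REQ"      # first leg: initial token for the acceptor
        self.complete = True      # second leg: acceptor's reply finishes the exchange
        return None


def fake_exchange(out_token: bytes) -> bytes:
    """Constructed acceptor: always answers the AP-REQ with an AP-REP."""
    return b"AP-REP"


def run_client_steps(client, exchange_data: Callable[[bytes], bytes]) -> List[bytes]:
    """Drive a context to completion; returns the tokens sent to the acceptor."""
    sent: List[bytes] = []
    in_token: Optional[bytes] = None
    while not client.complete:    # the fix: keep stepping until established
        out_token = client.step(in_token)
        if not out_token:
            break
        sent.append(out_token)
        in_token = exchange_data(out_token)
    return sent


def original_loop(client, exchange_data: Callable[[bytes], bytes]) -> List[bytes]:
    """The snippet's condition: `complete` is False at start, so step() is never
    called and the context is never established (hence wrap() fails later)."""
    sent: List[bytes] = []
    in_token: Optional[bytes] = None
    while client.complete:
        out_token = client.step(in_token)
        if not out_token:
            break
        sent.append(out_token)
        in_token = exchange_data(out_token)
    return sent


def kerberos_client(hostname: str = "target-host.domain.com", service: str = "host"):
    """Real call: no username/password, so the OS credential cache (what klist shows) is used.
    Requires `pip install pyspnego` and a valid ticket; hostname is a placeholder."""
    import spnego
    return spnego.client(service=service, hostname=hostname, protocol="kerberos")
```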
