Kerberos support #6708

Closed
chrahunt opened this issue Jul 14, 2019 · 10 comments
Labels
C: download About fetching data from PyPI and other sources type: feature request Request for a new feature

Comments

@chrahunt
Member

What's the problem this feature will solve?

pip cannot currently use Kerberos for authentication with web servers that support it, which may be acting as PyPI mirrors or private package repositories.

Describe the solution you'd like

If required dependencies are present, and a request to the configured server fails with headers that indicate Kerberos is supported, then attempt Kerberos authentication.

Alternative Solutions

N/A

Additional context

This is an attempt to progress #4854 by allowing discussion without the noise associated with a PR.

Currently pip only supports basic authentication with credentials provided either via keyring or inclusion in the index/index-url URL itself. Kerberos, as described here, would not be able to use the current basic auth mechanism for negotiation.

@triage-new-issues triage-new-issues bot added the S: needs triage Issues/PRs that need to be triaged label Jul 14, 2019
@chrahunt chrahunt added C: download About fetching data from PyPI and other sources type: feature request Request for a new feature and removed S: needs triage Issues/PRs that need to be triaged labels Jul 14, 2019
@chrahunt
Member Author

Related to #4475.

@pradyunsg
Member

pradyunsg commented Aug 12, 2019

Specifically, how is this not achievable with the keyring support?

The bootstrapping issue with keyring (you'd need keyring and your backend installed) is the tradeoff for having a minimal core utility with extensive support for authentication backends.

@chrahunt
Member Author

chrahunt commented Aug 12, 2019

Keyring is a pluggable interface for providing a username and password. Currently we only support using that username/password for basic auth, i.e. Authentication HTTP header with Basic and base64-encoded credentials. Kerberos uses a different flow altogether. See wiki.

@chrahunt chrahunt reopened this Aug 12, 2019
@cryvate

cryvate commented Aug 26, 2019

It would be great if we could finally get something in so that pip can have Kerberos support.

@pradyunsg
Member

Oh, I didn't realize this issue existed when I made #4854 (comment).

Anyway, thanks for all the work you've done on this @cryvate! It's much appreciated. ^>^

@pradyunsg
Member

pradyunsg commented Aug 26, 2019

Edited the PR description to link to here.

@schlamar
Contributor

schlamar commented Mar 3, 2020

Please see my comment at #4475 (comment)

@christophvw

We need kerberos-proxy authentication in pip, otherwise our developers cannot install any packages (our proxy supports only Kerberos authentication).

I already wrote a patch for requests-kerberos: requests/requests-kerberos#148

@enzolis

enzolis commented Mar 12, 2020

Same situation here.
For internet access we are required to authenticate via Kerberos towards our proxy.

Regarding the details:
Please understand there is no possibility to achieve this via keyrings.
During log-in (or unlock screen) a ticket (TGT) is acquired which is used in a single sign-on manner.
When accessing the internet, the proxy sends a 407 (request to authenticate). Using the TGT and the service name (SPN, e.g. HTTP/proxy.big.company.com) a service ticket is acquired from the TGS.
This service ticket together with the original request is then sent again to the proxy which then allows you to proceed.

PS: @christophvw I added a few lines of code to your patch
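
The challenge-driven flow discussed in this thread (Basic versus Negotiate, and the 407 proxy case with an SPN such as HTTP/proxy.big.company.com), as an added example that is not code from pip, requests-kerberos or any commenter. It only parses the challenge and formats the reply header; obtaining the service ticket is left to a GSSAPI library. The function names, the sample headers and the choice to prefer Negotiate when it is offered are assumptions made for illustration.

```python
import base64
import re

CHALLENGE = {  # status -> (challenge header, header the client replies with)
    401: ("www-authenticate", "Authorization"),          # origin server / index
    407: ("proxy-authenticate", "Proxy-Authorization"),  # forward proxy
}
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
_AUTH_PARAM = re.compile(r"[\w.-]+\s*=")
# Constructed sample: a proxy offering Basic and Negotiate in repeated headers.
SAMPLE_407 = [("Proxy-Authenticate", 'Basic realm="corp, proxy"'),
              ("Proxy-Authenticate", "Negotiate")]


def offered_schemes(status, headers):
    """Lower-cased schemes offered by a 401/407; headers is (name, value) pairs."""
    if status not in CHALLENGE:
        return []
    schemes = []
    for name, value in headers:
        if name.lower() != CHALLENGE[status][0]:
            continue
        # Blank out quoted strings so commas inside realm="a, b" do not split.
        for part in _QUOTED.sub('""', value).split(","):
            part = part.strip()
            # "nonce=..." continues the previous challenge; it is not a scheme.
            if part and not _AUTH_PARAM.match(part):
                schemes.append(part.split()[0].lower())
    return schemes


def plan_auth(status, headers, challenger_host):
    """Choose a reply: Negotiate if offered, else Basic, else None."""
    schemes = offered_schemes(status, headers)
    if "negotiate" in schemes:
        # SPN form from the thread: HTTP/<host that sent the challenge>.
        return {"scheme": "Negotiate", "reply_header": CHALLENGE[status][1],
                "spn": "HTTP/" + challenger_host}
    if "basic" in schemes:
        return {"scheme": "Basic", "reply_header": CHALLENGE[status][1]}
    return None


def reply_value(scheme, payload):
    """Header value: Basic carries user:password, Negotiate a GSSAPI token."""
    return scheme + " " + base64.b64encode(payload).decode("ascii")


if __name__ == "__main__":
    print(plan_auth(407, SAMPLE_407, "proxy.big.company.com"))
```

A keyring-style username and password can only fill the Basic payload; the Negotiate payload is a token derived from the ticket for the SPN, which is why the two paths cannot share one credential hook.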

@uranusjr
Member

I’m going to use #4475 as an aggregated tracking issue for all these similar problems, since it is unlikely pip is going to add support for each authentication method separately.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 15, 2021