Support for explicit GSSAPI mech #18
Add support for passing an explicit mech through to gssapi's `SecurityContext` constructor. This allows overriding the auto-detected mechanism, and enabling support for RFC4178 SPNEGO. Fixes pythongssapi#18
Technically, python-gssapi has supported SPNEGO since its inception - what's new is just the ability to filter the negotiated mechanisms. Can you elaborate on your use case here? Note that it's currently possible to specify an explicit mechanism through the Credential object passed in.
Thanks for getting back to me. The use case is for connecting to a service powered by go's krb5 library which seems to explicitly require an RFC4178 style exchange and which I couldn't get to be automatically negotiated by the requests library. The example usage of the modifications in this PR is described here: wintoncode/vault-plugin-auth-kerberos#22 (comment) I hadn't spotted the Credentials object could be used for this instead which would remove the need for this PR to be merged. I will take a look and see if I can get my example code working via that method.
If I understand correctly, I think you're referring to the

```python
import gssapi
import requests
from requests_gssapi import HTTPSPNEGOAuth

# vhost (the Vault host name) is defined elsewhere in this script
# Restrict the initiator credential to the SPNEGO mechanism (RFC 4178)
spnego = gssapi.OID.from_int_seq("1.3.6.1.5.5.2")
creds = gssapi.Credentials(usage="initiate", mechs=[spnego])
target = gssapi.Name("HTTP@{0}:8200".format(vhost), gssapi.NameType.hostbased_service)
auth = HTTPSPNEGOAuth(target_name=target, creds=creds)
r = requests.post("https://{0}:8200/v1/auth/kerberos/login".format(vhost), auth=auth, verify='/etc/pki/tls/cert.pem')
```

Results in the same error from the application server as if I'd not passed in

```
{"errors":["SPNEGO negotiation token is not a NegTokenInit: OID 1.2.840.113554.1.2.2 does not match SPNEGO OID 1.3.6.1.5.5.2"]}
```

The only way I've found to match the expectations of the backend server is to pass the

It's entirely possible that I've completely misunderstood and have got it all wrong.
Just a comment,
Hashicorp are taking ownership of the project I was trying to use this with and have published some alternate code using

```python
import kerberos  # pykerberos
import requests

service = "HTTP@vault.domain"
# Ask pykerberos for a SPNEGO (RFC 4178) context rather than bare Kerberos 5
rc, vc = kerberos.authGSSClientInit(service=service, mech_oid=kerberos.GSS_MECH_OID_SPNEGO)
kerberos.authGSSClientStep(vc, "")
kerberos_token = kerberos.authGSSClientResponse(vc)
r = requests.post("https://vault.domain:8200/v1/auth/kerberos/login",
                  json={'authorization': 'Negotiate ' + kerberos_token})
```
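The backend error quoted earlier in this thread ("OID 1.2.840.113554.1.2.2 does not match SPNEGO OID 1.3.6.1.5.5.2") and the `mech_oid=GSS_MECH_OID_SPNEGO` workaround above both come down to which mechanism OID leads the initial token. The following is an added example, not code from this thread, requests-gssapi, python-gssapi or pykerberos: a small parser for the RFC 2743 InitialContextToken header that reports that OID, so a client can check locally whether its library produced a SPNEGO NegTokenInit or a bare Kerberos 5 AP-REQ before sending it. The `make_token` wrapper and the sample byte strings are constructed here for illustration; real tokens would be the base64-decoded output of `SecurityContext.step()` or `authGSSClientResponse()`.

```python
# Inspect the mechanism OID at the front of a GSS-API initial context token.
# RFC 2743 3.1 frames it as 0x60 <len> 0x06 <oid-len> <mech OID> <mech data>;
# SPNEGO NegTokenInit (RFC 4178) leads with 1.3.6.1.5.5.2, a bare Kerberos 5
# AP-REQ with 1.2.840.113554.1.2.2: the mismatch the backend reported.
SPNEGO_OID = "1.3.6.1.5.5.2"
# Constructed sample headers: tag 0x06, length, DER OID value octets
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")

def _read_length(buf, pos):
    # DER length: short form (< 0x80) or 0x8n followed by n length octets
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(raw):
    # DER OID value octets -> dotted string (first two arcs are packed)
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def mech_oid_of_token(token):
    # Walk the [APPLICATION 0] header and return the leading mech OID
    if not token or token[0] != 0x60:
        raise ValueError("not an RFC 2743 InitialContextToken")
    _, pos = _read_length(token, 1)
    if token[pos] != 0x06:
        raise ValueError("no OBJECT IDENTIFIER after token header")
    oid_len, pos = _read_length(token, pos + 1)
    return decode_oid(token[pos:pos + oid_len])

def is_spnego_token(token):
    # The check the backend in this thread applies before parsing NegTokenInit
    return mech_oid_of_token(token) == SPNEGO_OID

def make_token(oid_der, body):
    # Constructed sample wrapper (short-form length, so body must stay small)
    inner = oid_der + body
    return bytes([0x60, len(inner)]) + inner
```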
gssapi has recently added support for SPNEGO from RFC4178 (pythongssapi/python-gssapi@2347e3f), but to use this it seems an explicit mech must be passed into the `SecurityContext` constructor. `HTTPSPNEGO` doesn't currently provide a way for the caller to specify an explicit mech, and gssapi's autodetection may not pick the desired variant in all cases.