Low-Level API 

Raises:

canonicalize_name(name: Name, mech: gssapi.raw.oids.OID) → Name[source]

Canonicalize an arbitrary GSSAPI Name into a Mechanism Name

This method turns any GSSAPI name into a “mechanism name” – a full form name specific to a mechanism.

Parameters:

name (Name) – the name to canonicalize
mech (MechType) – the mechanism type to use to canonicalize the name

Returns:

a canonicalized version of the input name

Return type:

Name

Raises:

duplicate_name(name: Name) → Name[source]

Duplicate a GSSAPI name.

Parameters:: name (Name) – the name to duplicate
Returns:: a duplicate of the input name
Return type:: Name
Raises:: BadNameError –

release_name(name: Name) → None[source]

Release a GSSAPI name.

This method frees a GSSAPI Name. You probably won’t have to do this.

Warning

This method is deprecated. Names are automatically freed by Python.

Parameters:: name (Name) – the name in question
Raises:: BadNameError –

Credentials

class Creds[source]: GSSAPI Credentials

acquire_cred(name: gssapi.raw.names.Name | None, lifetime: int | None = None, mechs: Iterable[gssapi.raw.oids.OID] | None = None, usage: str = 'both') → gssapi.raw.named_tuples.AcquireCredResult[source]

Get GSSAPI credentials for the given name and mechanisms.

This method gets GSSAPI credentials corresponding to the given name and mechanims. The desired TTL and usage for the the credential may also be specified.

Parameters:

name (Name) – the name for which to acquire the credentials (or None for the “no name” functionality)
lifetime (int) – the lifetime in seconds for the credentials (or None for indefinite)
mechs (MechType) – the desired mechanisms for which the credentials should work, or None for the default set
usage (str) – the usage type for the credentials: may be ‘initiate’, ‘accept’, or ‘both’

Returns:

the resulting credentials, the actual mechanisms with which they may be used, and their actual lifetime in seconds (or None for indefinite or not supported)

Return type:

Raises:

release_cred(creds: Creds) → None[source]

release_cred(creds) Release GSSAPI Credentials.

This method releases GSSAPI credentials.

Warning

This method is deprecated. Credentials are automatically freed by Python.

Parameters:: creds (Creds) – the credentials in question
Raises:: MissingCredentialsError –

add_cred(input_cred: Creds, name: gssapi.raw.names.Name, mech: gssapi.raw.oids.OID, usage: str = 'initiate', init_lifetime: int | None = None, accept_lifetime: int | None = None, mutate_input: bool = False) → gssapi.raw.named_tuples.AddCredResult[source]

Add a credential element to a credential.

This method can be used to either compose two credentials (i.e., original and new credential), or to add a new element to an existing credential.

Parameters:

input_cred (Creds) – the set of credentials to which to add the new credentials
name (Name) – name of principal to acquire a credential for
mech (MechType) – the desired security mechanism (required).
usage (str) – usage type for credentials. Possible values: ‘initiate’ (default), ‘accept’, ‘both’ (failsafe).
init_lifetime (int) – lifetime of credentials for use in initiating security contexts in seconds (None for indefinite)
accept_lifetime (int) – lifetime of credentials for use in accepting security contexts in seconds (None for indefinite)
mutate_input (bool) – whether to mutate the input credentials (True) or produce a new set of credentials (False). Defaults to False

Returns:

the actual mechanisms with which the credentials may be used, the actual initiator TTL, and the actual acceptor TTL (None for either indefinite or not supported). Note that the credentials may be set to None if mutate_input is set to True.

Return type:

AddCredResult

Raises:

inquire_cred(creds: Creds, name: bool = True, lifetime: bool = True, usage: bool = True, mechs: bool = True) → gssapi.raw.named_tuples.InquireCredResult[source]

Inspect credentials for information.

This method inspects a Creds object for information.

Parameters:

creds (Creds) – the credentials to inspect
name (bool) – get the Name associated with the credentials
lifetime (bool) – get the TTL for the credentials
usage (bool) – get the usage type of the credentials
mechs (bool) – the mechanims used with the credentials

Returns:

the information about the credentials, with unused fields set to None

Return type:

InquireCredResult

Raises:

inquire_cred_by_mech(creds: Creds, mech: gssapi.raw.oids.OID, name: bool = True, init_lifetime: bool = True, accept_lifetime: bool = True, usage: bool = True) → gssapi.raw.named_tuples.InquireCredByMechResult[source]

Inspect credentials for mechanism-specific information.

This method inspects a Creds object for information specific to a particular mechanism. It functions similarly to inquire_cred().

Parameters:

creds (Creds) – the credentials to inspect
mech (OID) – the desired mechanism
name (bool) – get the Name associated with the credentials
init_lifetime (bool) – get the initiator TTL for the credentials (in seconds)
accept_lifetime (bool) – get the acceptor TTL for the credentials (in seconds)
usage (bool) – get the usage type of the credentials

Returns:

the information about the credentials, with unused fields set to None

Return type:

InquireCredByMechResult

Raises:

MissingCredentialsError –
InvalidCredentialsError –

Security Contexts

class SecurityContext[source]: A GSSAPI Security Context

init_sec_context(name: gssapi.raw.names.Name, creds: gssapi.raw.creds.Creds | None = None, context: SecurityContext | None = None, mech: gssapi.raw.oids.OID | None = None, flags: int | gssapi.raw.types.RequirementFlag | Iterable[int] | Iterable[gssapi.raw.types.RequirementFlag] | None = None, lifetime: int | None = None, channel_bindings: gssapi.raw.chan_bindings.ChannelBindings | None = None, input_token: bytes | None = None) → gssapi.raw.named_tuples.InitSecContextResult[source]

Initiate a GSSAPI security context.

This method initiates a GSSAPI security context, targeting the given target name. To create a basic context, just provide the target name. Further calls used to update the context should pass in the output context of the last call, as well as the input token received from the acceptor.

Warning

This changes the input context!

Parameters:

target_name (Name) – the target for the security context
creds (Creds) – the credentials to use to initiate the context, or None to use the default credentials
context (SecurityContext) – the security context to update, or None to create a new context
mech (MechType) – the mechanism type for this security context, or None for the default mechanism type
flags (list) – the flags to request for the security context, or None to use the default set: mutual_authentication and out_of_sequence_detection. This may also be an IntEnumFlagSet
lifetime (int) – the request lifetime of the security context in seconds (a value of 0 or None means indefinite)
channel_bindings (ChannelBindings) – The channel bindings (or None for no channel bindings)
input_token (bytes) – the token to use to update the security context, or None if you are creating a new context

Returns:

the output security context, the actual mech type, the actual flags used, the output token to send to the acceptor, the actual lifetime of the context in seconds (or None if not supported or indefinite), and whether or not more calls are needed to finish the initiation.

Return type:

InitSecContextResult

Raises:

accept_sec_context(input_token: bytes, acceptor_creds: gssapi.raw.creds.Creds | None = None, context: SecurityContext | None = None, channel_bindings: gssapi.raw.chan_bindings.ChannelBindings | None = None) → gssapi.raw.named_tuples.AcceptSecContextResult[source]

Accept a GSSAPI security context.

This method accepts a GSSAPI security context using a token sent by the initiator, using the given credentials. It can either be used to accept a security context and create a new security context object, or to update an existing security context object.

Warning

This changes the input context!

Parameters:

input_token (bytes) – the token sent by the context initiator
acceptor_creds (Creds) – the credentials to be used to accept the context (or None to use the default credentials)
context (SecurityContext) – the security context to update (or None to create a new security context object)
channel_bindings (ChannelBindings) – The channel bindings (or None for no channel bindings)

Returns:

the resulting security context, the initiator name, the mechanism being used, the output token, the flags in use, the lifetime of the context in seconds (or None for indefinite or not supported), the delegated credentials (valid only if the delegate_to_peer flag is set), and whether or not further token exchanges are needed to finalize the security context.

Return type:

AcceptSecContextResult

Raises:

inquire_context(context: SecurityContext, initiator_name: bool = True, target_name: bool = True, lifetime: bool = True, mech: bool = True, flags: bool = True, locally_init: bool = True, complete: bool = True) → gssapi.raw.named_tuples.InquireContextResult[source]

Get information about a security context.

This method obtains information about a security context, including the initiator and target names, as well as the TTL, mech, flags, and its current state (open vs closed).

Note

the target name may be None if it would have been GSS_C_NO_NAME

Parameters:: context (SecurityContext) – the context in question
Returns:: the initiator name, the target name, the TTL (can be None for indefinite or not supported), the mech type, the flags, whether or not the context was locally initiated, and whether or not the context is currently fully established
Return type:: InquireContextResult
Raises:: MissingContextError –

context_time(context: SecurityContext) → int[source]

Get the amount of time for which the given context will remain valid.

This method determines the amount of time for which the given security context will remain valid. An expired context will give a result of 0.

Parameters:

context (SecurityContext) – the security context in question

Returns:

the number of seconds for which the context will be valid

Return type:

Raises:

ExpiredContextError –
MissingContextError –

process_context_token(context: SecurityContext, token: bytes) → None[source]

Process a token asynchronously.

This method provides a way to process a token, even if the given security context is not expecting one. For example, if the initiator has the initSecContext return that the context is complete, but the acceptor is unable to accept the context, and wishes to send a token to the initiator, letting the initiator know of the error.

Warning

This method has been essentially deprecated by RFC 2744.

Parameters:

context (SecurityContext) – the security context against which to process the token
token (bytes) – the token to process

Raises:

InvalidTokenError –
MissingContextError –

import_sec_context(token: bytes) → SecurityContext[source]

Import a context from another process.

This method imports a security context established in another process by reading the specified token which was output by export_sec_context().

Raises:

export_sec_context(context: SecurityContext) → bytes[source]

Export a context for use in another process.

This method exports a security context, deactivating in the current process and creating a token which can then be imported into another process with import_sec_context().

Warning: this modifies the input context

Parameters:

context (SecurityContext) – the context to send to another process

Returns:

the output token to be imported

Return type:

Raises:

delete_sec_context(context: SecurityContext, local_only: bool = True) → bytes[source]

Delete a GSSAPI security context.

This method deletes a GSSAPI security context, returning an output token to send to the other holder of the security context to notify them of the deletion.

Note

This method generally should not be used. SecurityContext objects will automatically be freed by Python.

Parameters:

context (SecurityContext) – the security context in question
local_only (bool) – should we request local deletion (True), or also remote deletion (False), in which case a token is also returned

Returns:

the output token (if remote deletion is requested). Generally: this is None, but bytes for compatibility.

Return type:

Raises:

MissingContextError –

get_mic(context: gssapi.sec_contexts.SecurityContext, message: bytes, qop: int | None = None) → bytes[source]

Generate a MIC for a message.

This method generates a Message Integrity Check token for the given message. This can be separately trasmitted to the other entity, unlike wrap, which bundles the MIC and the message together.

Parameters:

context (SecurityContext) – the current security context
message (bytes) – the message for which to generate the MIC
qop (int) – the requested Quality of Protection (or None to use the default)

Returns:

the generated MIC token

Return type:

Raises:

verify_mic(context: gssapi.sec_contexts.SecurityContext, message: bytes, token: bytes) → int[source]

Verify that a MIC matches a message.

This method verifies that the given MIC matches the given message. If the MIC does not match the given message, an exception will be raised.

Parameters:

context (SecurityContext) – the current security context
message (bytes) – the message in question
token (bytes) – the MIC token in question

Returns:

the QoP used.

Return type:

Raises:

wrap_size_limit(context: gssapi.sec_contexts.SecurityContext, output_size: int, confidential: bool = True, qop: int | None = None) → int[source]

Calculate the max message size.

This method calculates the unwrapped/unencrypted message size for the given maximum wrapped/encrypted message size.

Parameters:

context (SecurityContext) – the current security context
output_size (int) – the maximum desired wrapped/encrypted message size
confidential (bool) – whether or not confidentiality is being used
qop (int) – the QoP that will be when you actually call wrap (or None for the default QoP)

Returns:

the maximum unencrypted/unwrapped message size

Return type:

Raises:

wrap(context: gssapi.sec_contexts.SecurityContext, message: bytes, confidential: bool = True, qop: int | None = None) → gssapi.raw.named_tuples.WrapResult[source]

Wrap/Encrypt a message.

This method wraps or encrypts a message (depending on the value of confidential) with the given Quality of Protection.

Parameters:

context (SecurityContext) – the current security context
message (bytes) – the message to wrap or encrypt
confidential (bool) – whether or not to encrypt the message (True), or just wrap it with a MIC (False)
qop (int) – the desired Quality of Protection (or None for the default QoP)

Returns:

the wrapped/encrypted message, and whether or not: encryption was actually used

Return type:

WrapResult

Raises:

unwrap(context: gssapi.sec_contexts.SecurityContext, message: bytes) → gssapi.raw.named_tuples.UnwrapResult[source]

Unwrap/Decrypt a message.

This method unwraps or decrypts a message, depending on whether the sender used confidentiality.

Parameters:

context (SecurityContext) – the current security context
message (bytes) – the message to unwrap/decrypt

Returns:

the unwrapped/decrypted message, whether or on: encryption was used, and the QoP used

Return type:

UnwrapResult

Raises:

Misc

class OID[source]

A GSSAPI OID

A new OID may be created by passing the elements argument to the constructor. The elements argument should be a bytes consisting of the BER-encoded values in the OID.

To retrieve the underlying bytes, use the bytes function in Python 3.

This object is hashable, and may be compared using equality operators.

classmethod from_int_seq(integer_sequence: str | Iterable[int]) → OID[source]

Create a OID from a sequence of integers.

This method creates an OID from a sequence of integers. The sequence can either be in dotted form as a string, or in list form.

This method is not for BER-encoded byte strings, which can be passed directly to the OID constructor.

Parameters:: integer_sequence – either a list of integers or a string in dotted form
Returns:: the OID represented by the given integer sequence
Return type:: OID
Raises:: ValueError – the sequence is less than two elements long

property dotted_form: str[source]

class Name[source]: A GSSAPI Name

class OID[source]

A GSSAPI OID

A new OID may be created by passing the elements argument to the constructor. The elements argument should be a bytes consisting of the BER-encoded values in the OID.

To retrieve the underlying bytes, use the bytes function in Python 3.

This object is hashable, and may be compared using equality operators.

classmethod from_int_seq(integer_sequence: str | Iterable[int]) → OID[source]

Create a OID from a sequence of integers.

This method creates an OID from a sequence of integers. The sequence can either be in dotted form as a string, or in list form.

This method is not for BER-encoded byte strings, which can be passed directly to the OID constructor.

Parameters:: integer_sequence – either a list of integers or a string in dotted form
Returns:: the OID represented by the given integer sequence
Return type:: OID
Raises:: ValueError – the sequence is less than two elements long

property dotted_form: str

class MechType[source]

GSSAPI Mechanism Types

This enum-like object contains any mechanism OID values registered by imported mechanisms.

kerberos: gssapi.raw.oids.OID

indicate_mechs() → Set[gssapi.raw.oids.OID][source]

Get the currently supported mechanisms.

This method retrieves the currently supported GSSAPI mechanisms. Note that if unknown mechanims are found, those will be skipped.

inquire_names_for_mech(mech: gssapi.raw.oids.OID) → Set[gssapi.raw.oids.OID][source]

inquire_names_for_mech(mech) Get the name types supported by a mechanism.

This method retrieves the different name types supported by the given mechanism.

Parameters:: mech (OID) – the mechanism in question
Returns:: the name type OIDs supported by the given mechanism
Return type:: list
Raises:: GSSError –

inquire_mechs_for_name(name: gssapi.raw.names.Name) → Set[gssapi.raw.oids.OID][source]

inquire_mechs_for_name(name) List the mechanisms which can process a name.

This method lists the mechanisms which may be able to process the given name.

Parameters:: name (Name) – the name in question
Returns:: The mechanism OIDs able to process the given name
Raises:: GSSError –

exception GSSError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

maj_code: int[source]

min_code: int[source]

token: bytes | None[source]

calling_code: int[source]

routine_code: int[source]

supplementary_code: int[source]

get_all_statuses(code: int, is_maj: bool) → List[str][source]

Retrieve all messages for a status code.

This method retrieves all human-readable messages available for the given status code.

Parameters:

code – the status code in question
is_maj – whether this is a major status code (True) or minor status code (False)

Returns:

A list of string messages associated with the: given code

Return type:

[str]

gen_message() → str[source]

Retrieves all messages for this error’s status codes

This method retrieves all messages for this error’s status codes, and forms them into a string for use as an exception message

Returns:: a string for use as this error’s message
Return type:: str

class NameType[source]

GSSAPI Name Types

This enum-like object represents GSSAPI name types (to be used with import_name(), etc)

anonymous: gssapi.raw.oids.OID = Ellipsis[source]

export: gssapi.raw.oids.OID = Ellipsis[source]

hostbased_service: gssapi.raw.oids.OID = Ellipsis[source]

machine_uid: gssapi.raw.oids.OID = Ellipsis[source]

string_uid: gssapi.raw.oids.OID = Ellipsis[source]

user: gssapi.raw.oids.OID = Ellipsis[source]

composite_export: gssapi.raw.oids.OID = Ellipsis[source]

kerberos_principal: gssapi.raw.oids.OID = Ellipsis[source]

krb5_nt_principal_name: gssapi.raw.oids.OID = Ellipsis[source]

class RequirementFlag[source]

GSSAPI Requirement Flags

This IntEnum represents flags used with the SecurityContext-related methods (e.g. init_sec_context())

The numbers behind the values correspond directly to their C counterparts.

delegate_to_peer = 1[source]

mutual_authentication = 2[source]

replay_detection = 4[source]

out_of_sequence_detection = 8[source]

confidentiality = 16[source]

integrity = 32[source]

anonymity = 64[source]

protection_ready = 128[source]

transferable = 256[source]

channel_bound = 2048[source]

dce_style = 4096[source]

identify = 8192[source]

extended_error = 16384[source]

ok_as_delegate = 32768[source]

class AddressType[source]

GSSAPI Channel Bindings Address Types

This IntEnum represents the various address types used with the ChannelBindings structure.

The numbers behind the values correspond directly to their C counterparts. There is no value for GSS_C_AF_UNSPEC, since this is represented by None.

local = 1[source]

ip = 2[source]

arpanet = 3[source]

pup = 4[source]

chaos = 5[source]

xerox_ns = 6[source]

nbs = 7[source]

ecma = 8[source]

datakit = 9[source]

ccitt = 10[source]

ibm_sna = 11[source]

decnet = 12[source]

dli = 13[source]

lat = 14[source]

hyperchannel = 15[source]

appletalk = 16[source]

bisync = 17[source]

dss = 18[source]

osi_tp4 = 19[source]

x25 = 21[source]

null = 255[source]

class MechType[source]

GSSAPI Mechanism Types

This enum-like object contains any mechanism OID values registered by imported mechanisms.

kerberos: gssapi.raw.oids.OID[source]

class GenericFlagSet(flags: GenericFlagSet | numbers.Integral | int | None = None)[source]

A set backed by a 32-bit integer

This is a set backed by a 32 bit integer. the members are integers where only one bit is set.

The class supports normal set operations, as well as traditional “flag set” operations, such as bitwise AND, OR, and XOR.

MAX_VAL: int[source]

add(flag: int) → None[source]: Add an element.

discard(flag: int) → None[source]: Remove an element. Do not raise an exception if absent.

class IntEnumFlagSet(enum: Type[enum.IntEnum], flags: GenericFlagSet | numbers.Integral | int | None = None)[source]

A set backed by a 32-bit integer with enum members

This class is a GenericFlagSet where the returned members are values in an IntEnum.

It functions exactly like a GenericFlagSet, except that it also supports bitwise operations with the enum values.

GSSAPI Channel Bindings

This class represents a set of GSSAPI channel bindings.

Parameters:

initiator_address_type – the initiator address type
initiator_address – the initiator address
acceptor_address_type – the acceptor address type
acceptor_address – the acceptor address
application_data – additional application-specific data

initiator_address_type: int | None[source]

initiator_address: bytes | None[source]

acceptor_address_type: int | None[source]

acceptor_address: bytes | None[source]

application_data: bytes | None[source]

Additional RFCs and Extensions

The following is a list of GSSAPI extensions supported by the low-level API.

Note

While all of these extensions have bindings, they may not be supported by your particularly GSSAPI implementation. In this case, they will not be compiled, and will simply not be available in the gssapi.raw namespace.

RFC 4178 (GSS-API Negotiation Mechanism)

set_neg_mechs(cred_handle: gssapi.raw.creds.Creds, mech_set: Iterable[gssapi.raw.oids.OID]) → None[source]

Specify the set of security mechanisms that may be negotiated with the credential identified by cred_handle. If more than one mechanism is specified in mech_set, the order in which those mechanisms are specified implies a relative preference.

Parameters:

cred_handle (Creds) – credentials to set negotiable mechanisms for
mech_set (MechType) – negotiable mechanisms to be set

Returns:

None

Raises:

RFC 5587 (GSS-API Extension for Mech Attributes)

indicate_mechs_by_attrs(desired_mech_attrs: Iterable[gssapi.raw.oids.OID] | None = None, except_mech_attrs: Iterable[gssapi.raw.oids.OID] | None = None, critical_mech_attrs: Iterable[gssapi.raw.oids.OID] | None = None) → Set[gssapi.raw.oids.OID][source]

Get a set of mechanisms that have the specified attributes.

Parameters:

desired_mech_attrs (OID) – Attributes that the output mechs MUST offer
except_mech_attrs (OID) – Attributes that the output mechs MUST NOT offer
critical_mech_attrs (OID) – Attributes that the output mechs MUST understand and offer

Returns:

a set of mechs which satisfy the given criteria

Return type:

MechType

Raises:

inquire_attrs_for_mech(mech: gssapi.raw.oids.OID) → gssapi.raw.named_tuples.InquireAttrsResult[source]

Gets the set of attrs supported and known by a mechanism.

Parameters:: mech (MechType) – Mechanism to inquire about
Returns:: the results of inquiry; a mech’s attributes and known attributes
Return type:: InquireAttrsResult
Raises:: GSSError –

display_mech_attr(attr: gssapi.raw.oids.OID) → gssapi.raw.named_tuples.DisplayAttrResult[source]

Returns information about attributes in human readable form.

Parameters:: attr (OID) – Mechanism attribute to retrieve names and descriptions of
Returns:: the results of displaying the attribute; mech name, short description, and long description.
Return type:: DisplayAttrResult
Raises:: GSSError –

RFC 5588 (GSS-API Extension for Storing Delegated Credentials)

store_cred(creds: gssapi.raw.creds.Creds, usage: str = 'both', mech: gssapi.raw.oids.OID | None = None, overwrite: bool = False, set_default: bool = False) → gssapi.raw.named_tuples.StoreCredResult[source]

Store credentials into the default store.

This method stores the given credentials into the default store. They may then be retrieved later using acquire_cred().

Parameters:

creds (Creds) – the credentials to store
usage (str) – the usage to store the credentials with – either ‘both’, ‘initiate’, or ‘accept’
mech (OID) – the mechansim to associate with the stored credentials
overwrite (bool) – whether or not to overwrite existing credentials stored with the same name, etc
set_default (bool) – whether or not to set these credentials as the default credentials for the given store.

Returns:

the results of the credential storing operation

Return type:

StoreCredResult

Raises:

RFC 5801 (GSS-API SASL Extensions)

inquire_saslname_for_mech(mech: gssapi.raw.oids.OID) → gssapi.raw.named_tuples.InquireSASLNameResult[source]

Gets information about a specified mech, including the SASL name, the mech name, and the mech description.

Parameters:: mech (OID) – Mechanism to inquire about
Returns:: the results of inquiry; a mech’s SASL name, name, and description.
Return type:: InquireSASLNameResult
Raises:: GSSError – an unknown failure occurred

inquire_mech_for_saslname(sasl_name: bytes) → gssapi.raw.oids.OID[source]

Gets the OID for the mech specified by SASL name.

Parameters:: sasl_name (bytes) – SASL name of the mechanism
Returns:: the mechanism with corresponding SASL name.
Return type:: OID
Raises:: GSSError – An unknown failure occurred

Credential Store Extensions

Credential Store Extension

Acquire credentials from the given store.

This method acquires credentials from the store specified by the given credential store information.

The credential store information is a dictionary containing mechanisms-specific keys and values pointing to a credential store or stores.

Parameters:

store (dict) – the credential store information pointing to the credential store from which to acquire the credentials. See Common Values for Credentials Store Extensions for valid values
name (Name) – the name associated with the credentials, or None for the default name
lifetime (int) – the desired lifetime of the credentials in seconds, or None for indefinite
mechs (list) – the desired mechanisms to be used with these credentials, or None for the default set
usage (str) – the usage for these credentials – either ‘both’, ‘initiate’, or ‘accept’

Returns:

the acquired credentials and information about them

Return type:

Raises:

add_cred_from(dict_store: Dict[bytes | str, bytes | str] | None, input_creds: gssapi.raw.creds.Creds, name: gssapi.raw.names.Name, mech: gssapi.raw.oids.OID, usage: str = 'both', init_lifetime: int | None = None, accept_lifetime: int | None = None) → gssapi.raw.named_tuples.AcquireCredResult[source]

Acquire credentials to add to the current set from the given store.

This method works like acquire_cred_from(), except that it adds the acquired credentials for a single mechanism to a copy of the current set, instead of creating a new set for multiple mechanisms. Unlike acquire_cred(), you cannot pass None for the desired name or mechanism.

The credential store information is a dictionary containing mechanisms-specific keys and values pointing to a credential store or stores.

Parameters:

store (dict) – the store into which to store the credentials, or None for the default store. See Common Values for Credentials Store Extensions for valid values
name (Name) – the name associated with the credentials
mech (OID) – the desired mechanism to be used with these credentials
usage (str) – the usage for these credentials – either ‘both’, ‘initiate’, or ‘accept’
init_lifetime (int) – the desired initiate lifetime of the credentials in seconds, or None for indefinite
accept_lifetime (int) – the desired accept lifetime of the credentials in seconds, or None for indefinite

Returns:

the new credentials set and information about it

Return type:

Raises:

store_cred_into(dict_store: Dict[bytes | str, bytes | str] | None, creds: gssapi.raw.creds.Creds, usage: str = 'both', mech: gssapi.raw.oids.OID | None = None, overwrite: bool = False, set_default: bool = False) → gssapi.raw.named_tuples.StoreCredResult[source]

Store credentials into the given store.

This method stores the given credentials into the store specified by the given store information. They may then be retrieved later using acquire_cred_from() or add_cred_from().

The credential store information is a dictionary containing mechanisms-specific keys and values pointing to a credential store or stores.

Parameters:

store (dict) – the store into which to store the credentials, or None for the default store. See Common Values for Credentials Store Extensions for valid values
creds (Creds) – the credentials to store
usage (str) – the usage to store the credentials with – either ‘both’, ‘initiate’, or ‘accept’
mech (OID) – the mechansim to associate with the stored credentials
overwrite (bool) – whether or not to overwrite existing credentials stored with the same name, etc
set_default (bool) – whether or not to set these credentials as the default credentials for the given store.

Returns:

the results of the credential storing operation

Return type:

StoreCredResult

Raises:

RFC 6680 (GSS-API Naming Extensions)

display_name_ext(name: gssapi.raw.names.Name, name_type: gssapi.raw.oids.OID) → bytes[source]

Display the given Name using the given name type.

This method attempts to display the given Name using the syntax of the given name type. If this is not possible, an appropriate error will be raised.

Parameters:

name (Name) – the name to display
name_type (OID) – the name type (see NameType) to use to display the given name

Returns:

the displayed name

Return type:

Raises:

OperationUnavailableError – the given name could not be displayed using the given name type

inquire_name(name: gssapi.raw.names.Name, mech_name: bool = True, attrs: bool = True) → gssapi.raw.named_tuples.InquireNameResult[source]

Get information about a Name.

This method retrieves information about the given name, including the set of attribute names for the given name, as well as whether or not the name is a mechanism name. Additionally, if the given name is a mechanism name, the associated mechansim is returned as well.

Parameters:

name (Name) – the name about which to inquire
mech_name (bool) – whether or not to retrieve if this name is a mech_name (and the associate mechanism)
attrs (bool) – whether or not to retrieve the attribute name list

Returns:

the set of attribute names for the given name, whether or not the name is a Mechanism Name, and potentially the associated mechanism if it is a Mechanism Name

Return type:

InquireNameResult

Raises:

set_name_attribute(name: gssapi.raw.names.Name, attr: bytes, value: Iterable[bytes], complete: bool = False) → None[source]

Set the value(s) of a name attribute.

This method sets the value(s) of the given attribute on the given name.

Note that this functionality more closely matches the pseudo-API presented in RFC 6680, not the C API (which uses multiple calls to add multiple values). However, multiple calls to this method will continue adding values, so delete_name_attribute() must be used in between calls to “clear” the values.

Parameters:

name (Name) – the Name on which to set the attribute
attr (bytes) – the name of the attribute
value (list) – a list of bytes objects to use as the value(s)
complete (bool) – whether or not to mark this attribute’s value set as being “complete”

Raises:

OperationUnavailableError – the given attribute name is unknown or could not be set

get_name_attribute(name: gssapi.raw.names.Name, attr: bytes, more: int | None = None) → gssapi.raw.named_tuples.GetNameAttributeResult[source]

Get the value(s) of a name attribute.

This method retrieves the value(s) of the given attribute for the given Name.

Note that this functionality matches pseudo-API presented in RFC 6680, not the C API (which uses a state variable and multiple calls to retrieve multiple values).

Parameters:

name (Name) – the Name from which to get the attribute
attr (bytes) – the name of the attribute

Returns:

the raw version of the value(s), the human-readable version of the value(s), whether or not the attribute was authenticated, and whether or not the attribute’s value set was marked as complete

Return type:

GetNameAttributeResult

Raises:

OperationUnavailableError – the given attribute is unknown or unset

delete_name_attribute(name: gssapi.raw.names.Name, attr: bytes) → None[source]

Remove an attribute from a name.

This method removes an attribute from a Name. This method may be used before set_name_attribute() clear the values of an attribute before setting a new value (making the latter method work like a ‘set’ operation instead of an ‘add’ operation).

Note that the removal of certain attributes may not be allowed.

Parameters:

name (Name) – the name to remove the attribute from
attr (bytes) – the name of the attribute

Raises:

OperationUnavailableError –
UnauthorizedError –

export_name_composite(name: gssapi.raw.names.Name) → bytes[source]

Export a name, preserving attribute information.

This method functions similarly to export_name(), except that it preserves attribute information. The resulting bytes may be imported using import_name() with the composite_export name type.

Note

Some versions of MIT Kerberos require you to either canonicalize a name once it has been imported with composite-export name type, or to import using the normal export name type.

Parameters:: name (Name) – the name to export
Returns:: the exported composite name
Return type:: bytes
Raises:: GSSError –

Credentials Import-Export Extensions

Credentials Import/Export Extension

export_cred(creds: gssapi.raw.creds.Creds) → bytes[source]

Export GSSAPI credentials.

This method exports GSSSAPI credentials into a token which may be transmitted between different processes.

Parameters:: creds (Creds) – the credentials object to be exported
Returns:: the exported token representing the given credentials object
Return type:: bytes
Raises:: GSSError –

import_cred(token: bytes) → gssapi.raw.creds.Creds[source]

Import GSSAPI credentials from a token.

This method imports a credentials object from a token previously exported by export_cred().

Parameters:: token (bytes) – the token to import
Returns:: the imported credentials object
Return type:: Creds
Raises:: GSSError –

DCE (IOV/AEAD) Extensions

wrap_aead(context: gssapi.raw.sec_contexts.SecurityContext, message: bytes, associated: bytes | None = None, confidential: bool = True, qop: int | None = None) → gssapi.raw.named_tuples.WrapResult[source]

Wrap/Encrypt an AEAD message.

This method takes an input message and associated data, and outputs and AEAD message.

Parameters:

context (SecurityContext) – the current security context
message (bytes) – the message to wrap or encrypt
associated (bytes) – associated data to go with the message
confidential (bool) – whether or not to encrypt the message (True), or just wrap it with a MIC (False)
qop (int) – the desired Quality of Protection (or None for the default QoP)

Returns:

the wrapped/encrypted total message, and whether or not encryption was actually used

Return type:

WrapResult

Raises:

unwrap_aead(context: gssapi.raw.sec_contexts.SecurityContext, message: bytes, associated: bytes | None = None) → gssapi.raw.named_tuples.UnwrapResult[source]

Unwrap/Decrypt an AEAD message.

This method takes an encrpyted/wrapped AEAD message and some associated data, and returns an unwrapped/decrypted message.

Parameters:

context (SecurityContext) – the current security context
message (bytes) – the AEAD message to unwrap or decrypt
associated (bytes) – associated data that goes with the message

Returns:

the unwrapped/decrypted message, whether or on encryption was used, and the QoP used

Return type:

UnwrapResult

Raises:

class IOVBufferType[source]

IOV Buffer Types

This IntEnum represent GSSAPI IOV buffer types to be used with the IOV methods.

The numbers behind the values correspond directly to their C counterparts.

empty = 0[source]

data = 1[source]

header = 2[source]

mech_params = 3[source]

trailer = 7[source]

padding = 9[source]

stream = 10[source]

sign_only = 11[source]

mic_token = 12[source]

class IOVBuffer[source]

type: IOVBufferType[source]

allocate: bool | None[source]

value: bytes | None[source]

A GSSAPI IOV

index(value: Any) → int[source]

count(value: Any) → int[source]

wrap_iov(context: gssapi.raw.sec_contexts.SecurityContext, message: IOV, confidential: bool = True, qop: int | None = None) → bool[source]

Wrap/Encrypt an IOV message.

This method wraps or encrypts an IOV message. The allocate parameter of the IOVBuffer objects in the IOV indicates whether or not that particular buffer should be automatically allocated (for use with padding, header, and trailer buffers).

Warning

This modifies the input IOV.

Parameters:

context (SecurityContext) – the current security context
message (IOV) – an IOV containing the message
confidential (bool) – whether or not to encrypt the miovessage (True), or just wrap it with a MIC (False)
qop (int) – the desired Quality of Protection (or None for the default QoP)

Returns:

whether or not confidentiality was actually used

Return type:

bool

Raises:

unwrap_iov(context: gssapi.raw.sec_contexts.SecurityContext, message: IOV) → gssapi.raw.named_tuples.IOVUnwrapResult[source]

Unwrap/Decrypt an IOV message.

This method uwraps or decrypts an IOV message. The allocate parameter of the IOVBuffer objects in the IOV indicates whether or not that particular buffer should be automatically allocated (for use with padding, header, and trailer buffers).

As a special case, you may pass an entire IOV message as a single ‘stream’. In this case, pass a buffer type of IOVBufferType.stream followed by a buffer type of IOVBufferType.data. The former should contain the entire IOV message, while the latter should be empty.

Warning

This modifies the input IOV.

Parameters:

context (SecurityContext) – the current security context
message (IOV) – an IOV containing the message

Returns:

whether or not confidentiality was used, and the QoP used.

Return type:

IOVUnwrapResult

Raises:

wrap_iov_length(context: gssapi.raw.sec_contexts.SecurityContext, message: IOV, confidential: bool = True, qop: int | None = None) → gssapi.raw.named_tuples.WrapResult[source]

Appropriately size padding, trailer, and header IOV buffers.

This method sets the length values on the IOV buffers. You should already have data provided for the data (and sign-only) buffer(s) so that padding lengths can be appropriately computed.

In Python terms, this will result in an appropriately sized bytes object consisting of all zeros.

Warning

This modifies the input IOV.

Parameters:

context (SecurityContext) – the current security context
message (IOV) – an IOV containing the message

Returns:

a list of :class:IOVBuffer` objects, and whether or not encryption was actually used

Return type:

WrapResult

Raises:

IOV MIC Extensions

get_mic_iov(context: gssapi.raw.sec_contexts.SecurityContext, message: gssapi.raw.ext_dce.IOV, qop: int | None = None) → None[source]

Generate MIC tokens for the given IOV message.

This method generates a MIC token for the given IOV message, and places it in the mic_token buffer in the IOV. This method operates entirely in-place, and returns nothing.

Warning

This modifies the input IOV.

Parameters:

context (SecurityContext) – the current security context
message (IOV) – the IOV containing the message
qop (int) – the desired Quality of Protection (or None for the default QoP)

Returns:

None

Raises:

get_mic_iov_length(context: gssapi.raw.sec_contexts.SecurityContext, message: gssapi.raw.ext_dce.IOV, qop: int | None = None) → None[source]

Allocate space for the MIC buffer in the given IOV message.

This method allocates space for the MIC token buffer (mic_token) in the given IOV message.

Warning

This modifies the input IOV.

Parameters:

context (SecurityContext) – the current security context
message (IOV) – the IOV containing the message
qop (int) – the desired Quality of Protection (or None for the default QoP)

Returns:

None

Raises:

verify_mic_iov(context: gssapi.raw.sec_contexts.SecurityContext, message: gssapi.raw.ext_dce.IOV, qop: int | None = None) → int[source]

Verify that the MIC matches the data in the given IOV message.

This method verifies that the MIC token in the MIC buffer (mic_token) match the data buffer(s) in the given IOV method.

Parameters:

context (SecurityContext) – the current security context
message (IOV) – the IOV containing the message

Returns:

the QoP used to generate the MIC token

Return type:

Raises:

Global Grid Forum (GGF) Extensions

GGF Extensions

GGF provides extended credential and security context inquiry that allows application to retrieve more information about the client’s credentials and security context. One common use case is to use inquire_sec_context_by_oid() to retrieve the “session” key that is required by the SMB protocol for signing and encrypting a message.

Draft IETF document for these extensions can be found at https://tools.ietf.org/html/draft-engert-ggf-gss-extensions-00

inquire_cred_by_oid(cred_handle: gssapi.raw.creds.Creds, desired_aspect: gssapi.raw.oids.OID) → List[bytes][source]

This method inspects a Creds object for information specific to a particular desired aspect as an OID.

Parameters:

cred_handle (Creds) – the Credentials to query
desired_aspect (OID) – the desired aspect of the Credentials to inquire about.

Returns:

A list of zero or more pieces of data (as bytes objects)

Return type:

list

Raises:

inquire_sec_context_by_oid(context: gssapi.raw.sec_contexts.SecurityContext, desired_aspect: gssapi.raw.oids.OID) → List[bytes][source]

This method inspects a SecurityContext object for information specific to a particular desired aspect as an OID.

This method can be used with the GSS_KRB5_INQ_SSPI_SESSION_KEY_OID OID to retrieve the required key that is used to derive the SMB/SAMBA signing and encryption keys.

Parameters:

context (SecurityContext) – the Security Context to query
desired_aspect (OID) – the desired aspect of the Security Context to inquire about.

Returns:

A list of zero or more pieces of data (as bytes objects)

Return type:

list

Raises:

set_sec_context_option(desired_aspect: gssapi.raw.oids.OID, context: gssapi.raw.sec_contexts.SecurityContext, value: bytes | None = None) → None[source]

This method is used to set a value for a specific OID of a SecurityContext object. The OID and value to pass in depends on the mech the SecurityContext backs.

An example of how this can be used would be to reset the NTLM crypto engine used in gss-ntlmssp. The OID that controls this value is ‘1.3.6.1.4.1.7165.655.1.3’ and it takes it a byte value that represents an int32 where 1 resets the verifier handle and any other int resets the sender handle.

Parameters:

desired_aspect (OID) – the desired aspect of the Security Context to set the value for.
context (SecurityContext) – the Security Context to set, or None to create a new context.
value (bytes) – the value to set on the desired aspect of the Security Context or None to send GSS_C_EMPTY_BUFFER.

Returns:

The output security context.

Return type:

SecurityContext

Raises:

Services4User Extensions

Service4User Extension

acquire_cred_impersonate_name(impersonator_cred: gssapi.raw.creds.Creds, name: gssapi.raw.names.Name, lifetime: int | None = None, mechs: Iterable[gssapi.raw.oids.OID] | None = None, usage: str = 'initiate') → gssapi.raw.named_tuples.AcquireCredResult[source]

Acquire credentials by impersonating another name.

This method is one of the ways to use S4U2Self. It acquires credentials by impersonating another name using a set of proxy credentials. The impersonator credentials must have a usage of ‘both’ or ‘initiate’.

Parameters:

impersonator_cred (Creds) – the credentials with permissions to impersonate the target name
name (Name) – the name to impersonate
lifetime (int) – the lifetime for the credentials (or None for indefinite) in seconds
mechs (MechType) – the desired mechanisms for which the credentials should work (or None for the default set)
usage (str) – the usage type for the credentials: may be ‘initiate’, ‘accept’, or ‘both’

Returns:

the resulting credentials, the actual mechanisms with which they may be used, and their actual lifetime in seconds (or None for indefinite or not support)

Return type:

Raises:

add_cred_impersonate_name(input_cred: gssapi.raw.creds.Creds, impersonator_cred: gssapi.raw.creds.Creds, name: gssapi.raw.names.Name, mech: gssapi.raw.oids.OID, usage: str = 'initiate', init_lifetime: int | None = None, accept_lifetime: int | None = None) → gssapi.raw.named_tuples.AddCredResult[source]

Add a credentials element to a credential by impersonating another name.

This method is one of the ways to use S4U2Self. It adds credentials to the input credentials by impersonating another name using a set of proxy credentials. The impersonator credentials must have a usage of ‘both’ or ‘initiate’.

Parameters:

input_cred (Creds) – the set of credentials to which to add the new credentials
impersonator_cred (Creds) – the credentials with permissions to impersonate the target name
name (Name) – the name to impersonate
mech (MechType) – the desired mechanism. Note that this is both singular and required, unlike acquireCredImpersonateName
usage (str) – the usage type for the credentials: may be ‘initiate’, ‘accept’, or ‘both’
init_lifetime (int) – the lifetime, in seconds, for the credentials to remain valid when using them to initiate security contexts (or None for indefinite)
accept_lifetime (int) – the lifetime, in seconds, for the credentials to remain valid when using them to accept security contexts (or None for indefinite)

Returns:

the actual mechanisms with which the credentials may be used, the actual initiator TTL in seconds, and the actual acceptor TTL in seconds (the TTLs may be None for indefinite or not supported)

Return type:

AddCredResult

Raises:

Acquiring Credentials With a Password Extensions

acquire_cred_with_password(name: gssapi.raw.names.Name, password: bytes, lifetime: int | None = None, mechs: Iterable[gssapi.raw.oids.OID] | None = None, usage: str = 'initiate') → gssapi.raw.named_tuples.AcquireCredResult[source]

Acquire credentials through provided password.

This function is originally from Solaris and is not documented by either MIT or Heimdal.

In general, it functions similarly to acquire_cred().

Parameters:

name (Name) – the name to acquire credentials for
password (bytes) – the password used to acquire credentialss with
lifetime (int) – the lifetime for the credentials in seconds (or None for indefinite)
mechs (MechType) – the desired mechanisms for which the credentials should work (or None for the default set)
usage (str) – usage type for credentials. Possible values: ‘initiate’ (default), ‘accept’, ‘both’ (failsafe).

Returns:

the resulting credentials, the actual mechanisms with which they may be used, and their actual lifetime in seconds (or None for indefinite or not supported)

Return type:

Raises:

add_cred_with_password(input_cred: gssapi.raw.creds.Creds, name: gssapi.raw.names.Name, mech: gssapi.raw.oids.OID, password: bytes, usage: str = 'initiate', init_lifetime: int | None = None, accept_lifetime: int | None = None) → gssapi.raw.named_tuples.AddCredResult[source]

Add a credential-element to a credential using provided password.

This function is originally from Solaris and is not documented by either MIT or Heimdal.

In general, it functions similarly to add_cred().

Parameters:

input_cred (Creds) – the credentials to add to
name (Name) – the name to acquire credentials for
mech (MechType) – the desired mechanism. Note that this is both singular and required
password (bytes) – the password used to acquire credentialss with
usage (str) – the usage type for the credentials: may be ‘initiate’, ‘accept’, or ‘both’
init_lifetime (int) – the lifetime, in seconds, for the credentials to remain valid when using them to initiate security contexts (or None for indefinite)
accept_lifetime (int) – the lifetime, in seconds, for the credentials to remain valid when using them to accept security contexts (or None for indefinite)

Returns:

the actual mechanisms with which the credentials may be used, the actual initiator TTL in seconds, and the actual acceptor TTL in seconds (the TTLs may be None for indefinite or not supported)

Return type:

AddCredResult

Raises:

Kerberos Specific Extensions

class Krb5LucidContext[source]: The base container returned by krb5_export_lucid_sec_context() when an unknown version was requested.

class Krb5LucidContextV1[source]

Kerberos context data returned by krb5_export_lucid_sec_context() when version 1 was requested.

property version: int | None[source]

The structure version number

Returns:: the structure version number
Return type:: Optional[int]

property is_initiator: bool | None[source]

Whether the context was the initiator

Returns:: True when the exported context was the initiator
Return type:: Optional[bool]

property endtime: int | None[source]

Expiration time of the context

Returns:: the expiration time of the context
Return type:: Optional[int]

property send_seq: int | None[source]

Sender sequence number

Returns:: the sender sequence number
Return type:: Optional[int]

property recv_seq: int | None[source]

Receiver sequence number

Returns:: the receiver sequence number
Return type:: Optional[int]

property protocol: int | None[source]

The protocol number

If the protocol number is 0 then rfc1964_kd is set and cfx_kd is None. If the protocol number is 1 then the opposite is true.

Protocol 0 refers to RFC1964 and 1 refers to RFC4121.

Returns:: the protocol number
Return type:: Optional[int]

property rfc1964_kd: gssapi.raw.named_tuples.Rfc1964KeyData | None[source]

Keydata for protocol 0 (RFC1964)

This will be set when protocol is 0.

Returns:: the RFC1964 key data
Return type:: Optional[Rfc1964KeyData]

property cfx_kd: gssapi.raw.named_tuples.CfxKeyData | None[source]

Key data for protocol 1 (RFC4121)

This will be set when protocol is 1.

Returns:: the RFC4121 key data
Return type:: Optional[CfxKeyData]

krb5_ccache_name(name: bytes | None) → bytes[source]

Set the default Kerberos Protocol credentials cache name.

This method sets the default credentials cache name for use by he Kerberos mechanism. The default credentials cache is used by acquire_cred() to create a GSS-API credential. It is also used by init_sec_context() when GSS_C_NO_CREDENTIAL is specified.

Note

Heimdal does not return the old name when called. It also does not reset the ccache lookup behaviour when setting to None.

Note

The return value may not be thread safe.

Parameters:: name (Optional[bytes]) – the name to set as the new thread specific ccache name. Set to None to revert back to getting the ccache from the config/environment settings.
Returns:: the old name that was previously set
Return type:: bytes
Raises:: GSSError –

krb5_export_lucid_sec_context(context: gssapi.raw.sec_contexts.SecurityContext, version: int) → Krb5LucidContext[source]

Returns a non-opaque version of the internal context info.

Gets information about the Kerberos security context passed in. Currently only version 1 is known and supported by this library.

Note

The context handle must not be used again by the caller after this call.

Parameters:

context (SecurityContext) – the current security context
version (int) – the output structure version to export. Currently only 1 is supported.

Returns:

the non-opaque version context info

Return type:

Krb5LucidContext

Raises:

krb5_extract_authtime_from_sec_context(context: gssapi.raw.sec_contexts.SecurityContext) → int[source]

Get the auth time for the security context.

Gets the auth time for the established security context.

Note

Heimdal can only get the authtime on the acceptor security context. MIT is able to get the authtime on both initiators and acceptors.

Parameters:: context (SecurityContext) – the current security context
Returns:: the authtime
Return type:: int
Raises:: GSSError –

krb5_extract_authz_data_from_sec_context(context: gssapi.raw.sec_contexts.SecurityContext, ad_type: int) → bytes[source]

Extracts Kerberos authorization data.

Extracts authorization data that may be stored within the context.

Note

Only operates on acceptor contexts.

Parameters:

context (SecurityContext) – the current security context
ad_type (int) – the type of data to extract

Returns:

the raw authz data from the sec context

Return type:

Raises:

krb5_import_cred(cred_handle: gssapi.raw.creds.Creds, cache: int | None = None, keytab_principal: int | None = None, keytab: int | None = None) → None[source]

Import Krb5 credentials into GSSAPI credential.

Imports the krb5 credentials (either or both of the keytab and cache) into the GSSAPI credential so it can be used within GSSAPI. The ccache is copied by reference and thus shared, so if the credential is destroyed, all users of cred_handle will fail.

Parameters:

cred_handle (Creds) – the credential handle to import into
cache (int) – the krb5_ccache address pointer, as an int, to import from
keytab_principal (int) – the krb5_principal address pointer, as an int, of the credential to import
keytab (int) – the krb5_keytab address pointer, as an int, of the keytab to import

Returns:

None

Raises:

krb5_get_tkt_flags(context: gssapi.raw.sec_contexts.SecurityContext) → int[source]

Return ticket flags for the kerberos ticket.

Return the ticket flags for the kerberos ticket received when authenticating the initiator.

Note

Heimdal can only get the tkt flags on the acceptor security context. MIT is able to get the tkt flags on initiators and acceptors.

Parameters:: context (SecurityContext) – the security context
Returns:: the ticket flags for the received kerberos ticket
Return type:: int
Raises:: GSSError –

krb5_set_allowable_enctypes(cred_handle: gssapi.raw.creds.Creds, ktypes: Iterable[int]) → None[source]

Limits the keys that can be exported.

Called by a context initiator after acquiring the creds but before calling init_sec_context() to restrict the set of enctypes which will be negotiated during context establisment to those in the provided list.

Warning

The cred_handle should not be GSS_C_NO_CREDENTIAL.

Parameters:

cred_hande (Creds) – the credential handle
ktypes (List[int]) – list of enctypes allowed

Returns:

None

Raises:

Other Extensions

gss_set_cred_option

Provides a way to set options on a credential based on the OID specified. A common use case is to set the GSS_KRB5_CRED_NO_CI_FLAGS_X on a Kerberos credential. This is used for interoperability with Microsoft’s SSPI.

Note this function is commonly lumped with the GGF extensions but they are not part of the GGF IETF draft so it’s separated into it’s own file.

Closest draft IETF document for the gss_set_cred_option can be found at https://tools.ietf.org/html/draft-williams-kitten-channel-bound-flag-01

set_cred_option(desired_aspect: gssapi.raw.oids.OID, creds: gssapi.raw.creds.Creds | None = None, value: bytes | None = None) → gssapi.raw.creds.Creds[source]

This method is used to set options of a Creds object based on an OID key. The options that can be set depends on the mech the credentials were created with.

An example of how this can be used would be to set the GSS_KRB5_CRED_NO_CI_FLAGS_X on a Kerberos credential. The OID string for this flag is ‘1.2.752.43.13.29’ and it requires no value to be set. This must be set before the SecurityContext was initialised with the credentials.

Parameters:

desired_aspect (OID) – the desired aspect of the Credential to set.
cred_handle (Creds) – the Credentials to set, or None to create a new credential.
value (bytes) – the value to set on the desired aspect of the Credential or None to send GSS_C_EMPTY_BUFFER.

Returns:

The output credential.

Return type:

Creds

Raises:

Results

class AcquireCredResult(creds: gssapi.raw.creds.Creds, mechs: Set[OID], lifetime: int)[source]

Credential result when acquiring a GSSAPI credential.

Create new instance of AcquireCredResult(creds, mechs, lifetime)

creds: gssapi.raw.creds.Creds: GSSAPI credentials that were acquired

mechs: Set[OID]: Set of mechs the cred is for

lifetime: int: Number of seconds for which the cred will remain valid

class InquireCredResult(name: gssapi.raw.names.Name | None, lifetime: int | None, usage: str | None, mechs: Set[OID] | None)[source]

Information about the credential.

Create new instance of InquireCredResult(name, lifetime, usage, mechs)

name: gssapi.raw.names.Name | None: The principal associated with the credential

lifetime: int | None: Number of seconds which the cred is valid for

usage: str | None: How the credential can be used

mechs: Set[OID] | None: Set of mechs the cred is for

class InquireCredByMechResult(name: gssapi.raw.names.Name | None, init_lifetime: int | None, accept_lifetime: int | None, usage: str | None)[source]

Information about the credential for a specific mechanism.

Create new instance of InquireCredByMechResult(name, init_lifetime, accept_lifetime, usage)

name: gssapi.raw.names.Name | None: The principal associated with the credential

init_lifetime: int | None: Time valid for initiation, in seconds

accept_lifetime: int | None: Time valid for accepting, in seconds

usage: str | None: How the credential can be used

class AddCredResult(creds: gssapi.raw.creds.Creds | None, mechs: Set[OID], init_lifetime: int, accept_lifetime: int)[source]

Result of adding to a GSSAPI credential.

Create new instance of AddCredResult(creds, mechs, init_lifetime, accept_lifetime)

creds: gssapi.raw.creds.Creds | None: The credential that was generated

mechs: Set[OID]: Set of mechs the cred is for

init_lifetime: int: Time valid for initiation, in seconds

accept_lifetime: int: Time valid for accepting, in seconds

class DisplayNameResult(name: bytes, name_type: OID | None)[source]

Textual representation of a GSSAPI name.

Create new instance of DisplayNameResult(name, name_type)

name: bytes: The representation of the GSSAPI name

name_type: OID | None: The type of GSSAPI name

class WrapResult(message: bytes, encrypted: bool)[source]

Wrapped message result.

Create new instance of WrapResult(message, encrypted)

message: bytes: The wrapped message

encrypted: bool: Whether the message is encrypted and not just signed

class UnwrapResult(message: bytes, encrypted: bool, qop: int)[source]

Unwrapped message result.

Create new instance of UnwrapResult(message, encrypted, qop)

message: bytes: The unwrapped message

encrypted: bool: Whether the message was encrypted and not just signed

qop: int: The quality of protection applied to the message

class AcceptSecContextResult(context: gssapi.raw.sec_contexts.SecurityContext, initiator_name: gssapi.raw.names.Name, mech: OID, token: bytes | None, flags: RequirementFlag, lifetime: int, delegated_creds: gssapi.raw.creds.Creds | None, more_steps: bool)[source]

Result when accepting a security context by an initiator.

Create new instance of AcceptSecContextResult(context, initiator_name, mech, token, flags, lifetime, delegated_creds, more_steps)

context: gssapi.raw.sec_contexts.SecurityContext: The acceptor security context

initiator_name: gssapi.raw.names.Name: The authenticated name of the initiator

mech: OID: Mechanism with which the context was established

token: bytes | None: Token to be returned to the initiator

flags: RequirementFlag: Services requested by the initiator

lifetime: int: Seconds for which the context is valid for

delegated_creds: gssapi.raw.creds.Creds | None: Delegated credentials

more_steps: bool: More input is required to complete the exchange

class InitSecContextResult(context: gssapi.raw.sec_contexts.SecurityContext, mech: OID, flags: RequirementFlag, token: bytes | None, lifetime: int, more_steps: bool)[source]

Result when initiating a security context

Create new instance of InitSecContextResult(context, mech, flags, token, lifetime, more_steps)

context: gssapi.raw.sec_contexts.SecurityContext: The initiator security context

mech: OID: Mechanism used in the security context

flags: RequirementFlag: Services available for the context

token: bytes | None: Token to be sent to the acceptor

lifetime: int: Seconds for which the context is valid for

more_steps: bool: More input is required to complete the exchange

Information about the security context.

Create new instance of InquireContextResult(initiator_name, target_name, lifetime, mech, flags, locally_init, complete)

initiator_name: gssapi.raw.names.Name | None: Name of the initiator

target_name: gssapi.raw.names.Name | None: Name of the acceptor

lifetime: int | None: Time valid for the security context, in seconds

mech: OID | None: Mech used to create the security context

flags: RequirementFlag | None: Services available for the context

locally_init: bool | None: Context was initiated locally

complete: bool | None: Context has been established and ready to use

class StoreCredResult(mechs: List[OID], usage: str)[source]

Result of the credential storing operation.

Create new instance of StoreCredResult(mechs, usage)

mechs: List[OID]: Mechs that were stored in the credential store

usage: str: How the credential can be used

class IOVUnwrapResult(encrypted: bool, qop: int)[source]

Unwrapped IOV message result.

Create new instance of IOVUnwrapResult(encrypted, qop)

encrypted: bool: Whether the message was encrypted and not just signed

qop: int: The quality of protection applied to the message

class InquireNameResult(attrs: List[bytes], is_mech_name: bool, mech: OID)[source]

Information about a GSSAPI Name.

Create new instance of InquireNameResult(attrs, is_mech_name, mech)

attrs: List[bytes]: Set of attribute names

is_mech_name: bool: Name is a mechanism name

mech: OID: The mechanism if is_name_mech is True

class GetNameAttributeResult(values: List[bytes], display_values: List[bytes], authenticated: bool, complete: bool)[source]

GSSAPI Name attribute values.

Create new instance of GetNameAttributeResult(values, display_values, authenticated, complete)

values: List[bytes]: Raw values

display_values: List[bytes]: Human-readable values

authenticated: bool: Attribute has been authenticated

complete: bool: Attribute value is marked as complete

class InquireAttrsResult(mech_attrs: Set[OID], known_mech_attrs: Set[OID])[source]

Set of attributes supported and known by a mechanism.

Create new instance of InquireAttrsResult(mech_attrs, known_mech_attrs)

mech_attrs: Set[OID]: The mechanisms attributes

known_mech_attrs: Set[OID]: Known attributes of the mechanism

class DisplayAttrResult(name: bytes, short_desc: bytes, long_desc: bytes)[source]

Information about an attribute.

Create new instance of DisplayAttrResult(name, short_desc, long_desc)

name: bytes: The mechanism name

short_desc: bytes: Short description of the mechanism

long_desc: bytes: Long description of the mechanism

class InquireSASLNameResult(sasl_mech_name: bytes, mech_name: bytes, mech_description: bytes)[source]

SASL informmation about a GSSAPI Name.

Create new instance of InquireSASLNameResult(sasl_mech_name, mech_name, mech_description)

sasl_mech_name: bytes: The SASL name

mech_name: bytes: The mechanism name

mech_description: bytes: The mechanism description

class Rfc1964KeyData(sign_alg: int, seal_alg: int, key_type: int, key: bytes)[source]

Security context key data based on RFC1964.

Create new instance of Rfc1964KeyData(sign_alg, seal_alg, key_type, key)

sign_alg: int: Signing algorithm identifier

seal_alg: int: Sealing algorithm identifier

key_type: int: Key encryption type identifier

key: bytes: Encryption key data

class CfxKeyData(ctx_key_type: int, ctx_key: bytes, acceptor_subkey_type: int | None, acceptor_subkey: bytes | None)[source]

Securty context key data.

Create new instance of CfxKeyData(ctx_key_type, ctx_key, acceptor_subkey_type, acceptor_subkey)

ctx_key_type: int: Context key encryption type identifier

ctx_key: bytes: Context key data - session or sub-session key

acceptor_subkey_type: int | None: Acceptor key enc type identifier

acceptor_subkey: bytes | None: Acceptor key data

Exceptions

exception GSSError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: Exception

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

maj_code: int

min_code: int

token: bytes | None

calling_code: int

routine_code: int

supplementary_code: int

get_all_statuses(code: int, is_maj: bool) → List[str][source]

Retrieve all messages for a status code.

This method retrieves all human-readable messages available for the given status code.

Parameters:

code – the status code in question
is_maj – whether this is a major status code (True) or minor status code (False)

Returns:

A list of string messages associated with the: given code

Return type:

[str]

gen_message() → str[source]

Retrieves all messages for this error’s status codes

This method retrieves all messages for this error’s status codes, and forms them into a string for use as an exception message

Returns:: a string for use as this error’s message
Return type:: str

exception ParameterReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ParameterWriteError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception MalformedParameterError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadMechanismError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadNameError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadNameTypeError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadChannelBindingsError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadStatusError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadMICError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception MissingCredentialsError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception MissingContextError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception InvalidTokenError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception InvalidCredentialsError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ExpiredCredentialsError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ExpiredContextError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception BadQoPError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception UnauthorizedError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception OperationUnavailableError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception DuplicateCredentialsElementError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception MechanismNameRequiredError(maj_code: int, min_code: int, token: bytes | None = None)[source]

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception NameReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterReadError, BadNameError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception NameTypeReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterReadError, BadNameTypeError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception TokenReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterReadError, InvalidTokenError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ContextReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterReadError, MissingContextError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception CredentialsReadError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterReadError, MissingCredentialsError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception ContextWriteError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterWriteError, MissingContextError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception CredentialsWriteError(maj_code: int, min_code: int, token: bytes | None = None)[source]

Bases: ParameterWriteError, MissingCredentialsError

A GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes

exception SupplementaryError(maj_code: int, min_code: int, token: bytes | None = None)[source]