reuse kerberos ticket from Operating system cache

[LucaGalvagno]

Good Morning, I would like to understand if with pyspnego is possible to reuse kerberos tickets coming from Operating system cache , in the case of Linux from the KEYRING kernel cache (is where sssd is storing such stuff by default). Thanks Kind Regards

[jborean93]

Yep, just don’t specify an explicit username/password and it will use the cached credential (if present). Typically what klist will show.

[LucaGalvagno]

I'm sorry, but could you please put code snippet ?

[jborean93]

It’s the exact same way you call it normally but without setting the username/password kwarg.

[LucaGalvagno]

Hi , indeed I did what you suggested using one of the examples (client_auth.py) , but a StopIteration (on enc_data = client.wrap(data) ) exception is raised, negotiation attribute is "none" . Below the source code and my klist results .

Source code : #########################################

import spnego

def exchange_data(data: bytes) -> bytes:
    # Insert code to send to acceptor and receive token
    return b""
def main() -> None:
    client = spnego.client(service="krbtgt/XXXX.LOCAL@XXXX.LOCAL")

    in_token = None
    while client.complete:
        out_token = client.step(in_token)
        if not out_token:
            break

        in_token = exchange_data(out_token)

    print("Negotiated protocol: %s" % client.negotiated_protocol)

    data = b"my secret"
    enc_data = client.wrap(data)

    resp = exchange_data(enc_data.data)
    dec_data = client.unwrap(resp)

    print("Server response: %s" % dec_data.data.decode("utf-8"))

if __name__ == "__main__":
    main()

##################################################### klist :

Ticket cache: KCM:1208801129:25868 Default principal: testuser1@XXXX.LOCAL

Valid starting Expires Service principal 07/14/2024 10:38:48 07/14/2024 20:38:48 krbtgt/XXXX.LOCAL@XXXX.LOCAL renew until 07/21/2024 10:38:48

[jborean93]

A few things to note

• The example had an issue, the loop should be while not client.complete:
  • Updated with commit https://github.com/jborean93/pyspnego/commit/2811a7ea7f99866b0b99cb16892b42d66b739fe5
• You need to implement your own logic with exchange_data, how you do this depends on how you are authenticating
• The service should reflect the service you are authenticating with. It should also only be the service part
  • Typically the service is something like host, http, but it can be anything as it's dependent on the host you are talking to
  • The hostname kwarg specifies the hostname portion of the SPN
  • E.g. service='host', hostname='target-host.domain.com'