python-krb5ticket
A simple Python wrapper to create Kerberos V5 ticket-granting tickets (TGTs) using either a password or a keytab file. It also supports the creation of Kerberos keytab files.
Getting started
Install the python-krb5ticket library using pip:
$ pip install python-krb5ticket
krb5
The Krb5 class provides an interface to acquire Kerberos ticket-granting tickets (TGTs) using either a key table file or a password.
Note
SECURITY ADVISORY
Please refrain from acquiring TGTs using the password method, as passwords are not encrypted and are passed along in plain text.
Examples
Acquires Kerberos ticket-granting ticket (TGT) with keytab file.
import krb5

krb = krb5.Krb5("user@EXAMPLE.COM", "/tmp/krb5cc_user")
krb.acquire_with_keytab("/home/user/user.keytab")
Acquires Kerberos ticket-granting ticket (TGT) with password.
from krb5 import Krb5

krb = Krb5("user@EXAMPLE.COM", "/tmp/krb5cc_user")
krb.acquire_with_password("thisismypassword")
ktutil
The ktutil class provides an interface to manage Kerberos V5 key table files. This class is a wrapper around the MIT Kerberos ktutil command-line interface.
Examples
Reads the Kerberos V5 keytab file keytab into the current keylist, then prints the current keylist.
from krb5 import ktutil

KEYTAB = "jsmith.keytab"

kt = ktutil()
kt.read_kt(KEYTAB)
kt.list()
kt.quit()
print(kt.keylist)
This would return a list containing dictionary objects with keys: slot, kvno and principal.
[
    {
        'slot': 1,
        'kvno': 1,
        'principal': 'jsmith@EXAMPLE.COM'
    },
    {
        'slot': 2,
        'kvno': 1,
        'principal': 'jsmith@EXAMPLE.COM'
    }
]
Adds an entry to the current keylist using key or password and writes it to a keytab file.
from krb5 import ktutil

PRINCIPAL = "jsmith@EXAMPLE.COM"
PASSWORD = "securepassword"
KVNO = 1
ENCTYPE = "aes128-cts-hmac-sha1-96"
ENTRYTYPE = "password"  # if "key", PASSWORD must be a passphrase
KEYTAB = "jsmith.keytab"

kt = ktutil()
kt.add_entry(PRINCIPAL, PASSWORD, KVNO, ENCTYPE, ENTRYTYPE)
kt.write_kt(KEYTAB)
kt.quit()
Important
Be aware that the write_kt method can be confusing: if the keytab file already exists, the keylist content is appended to it. This matters when using delete_entry, as it will cause duplication if you do not write the keylist to a new file.
Deletes an entry from the current keylist and writes it to a NEW keytab file.
from krb5 import ktutil

KEYTAB = "jsmith.keytab"
NEW_KEYTAB = "jsmith_new.keytab"
SLOT = 2

kt = ktutil()
kt.read_kt(KEYTAB)
kt.delete_entry(SLOT)
kt.write_kt(NEW_KEYTAB)
kt.quit()
Important
As indicated above, if you invoke write_kt on the original keytab file, the current keylist will be appended to the keytab file, duplicating every entry in the current keylist. For example, if your keytab file has 4 entries and you delete 1, the current keylist has 3 entries while the keytab file still has all 4; when you invoke write_kt, the 3 entries from the keylist are appended to the keytab file, which would cause the keytab to have 6 total entries (4 - 1 + 3 = 6, with 3 being duplicates).
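One way to delete a slot and keep the original file name without hitting the append behaviour is sketched below. It is an added example, not part of python-krb5ticket. The helper names list_entries and delete_slot_in_place and the kt_factory parameter are hypothetical, and it assumes the ktutil methods behave as in the examples above (keylist is populated after list() and quit()).

```python
import os
import tempfile


def list_entries(keytab, kt_factory):
    """Return the keylist of `keytab`, using the call order shown on this page."""
    kt = kt_factory()
    kt.read_kt(keytab)
    kt.list()
    kt.quit()
    return list(kt.keylist)


def delete_slot_in_place(keytab, slot, kt_factory=None):
    """Delete `slot` from `keytab` without triggering write_kt's append behaviour.

    The reduced keylist is written to a fresh file in a private temporary
    directory, checked, and then swapped over the original atomically.
    """
    if kt_factory is None:
        from krb5 import ktutil as kt_factory  # the class documented above

    before = list_entries(keytab, kt_factory)
    if slot not in [e["slot"] for e in before]:
        raise ValueError(f"slot {slot} not present in {keytab}")

    parent = os.path.dirname(os.path.abspath(keytab))
    # The temp directory is created 0700 next to the keytab (same filesystem),
    # so os.replace below is an atomic rename.
    with tempfile.TemporaryDirectory(dir=parent) as tmpdir:
        new_path = os.path.join(tmpdir, os.path.basename(keytab))
        kt = kt_factory()
        kt.read_kt(keytab)
        kt.delete_entry(slot)
        kt.write_kt(new_path)  # path does not exist yet, so nothing to append to
        kt.quit()
        os.chmod(new_path, 0o600)  # keytabs hold long-term keys

        # Read the new file back before replacing the original.
        after = list_entries(new_path, kt_factory)
        if len(after) != len(before) - 1:
            raise RuntimeError(f"expected {len(before) - 1} entries, found {len(after)}")
        os.replace(new_path, keytab)
    return after
```

If the read-back check fails, the original keytab is left untouched and the temporary directory is removed together with the rejected file.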