python-krb5ticket

Simple Python wrapper to create Kerberos V5 ticket-granting tickets (TGTs), using either a password or a keytab file. It also supports the creation of Kerberos keytab files.

Getting started

Install the python-krb5ticket library using pip:

bash
$ pip install python-krb5ticket

krb5

The Krb5 class provides an interface to acquire Kerberos ticket-granting tickets (TGTs) using either a key table file or a password.

Note

SECURITY ADVISORY

Please refrain from acquiring TGTs using the password method: the password is not encrypted and is passed along in plain text.

Examples

Acquires Kerberos ticket-granting ticket (TGT) with keytab file.

Python
import krb5

# Principal, and the credential cache file that will hold the TGT
krb = krb5.Krb5("user@EXAMPLE.COM", "/tmp/krb5cc_user")
krb.acquire_with_keytab("/home/user/user.keytab")

Acquires Kerberos ticket-granting ticket (TGT) with password.

Python
from krb5 import Krb5

krb = Krb5("user@EXAMPLE.COM", "/tmp/krb5cc_user")
krb.acquire_with_password("thisismypassword")

ktutil

The ktutil class provides an interface to manage Kerberos V5 key table files. This class is a wrapper around the MIT Kerberos ktutil command-line interface.

Examples

Reads a Kerberos V5 keytab file into the current keylist, then prints the current keylist.

Python
from krb5 import ktutil

KEYTAB = "jsmith.keytab"

kt = ktutil()
kt.read_kt(KEYTAB)
kt.list()
kt.quit()
print(kt.keylist)

This would return a list containing dictionary objects with keys: slot, kvno and principal.

[
    {
        'slot': 1,
        'kvno': 1,
        'principal': 'jsmith@EXAMPLE.COM'
    },
    {
        'slot': 2,
        'kvno': 1,
        'principal': 'jsmith@EXAMPLE.COM'
    }
]

Adds an entry to the current keylist using key or password and writes it to a keytab file.

Python
from krb5 import ktutil

PRINCIPAL = "jsmith@EXAMPLE.COM"
PASSWORD = "securepassword"
KVNO = 1
ENCTYPE = "aes128-cts-hmac-sha1-96"
ENTRYTYPE = "password" # if "key", PASSWORD must be a passphrase
KEYTAB = "jsmith.keytab"

kt = ktutil()
kt.add_entry(PRINCIPAL, PASSWORD, KVNO, ENCTYPE, ENTRYTYPE)
kt.write_kt(KEYTAB)
kt.quit()

Important

Be aware that the write_kt method can be confusing: if the keytab file already exists, the keylist content is appended to it. This matters when using delete_entry, because entries will be duplicated unless you write the keylist to a new file.

Deletes an entry from the current keylist and writes it to a NEW keytab file.

Python
from krb5 import ktutil

KEYTAB = "jsmith.keytab"
NEW_KEYTAB = "jsmith_new.keytab"
SLOT = 2

kt = ktutil()
kt.read_kt(KEYTAB)
kt.delete_entry(SLOT)
kt.write_kt(NEW_KEYTAB)
kt.quit()

Important

As indicated above, if you invoke write_kt on the original keytab file, the current keylist will be appended to the keytab file, duplicating every entry in the current keylist. For example, if your keytab file has 4 entries and you delete 1, the current keylist has 3 entries while the keytab file still has all 4. When you then invoke write_kt, the 3 entries from the keylist are appended to the keytab file, which would cause the keytab to have 6 total entries (4 - 1 + 3 = 6, with 3 being duplicates).
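
One way to follow this advice and still end up with the keytab at its original path, as an added example that is not part of python-krb5ticket: write the keylist to a path that does not exist yet, restrict its permissions, then move it over the original. The helper name `delete_slot_and_replace` and its `ktutil_cls` parameter are hypothetical; the code assumes only the ktutil methods shown above.

```python
import os
import stat
import tempfile


def delete_slot_and_replace(keytab, slot, ktutil_cls=None):
    """Delete one keylist slot and replace `keytab` without duplicating entries.

    write_kt appends to an existing file, so the keylist is written to a
    path that does not exist yet and then moved over the original.
    """
    if ktutil_cls is None:
        # Deferred import of the class documented on this page.
        from krb5 import ktutil as ktutil_cls

    keytab = os.path.abspath(keytab)
    # mkdtemp creates a 0700 directory, so the new file is never exposed to
    # other users. Placing it beside the keytab keeps os.replace on one
    # filesystem, which makes the final swap atomic.
    workdir = tempfile.mkdtemp(prefix=".kt-", dir=os.path.dirname(keytab))
    new_keytab = os.path.join(workdir, os.path.basename(keytab))
    try:
        kt = ktutil_cls()
        try:
            kt.read_kt(keytab)
            kt.delete_entry(slot)
            kt.write_kt(new_keytab)  # fresh path: nothing to append to
        finally:
            kt.quit()
        # A keytab holds long-term keys: owner read/write only.
        os.chmod(new_keytab, stat.S_IRUSR | stat.S_IWUSR)
        os.replace(new_keytab, keytab)
    finally:
        # On failure the original keytab is untouched; clean up either way.
        if os.path.exists(new_keytab):
            os.remove(new_keytab)
        os.rmdir(workdir)
    return keytab
```

If any step fails before the swap, the original keytab is left as it was and the temporary directory is removed.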