[Freeipa-devel] python kerberos problems (forms based auth)
Dmitri Pal
dpal at redhat.com
Sat Feb 18 20:33:22 UTC 2012
On 02/17/2012 04:08 PM, Simo Sorce wrote:
> On Fri, 2012-02-17 at 15:35 -0500, John Dennis wrote:
>> I'm trying to add the missing session features. Last night I started to
>> add support for forms based auth (i.e. on the web UI a user enters his
>> password and we get a kerberos ticket for them). To do that we need to
>> call krb5_get_init_creds_password() (or the deprecated
>> krb5_get_in_tkt_with_password()).
>>
>> Bad news, the python kerberos library we're using, python-krbV, does not
>> export this functionality.
>>
>> There is a python library, python-krb5, which does export it but it's
>> not packaged for Fedora or RHEL. It's also rather incomplete.
>>
>> So it looks like we have a few options:
>>
>> 1) add krb5_get_init_creds_password() to python-krbV
>>
>> 2) package python-krb5 for fedora and RHEL.
>>
>> 3) use my new python kerberos library
>>
>> 4) invoke kinit as a subprocess
>>
>> 5) drop the feature.
>>
>> From my perspective option 1 of adding the support to python-krbV is a
>> non-starter. This python library has been nothing but a headache to use,
>> it's incomplete and it's not pythonic. But the real problem is it's
>> horribly coded, it doesn't use Python classes, it incorrectly uses
>> deprecated internal Python API's and it's doesn't encapsulate kerberos
>> objects inside genuine Python objects. All of which means it's
>> fundamentally flawed, fragile, out of date, and difficult to extend. I
>> don't think there is any justification for any continued development on
>> this library, it should be put out of it's misery and it should have
>> been killed years ago. The only reason it wasn't was because there
>> wasn't anything better to replace it with.
>>
>> I see little point in option 2 as well, getting a new package into
>> Fedora and RHEL is a significant effort and since this package is rather
>> incomplete and wouldn't serve all of IPA's needs then why go through
>> that effort just to get access to one function from Python?
>>
>> I got so frustrated with kerberos options for Python I started writing a
>> new MIT Kerberos Python binding in my spare time. It's pythonic, meaning
>> it supports all the basic python operations you expect such as genuine
>> classes that encapsulate a genuine Kerberos object, properties,
>> iteration, indexing, slices, comparison, stringification, etc. It's not
>> complete yet, at the moment it supports these classes: Context, CCache,
>> Credential, Principal, Keytab, Address, KeyBlock, and TicketTimes. It
>> does not yet support krb5_get_init_creds_password() but the framework is
>> so clean it would be easy to add.
>>
>> I'm not a fan of option 4, invoking kinit. I'm pretty sure it would
>> involve doing the pseudo terminal dance to pass the password. I've done
>> similar things in the past from Python (e.g. invoking some of the NSS
>> cert generation utilies that prompt for passwords). It tends to be
>> fragile as well as being inefficient, awkward and possibly may run afoul
>> of SELinux, but it's an option, not one I'm keen on though, but it could
>> be a "workaround".
> It seem like kinit can be passed a password through stdin w/o problems
> (just tried with echo "password" | kinit foobar) so maybe this option is
> not that bad.
>
>> Summary:
>>
>> If we added krb5_get_init_creds_password() to the existing python-krbV
>> we would have to rebase or backport in rhel, never an easy task. It also
>> wouldn't be easy to code up in the first place because the C code in
>> python-krbV is so horrible.
> Pass, waste of time
>
>> python-krb5 is a non-starter, it doesn't exist in Fedora and RHEL and
>> there is little justification in adding it, plus why go through the work
>> of adding this as new package when there is a far better python kerberos
>> binding available.
> Pass, non-starter
>
>> We could finish up the work I started on the new binding and get it
>> packaged. I think it would add a lot to IPA and the community in
>> general. But if you add up the time to finish the functionality, write
>> unit tests, get it reviewed, get it packaged it's still a chunk of work
>> despite the fact a large part of it is already written and working.
> I like this, but too late in the process, I would like to have it in 3.0
> though.
>
>> Bottom line, I don't think we'll be supporting forms based auth anytime
>> soon unless I've missed some easy way to get a ticket for a user from
>> inside Python code.
> kinit, ugly but will work I think.
>
>> P.S.: Since IPA is based on Kerberos and IPA is written in Python it
>> would seem to make sense to have a decent Python binding for Kerberos.
> It does.
>
>> Thoughts? Comments?
> I think 'kinit' for now, and your new bindings for 3.0 would be the
> 'right' answer.
>
> Simo.
>
I am definitely not a Python person but in AuthHub code I have see the
following construct:
https://fedorahosted.org/AuthHub/browser/plugins/python/authhub-yubikey/authhub-yubikey
when a shared library is loaded and and entry point is mapped.
I assume this can be easily done as in the example code so why we are
not doing this instead of starting KINIT as a separate process? I know
it is probably not the cleanest approach but I am surprised to not find
it as one of the top options on the list in the current situation with
the given constraints.
I am not against Simo's approach, just wanted to make sure all options
are mentioned.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list