[Freeipa-devel] python kerberos problems (forms based auth)

Simo Sorce simo at redhat.com
Fri Feb 17 21:08:34 UTC 2012 

On Fri, 2012-02-17 at 15:35 -0500, John Dennis wrote:
> I'm trying to add the missing session features. Last night I started to 
> add support for forms based auth (i.e. on the web UI a user enters his 
> password and we get a kerberos ticket for them). To do that we need to 
> call krb5_get_init_creds_password() (or the deprecated 
> krb5_get_in_tkt_with_password()).
> 
> Bad news, the python kerberos library we're using, python-krbV, does not 
> export this functionality.
> 
> There is a python library, python-krb5, which does export it but it's 
> not packaged for Fedora or RHEL. It's also rather incomplete.
> 
> So it looks like we have a few options:
> 
> 1) add krb5_get_init_creds_password() to python-krbV
> 
> 2) package python-krb5 for fedora and RHEL.
> 
> 3) use my new python kerberos library
> 
> 4) invoke kinit as a subprocess
> 
> 5) drop the feature.
> 
>  From my perspective option 1 of adding the support to python-krbV is a 
> non-starter. This python library has been nothing but a headache to use, 
> it's incomplete and it's not pythonic. But the real problem is it's 
> horribly coded, it doesn't use Python classes, it incorrectly uses 
> deprecated internal Python API's and it's doesn't encapsulate kerberos 
> objects inside genuine Python objects. All of which means it's 
> fundamentally flawed, fragile, out of date, and difficult to extend. I 
> don't think there is any justification for any continued development on 
> this library, it should be put out of it's misery and it should have 
> been killed years ago. The only reason it wasn't was because there 
> wasn't anything better to replace it with.
> 
> I see little point in option 2 as well, getting a new package into 
> Fedora and RHEL is a significant effort and since this package is rather 
> incomplete and wouldn't serve all of IPA's needs then why go through 
> that effort just to get access to one function from Python?
> 
> I got so frustrated with kerberos options for Python I started writing a 
> new MIT Kerberos Python binding in my spare time. It's pythonic, meaning 
> it supports all the basic python operations you expect such as genuine 
> classes that encapsulate a genuine Kerberos object, properties, 
> iteration, indexing, slices, comparison, stringification, etc. It's not 
> complete yet, at the moment it supports these classes: Context, CCache, 
> Credential, Principal, Keytab, Address, KeyBlock, and TicketTimes. It 
> does not yet support krb5_get_init_creds_password() but the framework is 
> so clean it would be easy to add.
> 
> I'm not a fan of option 4, invoking kinit. I'm pretty sure it would 
> involve doing the pseudo terminal dance to pass the password. I've done 
> similar things in the past from Python (e.g. invoking some of the NSS 
> cert generation utilies that prompt for passwords). It tends to be 
> fragile as well as being inefficient, awkward and possibly may run afoul 
> of SELinux, but it's an option, not one I'm keen on though, but it could 
> be a "workaround".

It seem like kinit can be passed a password through stdin w/o problems
(just tried with echo "password" | kinit foobar) so maybe this option is
not that bad.

> Summary:
> 
> If we added krb5_get_init_creds_password() to the existing python-krbV 
> we would have to rebase or backport in rhel, never an easy task. It also 
> wouldn't be easy to code up in the first place because the C code in 
> python-krbV is so horrible.

Pass, waste of time

> python-krb5 is a non-starter, it doesn't exist in Fedora and RHEL and 
> there is little justification in adding it, plus why go through the work 
> of adding this as new package when there is a far better python kerberos 
> binding available.

Pass, non-starter

> We could finish up the work I started on the new binding and get it 
> packaged. I think it would add a lot to IPA and the community in 
> general. But if you add up the time to finish the functionality, write 
> unit tests, get it reviewed, get it packaged it's still a chunk of work 
> despite the fact a large part of it is already written and working.

I like this, but too late in the process, I would like to have it in 3.0
though.

> Bottom line, I don't think we'll be supporting forms based auth anytime 
> soon unless I've missed some easy way to get a ticket for a user from 
> inside Python code.

kinit, ugly but will work I think.

> P.S.: Since IPA is based on Kerberos and IPA is written in Python it 
> would seem to make sense to have a decent Python binding for Kerberos.

It does.

> Thoughts? Comments?

I think 'kinit' for now, and your new bindings for 3.0 would be the
'right' answer.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list