### Channel Bindings Generation Example Source: https://github.com/mongodb/winkerberos/blob/master/README.rst Example of generating channel bindings with help from the cryptography module. ```python from cryptography import x509 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes def channel_bindings(ssl_socket): server_certificate = ssl_socket.getpeercert(True) cert = x509.load_der_x509_certificate(server_certificate, default_backend()) hash_algorithm = cert.signature_hash_algorithm if hash_algorithm.name in ("md5", "sha1"): digest = hashes.Hash(hashes.SHA256(), default_backend()) else: digest = hashes.Hash(hash_algorithm, default_backend()) digest.update(server_certificate) application_data = b"tls-server-end-point:" + digest.finalize() return kerberos.channelBindings(application_data=application_data) ``` -------------------------------- ### Complete Authentication Session Example Source: https://github.com/mongodb/winkerberos/blob/master/doc/index.rst A simplified example of a complete authentication session following RFC-4752, section 3.1. ```python import winkerberos as kerberos def send_response_and_receive_challenge(response): # Your server communication code here... pass def authenticate_kerberos(service, user, channel_bindings=None): # Initialize the context object with a service principal. status, ctx = kerberos.authGSSClientInit(service) # GSSAPI is a "client goes first" SASL mechanism. Send the # first "response" to the server and receive its first # challenge. if channel_bindings is not None: status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings) else: status = kerberos.authGSSClientStep(ctx, "") response = kerberos.authGSSClientResponse(ctx) challenge = send_response_and_receive_challenge(response) # Keep processing challenges and sending responses until # authGSSClientStep reports AUTH_GSS_COMPLETE. while status == kerberos.AUTH_GSS_CONTINUE: if channel_bindings is not None: status = kerberos.authGSSClientStep( ctx, "", channel_bindings=channel_bindings ) else: status = kerberos.authGSSClientStep(ctx, "") response = kerberos.authGSSClientResponse(ctx) or "" challenge = send_response_and_receive_challenge(response) # Decrypt the server's last challenge kerberos.authGSSClientUnwrap(ctx, challenge) data = kerberos.authGSSClientResponse(ctx) # Encrypt a response including the user principal to authorize. kerberos.authGSSClientWrap(ctx, data, user) response = kerberos.authGSSClientResponse(ctx) # Complete authentication. send_response_and_receive_challenge(response) ``` -------------------------------- ### Complete Authentication Session Example Source: https://github.com/mongodb/winkerberos/blob/master/README.rst A simplified example of a complete authentication session following RFC-4752, section 3.1. ```python import winkerberos as kerberos def send_response_and_receive_challenge(response): # Your server communication code here... pass def authenticate_kerberos(service, user, channel_bindings=None): # Initialize the context object with a service principal. status, ctx = kerberos.authGSSClientInit(service) # GSSAPI is a "client goes first" SASL mechanism. Send the # first "response" to the server and receive its first # challenge. if channel_bindings is not None: status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings) else: status = kerberos.authGSSClientStep(ctx, "") response = kerberos.authGSSClientResponse(ctx) challenge = send_response_and_receive_challenge(response) # Keep processing challenges and sending responses until # authGSSClientStep reports AUTH_GSS_COMPLETE. while status == kerberos.AUTH_GSS_CONTINUE: if channel_bindings is not None: status = kerberos.authGSSClientStep( ctx, challenge, channel_bindings=channel_bindings ) else: status = kerberos.authGSSClientStep(ctx, challenge) response = kerberos.authGSSClientResponse(ctx) or "" challenge = send_response_and_receive_challenge(response) # Decrypt the server's last challenge kerberos.authGSSClientUnwrap(ctx, challenge) data = kerberos.authGSSClientResponse(ctx) # Encrypt a response including the user principal to authorize. kerberos.authGSSClientWrap(ctx, data, user) response = kerberos.authGSSClientResponse(ctx) # Complete authentication. send_response_and_receive_challenge(response) ``` -------------------------------- ### Viewing API Documentation Source: https://github.com/mongodb/winkerberos/blob/master/README.rst How to view API documentation using the help function in the python interactive shell. ```pycon >>> import winkerberos >>> help(winkerberos) ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.