Notes
The MIT Kerberos C API is based on some rather ancient C patterns. I believe a pythonic API should look rather different, so expect this API to only follow the MIT Kerberos API in very broad strokes. The internals of the implementation will use terminology from RFC 4120 to whatever extent is possible.
- credential cache
- keytab
- acquiring initial tickets
- acquiring service tickets
- verifying service tickets
- mk_priv
- mk_safe
- forwarding credentials
- configuration (defaults, enctypes, name conversion, realms, domain-to-realm mappings, capaths, etc.)
- UDP transport
- TCP transport
- ASN.1
- host addresses
- preauth types
- hashing and encryption (etypes, encryption methods, checksum methods)
Pure Python. This is complicated by the need to use crypto; ideally, provide simple pure Python implementations for commonly used cryptosystems, but provide callouts to commonly available Python libraries for more algorithms or better performance.
Doing simple things with the API should be simple. Most clients today do not use the API directly, but instead layer on top of one or more of GSSAPI, SASL, or SPNEGO, so there should be straightforward pythonic APIs for performing typical operations using those protocols.
The basic suite of Kerberos user-facing apps should also be available: kinit, klist, kdestroy, etc.
Be transport-agnostic, but not to the point of unusability. Simple things should be simple first, but to the extent that platforms like Twisted can use this, even better.
https://github.com/mhorowitz/pykrb5
http://www.ietf.org/rfc/rfc4120.txt
http://sourceforge.net/projects/pydes/
http://sourceforge.net/projects/pyasn1/
https://github.com/thisismedium/python-sasl
http://code.google.com/p/slowaes/