SkillAgentSearch skills...

Winkerberos

A native Kerberos client implementation for Python on Windows

GenerateConvertImprove

Install / Use

/learn @mongodb/Winkerberos
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

=========== WinKerberos

:Info: See github <https://github.com/mongodb-labs/winkerberos>_ for the latest source. :Author: Bernie Hackett bernie@mongodb.com

About

A native Kerberos client implementation for Python on Windows. This module mimics the API of pykerberos <https://pypi.python.org/pypi/pykerberos>_ to implement Kerberos authentication with Microsoft's Security Support Provider Interface (SSPI). It supports Python 3.10+.

Installation

WinKerberos is in the Python Package Index (pypi) <https://pypi.python.org/pypi/winkerberos>. Use pip <https://pypi.python.org/pypi/pip> to install it::

python -m pip install winkerberos

WinKerberos requires Windows 7 / Windows Server 2008 R2 or newer.

Building and installing from source

You must have the correct version of VC++ installed for your version of Python:

  • Python 3.10+ - Visual Studio 2015+ (Any version)

Once you have the required compiler installed, run the following command from the root directory of the WinKerberos source::

pip install .

Building HTML documentation

First install Sphinx <https://pypi.python.org/pypi/Sphinx>_::

python -m pip install Sphinx

Then run the following command from the root directory of the WinKerberos source::

pip install -e .
python -m sphinx -b html doc doc/_build

Examples

This is a simplified example of a complete authentication session following RFC-4752, section 3.1:

.. code-block:: python

import winkerberos as kerberos


def send_response_and_receive_challenge(response):
    # Your server communication code here...
    pass


def authenticate_kerberos(service, user, channel_bindings=None):
    # Initialize the context object with a service principal.
    status, ctx = kerberos.authGSSClientInit(service)

    # GSSAPI is a "client goes first" SASL mechanism. Send the
    # first "response" to the server and receive its first
    # challenge.
    if channel_bindings is not None:
        status = kerberos.authGSSClientStep(ctx, "", channel_bindings=channel_bindings)
    else:
        status = kerberos.authGSSClientStep(ctx, "")
    response = kerberos.authGSSClientResponse(ctx)
    challenge = send_response_and_receive_challenge(response)

    # Keep processing challenges and sending responses until
    # authGSSClientStep reports AUTH_GSS_COMPLETE.
    while status == kerberos.AUTH_GSS_CONTINUE:
        if channel_bindings is not None:
            status = kerberos.authGSSClientStep(
                ctx, challenge, channel_bindings=channel_bindings
            )
        else:
            status = kerberos.authGSSClientStep(ctx, challenge)

        response = kerberos.authGSSClientResponse(ctx) or ""
        challenge = send_response_and_receive_challenge(response)

    # Decrypt the server's last challenge
    kerberos.authGSSClientUnwrap(ctx, challenge)
    data = kerberos.authGSSClientResponse(ctx)
    # Encrypt a response including the user principal to authorize.
    kerberos.authGSSClientWrap(ctx, data, user)
    response = kerberos.authGSSClientResponse(ctx)

    # Complete authentication.
    send_response_and_receive_challenge(response)

Channel bindings can be generated with help from the cryptography_ module. See <https://tools.ietf.org/html/rfc5929#section-4.1>_ for the rules regarding hash algorithm choice:

.. code-block:: python

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes


def channel_bindings(ssl_socket):
    server_certificate = ssl_socket.getpeercert(True)
    cert = x509.load_der_x509_certificate(server_certificate, default_backend())
    hash_algorithm = cert.signature_hash_algorithm
    if hash_algorithm.name in ("md5", "sha1"):
        digest = hashes.Hash(hashes.SHA256(), default_backend())
    else:
        digest = hashes.Hash(hash_algorithm, default_backend())
    digest.update(server_certificate)
    application_data = b"tls-server-end-point:" + digest.finalize()
    return kerberos.channelBindings(application_data=application_data)

.. _cryptography: https://pypi.python.org/pypi/cryptography

Viewing API Documentation without Sphinx

Use the help function in the python interactive shell:

.. code-block:: pycon

>>> import winkerberos
>>> help(winkerberos)

Related Skills

node-connect

349.2k

Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps

claude-opus-4-5-migration

109.5k

Migrate prompts and code from Claude Sonnet 4.0, Sonnet 4.5, or Opus 4.1 to Opus 4.5

frontend-design

109.5k

Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.

model-usage

349.2k

Use CodexBar CLI local cost usage to summarize per-model usage for Codex or Claude, including the current (most recent) model or a full model breakdown. Trigger when asked for model-level usage/cost data from codexbar, or when you need a scriptable per-model summary from codexbar cost JSON.

mongodb

View profile

View on GitHub
GitHub Stars57
CategoryDevelopment
Updated23d ago
Forks15
mongodb/winkerberos

Languages

C

Security Score

100/100

Audited on Mar 13, 2026

No findings