stanford.green.kerberos

Library to manage Kerberos tickets

Overview

Use stanford.green.kerberos to provision and maintain a Kerberos ticket cache. It uses the filelock Python package to prevent two instances from writing to the same ticket cache at the same time.

The kinit executable must be installed for this package to work.

Examples

Simple example:

from stanford.green.kerberos import KerberosTicket

keytab_path = "/etc/krb5.keytab"
principal   = "host/myserver.stanford.edu@stanford.edu"
# ticket_file is a required argument (see the class signature below);
# this path is an example value.
ticket_file = "/tmp/krb5cc_myserver"

kt = KerberosTicket(keytab_path, principal, ticket_file, age_limit_seconds=30)
kt.create_ticket_file()
# You now have a valid Kerberos context with the Kerberos ticket
# file pointed to by the KRB5CCNAME environment variable.

# Clean up the ticket file:
kt.cleanup()

class stanford.green.kerberos.KerberosTicket(keytab_path: str, kprincipal: str, ticket_file: str, ticket_lock_file: str | None = None, age_limit_seconds: int = 300, verbose: bool = False)

A Kerberos ticket object.

Initialization requires the keytab file path and the principal name.

The ticket lockfile location defaults to the ticket filename suffixed with “.lock”.

cleanup() → None

Remove the Kerberos ticket and lock files.

create_ticket_file() → None

Create/update the Kerberos ticket file (if needed).

Create/update the Kerberos ticket file, but only if the ticket file needs to be renewed. Also set the environment variable KRB5CCNAME to point to the Kerberos ticket file.

The path to the ticket file comes from self.keytab_path.

This method only creates the ticket file if it can acquire the ticket lock file.

ticket_file_needs_updating() → bool

Return true if the Kerberos ticket file needs updating, false otherwise.

The Kerberos ticket file needs updating in the following cases:
  • it does not already exist;

  • it does exist but is empty;

  • it does exist but is too old. The ticket file is too old if the current ticket file is more than self.age_limit_seconds seconds old.
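The three-case freshness check and the lock-guarded refresh described above, written out as an added example; this is not the library's own code. It assumes a ticket file's age is measured from its modification time, uses fcntl.flock from the standard library as a stand-in for the filelock package (Unix only), and the function names are hypothetical.

```python
import fcntl
import os
import subprocess
import time


def needs_updating(ticket_file, age_limit_seconds, now=None):
    """True if the ticket file is missing, empty, or too old."""
    try:
        st = os.stat(ticket_file)
    except FileNotFoundError:
        return True                      # case 1: does not exist
    if st.st_size == 0:
        return True                      # case 2: exists but is empty
    now = time.time() if now is None else now
    # case 3: too old (assumption: age is measured from mtime)
    return (now - st.st_mtime) > age_limit_seconds


def kinit_from_keytab(keytab_path, principal, ticket_file):
    """Acquire a ticket non-interactively from a keytab into ticket_file."""
    subprocess.run(
        ["kinit", "-k", "-t", keytab_path, "-c", ticket_file, principal],
        check=True,
    )


def refresh_if_needed(ticket_file, age_limit_seconds, acquire, lock_file=None):
    """Run acquire(ticket_file) under an exclusive lock, only if needed.

    Returns True if a refresh happened. The freshness check runs while
    the lock is held, so a process that waited for the lock does not
    repeat a refresh another process has just completed.
    """
    lock_file = lock_file or ticket_file + ".lock"
    fd = os.open(lock_file, os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)   # blocks until no other writer holds it
        refreshed = needs_updating(ticket_file, age_limit_seconds)
        if refreshed:
            acquire(ticket_file)
        os.environ["KRB5CCNAME"] = ticket_file
        return refreshed
    finally:
        os.close(fd)                     # closing the descriptor releases the lock
```

In real use, `acquire` would be a small wrapper that calls `kinit_from_keytab` with the keytab path and principal; passing it in as a parameter lets the locking and freshness logic be exercised without a KDC.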