
I am writing a small Python utility that stores a Kerberos v5 keytab in a StringIO object. I want to avoid storing said keytab anywhere on the machine's disk.

Therefore, I would very much like to invoke kinit like this (split() and subprocess() to follow):

command = "/usr/bin/kinit -V -c {0} -t {1} {2}@{3}".format(cache, ticket, loginUser, kerberosDomain)

where the ticket is:

ticket = StringIO.StringIO(data)

But kinit doesn't really like it. Its source file says:

925    /* Ensure we can be driven from a pipe */

Does anyone have experience with driving kinit from a pipe, and specifically how to inject the ticket into (presumably) its stdin?

Alternatively, can a StringIO be wrapped into something like mmap to behave like a "real" file to kinit?

Thanks!

PS: A very interesting discussion I read as I was posting this question: Python - How do I pass a string into subprocess.Popen (using the stdin argument)?
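One way to hand in-memory keytab bytes to a child process such as kinit without ever writing a disk file, as an added example that is not part of the original question: expose the buffer as a /dev/fd/N path the child inherits, backed by a RAM-only memfd where the OS offers one and by a pipe elsewhere. The kinit argv shape is the one from the question, while the stand-in reader, the principal and the keytab bytes are constructed; whether MIT kinit will read a keytab from a non-seekable pipe is not verified here, which is why the seekable memfd is preferred.

```python
import os
import subprocess
import sys

# Constructed stand-in for keytab bytes (NOT a real keytab; real ones begin
# with the 0x05 0x02 version marker and are parsed by the Kerberos library).
FAKE_KEYTAB = b"\x05\x02" + b"constructed-keytab-payload-for-demo"


def run_with_memory_file(argv_template, data, prefer_memfd=True):
    """Run argv_template with `data` reachable at a /dev/fd/N path, never on disk.

    "{path}" inside argv_template is replaced by that path.
    Returns (returncode, stdout_bytes).
    """
    writer = None
    if prefer_memfd and hasattr(os, "memfd_create"):
        # Linux 3.17+: anonymous RAM-backed file. It is seekable, so it behaves
        # like a regular file for a reader such as a keytab parser.
        child_fd = os.memfd_create("keytab")
        os.write(child_fd, data)
        os.lseek(child_fd, 0, os.SEEK_SET)
    else:
        # Portable fallback (e.g. macOS): a pipe. Not seekable, so it only
        # suits readers that consume the file strictly sequentially.
        child_fd, writer = os.pipe()
    path = "/dev/fd/%d" % child_fd
    argv = [arg.replace("{path}", path) for arg in argv_template]
    # pass_fds keeps only child_fd open in the child; the write end stays private.
    proc = subprocess.Popen(argv, pass_fds=(child_fd,),
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    os.close(child_fd)  # the child now holds its own copy
    if writer is not None:
        os.write(writer, data)  # fine for keytab-sized data (a few KB)
        os.close(writer)        # delivers EOF to the child
    out, _err = proc.communicate()
    return proc.returncode, out


def kinit_argv(cache, principal):
    """argv for the question's kinit call, with the keytab path as a placeholder."""
    return ["/usr/bin/kinit", "-V", "-c", cache, "-t", "{path}", principal]


def demo(prefer_memfd=True):
    """Use a Python one-liner as a stand-in reader so the example runs anywhere."""
    reader = [sys.executable, "-c",
              "import sys; sys.stdout.buffer.write(open(sys.argv[1], 'rb').read())",
              "{path}"]
    return run_with_memory_file(reader, FAKE_KEYTAB, prefer_memfd)
```

To drive the real binary, pass `kinit_argv(cache, "user@REALM")` and the keytab bytes to `run_with_memory_file` instead of the stand-in reader.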

  • If you are so paranoid about storing a keytab on disk, why use a shared cache, instead of creating private Kerberos tickets on the fly? _(and BTW I suppose that you don't use the default `FILE:` cache, but instead something like `KEYRING:`...)_ – Samson Scharfrichter May 13 '17 at 16:17
  • @samson-scharfrichter Processes in the same API:// cache need to access the ticket from the context of the logged-in $user, as this is on macOS. macOS has its own security model when it comes to who can access what in terms of Kerberos ([link](https://developer.apple.com/library/content/technotes/tn2083/_index.html#//apple_ref/doc/uid/DTS10003794-CH1-SECTION9)). The above script is invoked in a similar context. – Virgil Gheorghiu May 15 '17 at 17:41
  • Some people don't bother with `kinit` and create/cache the ticket with a pure Python interface, cf. http://stackoverflow.com/questions/43786908/java-gss-api-service-ticket-not-saved-in-credentials-cache-using-java – Samson Scharfrichter May 15 '17 at 20:10
  • @samson-scharfrichter Yup, I was looking into a Python-only GSS interface since I would love to use that (and it'll likely satisfy the StringIO requirement above), but what I found [link](https://pypi.python.org/pypi/kerberos) for Python-2.7: 1) is poorly documented, 2) seems to be aimed at authenticating against Apache https protected via kerberos (with auth redirects) and 3) does not take a credentials ticket but a plaintext username and password. :-( – Virgil Gheorghiu May 15 '17 at 23:30

0 Answers