{ "info": { "author": "Nathaniel McCallum, Robbie Harwood, Christian Heimes, Nalin Dahyabhai", "author_email": "npmccallum@redhat.com, rharwood@redhat.com, cheimes@redhat.com, nalin@redhat.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 5 - Production/Stable", "Environment :: Web Environment", "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", "Operating System :: OS Independent", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Topic :: Internet :: Proxy Servers" ], "description": "Welcome to kdcproxy!\n====================\n\nThis package contains a WSGI module for proxying KDC requests over HTTP by\nfollowing the [MS-KKDCP] protocol. It aims to be simple to deploy, with\nminimal configuration.\n\nDeploying kdcproxy\n==================\n\nThe kdcproxy module follows the standard WSGI protocol for deploying Python\nweb applications. This makes configuration simple. Simply load up your favorite\nWSGI-enabled web server and point it to the module. For example, if you wish\nto use mod_wsgi, try something like this::\n\n WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=1000 \\\n display-name=%{GROUP}\n WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \\\n process-group=kdcproxy application-group=kdcproxy\n WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py\n WSGIScriptReloading Off\n\n \n Satisfy Any\n Order Deny,Allow\n Allow from all\n WSGIProcessGroup kdcproxy\n WSGIApplicationGroup kdcproxy\n \n\n[MS-KKDCP] suggests /KdcProxy as end point. For more information, see the\ndocumentation of your WSGI server.\n\n\nConfiguring kdcproxy\n====================\n\nWhen kdcproxy receives a request, it needs to know where to proxy it to. This\nis the purpose of configuration: discovering where to send kerberos requests.\n\nOne important note: where the underlying configuration does not specify TCP or\nUDP, both will be attempted. TCP will be attempted before UDP. This permits the\nuse of longer timeouts and prevents possible lockouts when the KDC packets\ncontain OTP token codes (which should preferably be sent to only one server).\n\nAutomatic Configuration\n-----------------------\nBy default, no configuration is necessary. In this case, kdcproxy will use\nREALM DNS SRV record lookups to determine remote KDC locations.\n\nMaster Configuration File\n-------------------------\nIf you wish to have more detailed configuration, the first place you can\nconfigure kdcproxy is the master configuration file. This file exists at the\nlocation specified in the environment variable KDCPROXY_CONFIG. If this\nvariable is unspecified, the default location is /etc/kdcproxy.conf. This\nconfiguration file takes precedence over all other configuration modules. This\nfile is an ini-style configuration with a special section **[global]**. Two\nparameters are available in this section: **configs** and **use_dns**.\n\nThe **use_dns** allows you to enable or disable use of DNS SRV record lookups.\n\nThe **configs** parameter allows you to load other configuration modules for\nfinding configuration in other places. The configuration modules specified in\nhere will have priority in the order listed. For instance, if you wished to\nread configuration from MIT libkrb5, you would set the following:\n\n [global]\n configs = mit\n\nAside from the **[global]** section, you may also specify manual configuration\nfor realms. In this case, each section is the name of the realm and the\nparameters are **kerberos** or **kpasswd**. These specify the locations of the\nremote servers for krb5 AS requests and kpasswd requests, respectively. For\nexample:\n\n [EXAMPLE.COM]\n kerberos = kerberos+tcp://kdc.example.com:88\n kpasswd = kpasswd+tcp://kpasswd.example.com:464\n\nThe realm configuration parameters may list multiple servers separated by a\nspace. The order the realms are specified in will be respected by kdcproxy when\nforwarding requests. The port number is optional. Possible schemes are:\n\n* kerberos://\n* kerberos+tcp://\n* kerberos+udp://\n* kpasswd://\n* kpasswd+tcp://\n* kpasswd+udp://\n\nMIT libkrb5\n-----------\n\nIf you load the **mit** config module in the master configuration file,\nkdcproxy will also read the config using libkrb5 (usually /etc/krb5.conf). If\nthis module is used, kdcproxy will respect the DNS settings from the\n**[libdefaults]** section and the realm configuration from the **[realms]**\nsection.\n\nFor more information, see the documentation for MIT's krb5.conf.\n\nConfiguration reloading\n-----------------------\n\nkdcproxy reads its configurtion files when package is imported and a global\nWSGI application object is instantiated. For now kdcproxy does neither\nmonitor its configuration files for changes nor supports runtime updates. You\nhave to restart the WSGI process to make modification available. With Apache\nHTTP and mod_wsgi, a reload of the server also restarts all WSGI daemons.\n\n\nConfiguring a client for kdcproxy\n=================================\n\nHTTPS proxy support is available since Kerberos 5 release 1.13. Some\nvendors have backported the feature to older versions of krb5, too. In order\nto use a HTTPS proxy, simply point the kdc and kpasswd options to the proxy URL like\nexplained in [HTTPS proxy] configuration guide. Your ``/etc/krb5.conf`` may\nlook like this::\n\n [libdefaults]\n default_realm = EXAMPLE.COM\n\n [realms]\n EXAMPLE.COM = {\n http_anchors = FILE:/etc/krb5/cacert.pem\n kdc = https://kerberos.example.com/KdcProxy\n kpasswd_server = https://kerberos.example.com/KdcProxy\n }\n\n\nTo debug the feature, set the environment variable ``KRB5_TRACE`` to\n``/dev/stdout``. When the feature is correctly configured, you should see\ntwo POST requests in the access log of the WSGI server and a line containing\n``Sending HTTPS request`` in the debug output of kinit::\n\n $ env KRB5_TRACE=/dev/stdout kinit user\n [1037] 1431509096.26305: Getting initial credentials for user@EXAMPLE.COM\n [1037] 1431509096.26669: Sending request (169 bytes) to EXAMPLE.COM\n [1037] 1431509096.26939: Resolving hostname kerberos.example.com\n [1037] 1431509096.34377: TLS certificate name matched \"kerberos.example.com\"\n [1037] 1431509096.38791: Sending HTTPS request to https 128.66.0.1:443\n [1037] 1431509096.46387: Received answer (344 bytes) from https 128.66.0.1:443\n [1037] 1431509096.46411: Terminating TCP connection to https 128.66.0.1:443\n ...\n\nIf kinit still connects to port 88/TCP or port 88/UDP, then System Security\nServices Daemon's Kerberos locator plugin might override the settings in\n/etc/krb5.conf. With the environment variable ``SSSD_KRB5_LOCATOR_DEBUG=1``,\nkinit and sssd_krb5_locator_plugin print out additional debug information. To\ndisable the KDC locator feature, edit ``/etc/sssd/sssd.conf`` and set\n``krb5_use_kdcinfo`` to False:\n\n [domain/example.com]\n krb5_use_kdcinfo = False\n\nDon't forget to restart SSSD!\n\n[MS-KKDCP]: http://msdn.microsoft.com/en-us/library/hh553774.aspx\n\n[HTTPS Proxy]: http://web.mit.edu/kerberos/krb5-current/doc/admin/https.html\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://github.com/npmccallum/kdcproxy", "keywords": "krb5 proxy http https kerberos", "license": "MIT", "maintainer": "", "maintainer_email": "", "name": "kdcproxy", "package_url": "https://pypi.org/project/kdcproxy/", "platform": "", "project_url": "https://pypi.org/project/kdcproxy/", "project_urls": { "Homepage": "http://github.com/npmccallum/kdcproxy" }, "release_url": "https://pypi.org/project/kdcproxy/0.4.2/", "requires_dist": null, "requires_python": "", "summary": "A kerberos KDC HTTP proxy WSGI module.", "version": "0.4.2" }, "last_serial": 5756142, "releases": { "0.3.1": [ { "comment_text": "", "digests": { "md5": "a7a2851d3789f26b31e5ef0f375e23de", "sha256": "1ef09ba79555761682680cd2d48a681d0b71ebd616ff577b05baac175609f16d" }, "downloads": -1, "filename": "kdcproxy-0.3.1.tar.gz", "has_sig": false, "md5_digest": "a7a2851d3789f26b31e5ef0f375e23de", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12220, "upload_time": "2015-07-22T17:04:09", "url": "https://files.pythonhosted.org/packages/47/e1/a7a81655c9f7146314913d1ebd81e8e1dd0e501f19e4df19086240211ee2/kdcproxy-0.3.1.tar.gz" } ], "0.4": [ { "comment_text": "", "digests": { "md5": "250767b630ed1331d8b27a290bc8c28e", "sha256": "e99b4be867f76f5b4f4544819fd1d2d09c7d666d0bf3d1e600569fa93c687a87" }, "downloads": -1, "filename": "kdcproxy-0.4.tar.gz", "has_sig": false, "md5_digest": "250767b630ed1331d8b27a290bc8c28e", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 22387, "upload_time": "2018-08-08T21:47:55", "url": "https://files.pythonhosted.org/packages/63/58/d47ee2f080a5a9c4dbaac5f78ed3059e68f75d28bda49c953e201bdeee52/kdcproxy-0.4.tar.gz" } ], "0.4.1": [ { "comment_text": "", "digests": { "md5": "10100743e1f5c1e2d481bb6022f71915", "sha256": "708ec293e078ff441964170474633e63a7adfbb45d2ce175c46340aef24f7658" }, "downloads": -1, "filename": "kdcproxy-0.4.1.tar.gz", "has_sig": false, "md5_digest": "10100743e1f5c1e2d481bb6022f71915", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 22402, "upload_time": "2019-02-11T16:13:17", "url": "https://files.pythonhosted.org/packages/e7/e3/68aa6a9394aa8208512253c19a5248086d1459d37b45f79b6a94b008f700/kdcproxy-0.4.1.tar.gz" } ], "0.4.2": [ { "comment_text": "", "digests": { "md5": "9be62ffe82cd481ecedf97d8b9a37695", "sha256": "9c8f6949c5b0f28861b0a24a6f12c2f0dca52780826ab1211136037f5dc0e4f7" }, "downloads": -1, "filename": "kdcproxy-0.4.2.tar.gz", "has_sig": false, "md5_digest": "9be62ffe82cd481ecedf97d8b9a37695", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 22475, "upload_time": "2019-08-29T18:41:04", "url": "https://files.pythonhosted.org/packages/1a/fc/79db7b0e20525fd302c8a1a345a7857899a2b67462c2f22f16e8cfed8085/kdcproxy-0.4.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "9be62ffe82cd481ecedf97d8b9a37695", "sha256": "9c8f6949c5b0f28861b0a24a6f12c2f0dca52780826ab1211136037f5dc0e4f7" }, "downloads": -1, "filename": "kdcproxy-0.4.2.tar.gz", "has_sig": false, "md5_digest": "9be62ffe82cd481ecedf97d8b9a37695", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 22475, "upload_time": "2019-08-29T18:41:04", "url": "https://files.pythonhosted.org/packages/1a/fc/79db7b0e20525fd302c8a1a345a7857899a2b67462c2f22f16e8cfed8085/kdcproxy-0.4.2.tar.gz" } ] }