- Fix up CredSSP acceptor when running with a LibreSSL based Python install (OpenBSD)
- Added official support for Python 3.13
- Import
ARC4cipher from the newdecrepitsmodule sub-package, this removes the warning issued in newer versions of thecryptographylibrary
- Support input password string encoded with the
surrogatepasserror option- This allows the caller to provide a password for a gMSA or machine account that could contain invalid surrogate pairs for both NTLM and Kerberos auth.
- Stop using deprecated
datetime.dateime.utcnow()for CredSSP acceptor context - Treat an empty string as a valid password,
Noneis kept as use the cached credential - Improve the exception shown when no password was provided and no cached credential was available
- Another rename of the
sspipackage dependency tosspilib
- Rename
sspipackage dependency tosspicto avoid conflicts with pywin32
- Drop support for Python 3.7 - new minimum is 3.8+
- Moved SSPI bindings out into a separate package called
sspi- This simplifies this project as it doesn't have to worry about SSPI correctness
- The
sspipackage improves performance and memory allocation with a more robust API - Fixes an issue with Cython 3 allowing it to align with more modern versions going forward
- Added Python 3.12 wheel for Windows
- Always set the
NTLMSSP_REQUEST_VERSIONflag on the NTLMNegotiatemessage- This aligns the behaviour with how SSPI generates this message
- Added the
spnego.ContextReq.dce_styleflag to enable DCE authentication mode- This is used in protocols like RPC/DCE
- The value for
spnego.iov.BufferType.sign_onlyon SSPI has changed from representingSECBUFFER_MECHLISTtoSECBUFFER_READONLY_WITH_CHECKSUM- This is to better match what
sign_onlymeans when using it with GSSAPI - It is needed to support RPC encryption and signature headers on SSPI
- The use of
SECBUFFER_MECHLISTis not seen in any examples in the wild and is most likely an internal flag
- This is to better match what
- Added the IOV buffer type
spnego.iov.BufferType.data_readonly- For SSPI this corresponds to
SECBUFFER_DATA | SECBUFFER_READONLY - For GSSAPI this corresponds to
GSS_IOV_BUFFER_TYPE_EMPTY - As GSSAPI has no actual equivalent to this the empty buffer type is used which in testing results in compatible buffers
- This is used for DCE/RPC wrapping when the PDU header and sec trailer are not signed but are included in the wrap_iov buffers.
- For SSPI this corresponds to
- Added limited support for
wrap_iovandunwrap_iovin the Python NTLM context provider.- This currently only supports
spnego.iov.BufferType.header,spnego.iov.BufferType.data,spnego.iov.BufferType.sign_only,spnego.iov.BufferType.data_readonly, andspnego.iov.BufferType.stream headerwrap_iov: Used to place the resulting signature in the bufferunwrap_iov: Used as the signature source for validation
datawrap_iov: Data to be encrypted/sealedunwrap_iov: Data to be decrypted/unsealed
sign_onlywrap_iov: Data to be included in the signature/header generationunwrap_iov: Data to be included in the signature/header verification
data_readonlyis treated the same assign_onlystreamwrap_iov: Not supportedunwrap_iov: Contains the full value to decrypt with the headers in the beginning, must be coupled with a subsequent data buffer of the typedatato place the decrypted value into
- The behaviour used here is modelled as closely as possible to how
SSPIworks but not all the permutations have been tested. - The header/signature will be generated from the
data,sign_only,data_readonlyvalues concat together in the order they are provided.
- This currently only supports
- Added the
query_message_sizes()function on a context to retrieve the important message sizes- Currently this only contains the size of the message
header, also known as the signature or security trailer
- Currently this only contains the size of the message
- Added the
spnego.ContextReq.no_integrityflag to disable integrity/confidentiality on Kerberos/Negotiate contexts- This is used by authentication contexts that need to disable integrity/confidentiality explicitly
- An example would be the LDAP SASL
GSS-SPNEGOwhere the context flags control the SSF flags
- Added optional kwargs to
step()on a security contextchannel_bindings- This can be used to supply the channel bindings when performing a context step rather than when creating the context
- Added support for decoding the following TLS payloads with
python -m spnego --token ...- Client Hello
- Server Hello
- Certificate
- Server Key Exchange
- Client Key Exchange
- Certificate Request
- Added the
new_context()method on the context proxies to provide an easy and efficient way to re-use the context credentials and options for a new context - Removed use of
gssntlmsspto simplify codebase and ensure a consistent experience across OS versions- Using NTLM on a non-Windows system will use the Python NTLM implementation instead
- Ignore
GSS_S_NO_CONTEXTerrors on GSSAPI after stepping through the token exchange before the context is complete- This is raised by MIT krb5 before 1.14.x and can be ignored
- Fix up sdist and wheels to include
py.typedtype annotation marker
- Added Python 3.11 wheel
- Drop support for Python 3.6 - new minimum is 3.7+
- Moved setuptools config into
pyproject.tomland madeCythona build requirement for Windows- For most users this is a hidden change
- If a tool follows the PEP 517 standard, like pip, this build dependency will work automatically
- The pre cythonised files are no longer included in the sdist going forward
- Fix str of enum values when running in Python 3.11 to be consistent with older versions
- Support
gssapion 1.5.x which comes with RHEL 8.
- Fix heap allocation errors when running with heap allocation monitoring on Windows
- Added custom MD4 hashing code for NTLM to use.
- Newer Linux distributions ship with OpenSSL 3.x which typically disables MD4 breaking the use of
hashlib.new('md4', b"") - Using this custom code allows NTLM to continue to work
- While it's bad to continue to use older hashing mechanisms in this case there is no valid alternative available
- Newer Linux distributions ship with OpenSSL 3.x which typically disables MD4 breaking the use of
- Call
gss_inquire_sec_context_by_oid(ctx, spnego_req_mechlistMIC_oid)when using pure NTLM over GSSAPI to ensure the token contains a MIC
- Added the
auth_stageextra_info for a CredSSP context to give a human friendly indication of what sub auth stage it is up to. - Added the
protocol_versionextra_info for a CredSSP context to return the negotiated CredSSP protocol version. - Added the
credssp_min_protocolkeyword argument for a CredSSP context to set a minimum version the caller will accept of the peer.- This can be set to
5+to ensure the peer supports and applies the mitigations for CVE-2018-0886.
- This can be set to
- Added safeguards when trying to retrieve the completed context attributes of
NegotiateProxybefore any contexts have been set up (#33)
- Add
usageargument fortls.default_tls_contextto control whether the context is for a initiator or acceptor - Add type annotations and include
py.typedin the package for downstream library use - Expose the
ContextProxyclass for type annotation use - Added
get_extra_infotoContextProxyto expose a common way to retrieve context specific information, this is currently used by CredSSP to retrieveclient_credential: The delegated client credential for acceptors once the context is completesslcontext: The SSL context used to create the TLS objectssl_object: The TLS object used during the CredSSP exchange
- The
client_credentialproperty onCredSSPhas been removed in favour of `context.get_extra_info('client_credential') - Added support for custom credential types
- Can be used to for things like NTLM authentication with NT/LM hashes, Kerberos with a keytab or from an explicit CCache, etc
- Support calling SSPI through
pyspnego's Negotiate proxy context- This allows users on Windows to still use Negotiate auth but with a complex set of credentials
- Also opens up the ability to use Negotiate but only with Kerberos auth
- The
usernameandpasswordproperty on the auth context object are deprecated and will returnNoneuntil it is removed in a future release
- Do not convert GSSAPI service to lowercase for GSSAPI and uppercase for SSPI
- SPNs are case insensitive on Windows but case sensitive on Linux
- Convering the service portion to upper or lower case could cause problems finding the target server on non-Windows GSSAPI implementations
- Changed project structure to a
srclayout - Include both Cython
pyx/pydandCfiles for SSPI in the sdist generated - Added Python 3.10 wheel
- Ensure bad SPNEGO token inputs are raised as
InvalidTokenErrorrather thanstruct.error
- Drop support for Python 2.7 and 3.5 - new minimum is 3.6+
- Made the
gss,negotiate,ntlm,sspiexports private, use thespnego.clientandspnego.serverfunctions instead- A deprecation warning is raised when importing from these package directly and this will be removed in the next major release
- Added support for CredSSP authentication using
protocol='credssp' - Allow optional keyword arguments to be used with
spnego.clientandspnego.serverto control authentication specific options
- Use Kerberos API to acquire Kerberos credential to get a forwardable token in a thread safe manner
- Fix default credential logic when no username is provided based on GSSAPI rules rather than just the default principal - #15
- Ignore SPNEGO
mechListMICif it contains the same value as theresponseTokendue to an old Windows SPNEGO logic bug - https://github.com/krb5/krb5/blob/3f5a348287646d65700854650fe668b9c4249013/src/lib/gssapi/spnego/spnego_mech.c#L3734-L3744 - Do not use SSPI when
auth='ntlm'and the password is in the form{lm_hash}:{nt_hash}
- This will be the last release that supports Python 2.7 and 3.5
- Change enum type of
iov.BufferTypetoIntEnumto fix load on Python 3.10 - #10 - Make
pyspnego-parseand entry point which uses__main__.pyin thespnegopackage- This allows Windows (and Linux) users to use the parser script by running
python -m spnego --token ...
- This allows Windows (and Linux) users to use the parser script by running
- Respect
NETBIOS_COMPUTER_NAMEwhen getting the workstation name for NTLM tokens. This matches the behaviour ofgss-ntlmsspto ensure a consistent approach.
- Only send
negState: request-micfor the first reply from an acceptor for Negotiate auth.- Strict interpretations of SPNEGO will fail if the initiator sends this state as it is against the RFC.
- Added Python 3.9 to CI and build Windows wheel for this version
- Fix up WinRM wrapping on SSPI
- Include the cython files in the built sdist
Initial release of pyspnego
- Added the
wrap_winrmandunwrap_winrmmethods to a context to cover the complexity of WinRM wrapping - Re-added
ContextReq.delegate_policyand just make it optional based on the python-gssapi version installed
- Remove
ContextReq.delegate_policybecause python-gssapi does not support flags that they do not define
- Ensure any explicit Kerberos credentials have the
forwardableflags set whenContextReq.delegateis requested - Fix protocol check to use the options passed in by the caller
- Expanded
pyspnego-parsehelp messages a bit more - Added the
yamlextras group to installruamel.yamlwhich is an optional feature forpyspengo-parse
- Fix context has been set up check on Windows initiator when running against localhost
- Ensure built wheels are not built with
linetrace=Truewhich breaks debugging in PyCharm
First beta release of pyspnego.