kerberos with urllib2 proof of concept

Tim Olsen tim at brooklynpenguin.com
Tue Jun 24 14:43:10 CDT 2008


Martin Scholl inquired a few months ago whether kerberos HTTP
authentication support was planned [1].  Ezra Smith had replied back
that he had tried to do NTLM authentication (which also uses Negotiate)
but couldn't get it to work using urllib2 because it required a
persistent connection [2].

I have succeeded in authenticating to a kerberized HTTP server using
urllib2 and the pykerberos library from Apple [3, 4].  A proof of
concept script is attached.  To run it, pass the kerberos-protected url
you would like to fetch as a command-line argument to the script.

It appears that unlike NTLM authentication, kerberos only requires one
401 response before giving back a 200.  That may be a reason that
kerberos auth is possible with urllib2, but NTLM is not.

I'm going to see now if I can write a plugin to add kerberos support to
mercurial.  I'm fairly new to python so it could take me a while ;-)

Cheers,
Tim

[1] http://selenic.com/pipermail/mercurial/2008-March/018191.html
[2] http://selenic.com/pipermail/mercurial/2008-March/018217.html
[3] http://trac.calendarserver.org/browser/PyKerberos/trunk
[4] http://packages.debian.org/search?keywords=python-kerberos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http_negotiate_auth_handler.py
Type: text/x-python
Size: 4148 bytes
Desc: not available
Url : http://selenic.com/pipermail/mercurial/attachments/20080624/ec728dbb/attachment.py 


More information about the Mercurial mailing list