[PATCH 0 of 1] Kerberos authentication support
hg at hstuart.dk
Fri Aug 7 11:15:38 CDT 2009
The following patch adds support for Kerberos authentication, but I do
not think it should go in crew just yet. Consider this post a
solicitation for a more extensive test than the one I have performed.
I would, in particular, like for this to be tested on MIT Kerberos
domains (as opposed to Active Directory domains where I have primarily
performed my tests; I've had MIT Kerberos clients, but not KDCs).
Kerberos authentication support is implemented by using existing
libraries: either sspi.py (from pywin32 on Windows) or PyKerberos
(using MIT's krb5 libraries). In particular, PyKerberos only wraps a
small subset of GSSAPI functionality, so obtaining credentials are
outside the scope of that module (whereas sspi.py can do it just
fine). I have also looked at pygss (from sourceforge) and Python-Krb5
to see whether they would be better fits, but neither seem to support
enough of the GSSAPI yet.
I have yet to test delegation support. There might be some tweaks
I have opted to make it an extension as it requires extra modules that
aren't part of the standard library. Eventually, it would probably be
nice to have this as a core functionality, as Kerberos is extensively
used in corporations, but for now it would be nice to have support for
Kerberos at all.
It would be very nice if people on Kerberos domains (realms) could
test this so it can hopefully become a part of Mercurial by version
More information about the Mercurial-devel