diff --git a/docs/html/cli/pip_install.rst b/docs/html/cli/pip_install.rst
index cfff4f7e270..3280ea787f4 100644
--- a/docs/html/cli/pip_install.rst
+++ b/docs/html/cli/pip_install.rst
@@ -225,6 +225,28 @@ overridden by using ``--cert`` option or by using ``PIP_CERT``,
``REQUESTS_CA_BUNDLE``, or ``CURL_CA_BUNDLE`` environment variables.
+.. _`Kerberos Authentication`:
+
+Kerberos Authentication
+-----------------------
+
+Starting with vXX.X, pip supports using a Kerberos ticket to authenticate
+with servers. To use Kerberos one must:
+
+- Install ``requests_kerberos`` into the same environment as ``pip`` (tested with 0.14.0).
+- Run ``pip`` with the flag ``--enable-kerberos``. Your system administrator
+ can also set this in the config files or an environment variable, see
+ :ref:`Configuration`.
+- Have a valid Kerberos ticket.
+
+Note that setting this flag *enforces* the connection uses Kerberos.
+
+Bugs reported with pip in relation to Kerberos will likely not
+be addressed directly by pip's maintainers. Pull Requests to fix Kerberos
+only bugs will be considered, and merged (subject to normal review processes).
+Note that there may be delays due to the lack of developer resources for
+reviewing such pull requests.
+
.. _`Caching`:
Caching
diff --git a/news/11090.feature.rst b/news/11090.feature.rst
new file mode 100644
index 00000000000..bbc7e80c1b8
--- /dev/null
+++ b/news/11090.feature.rst
@@ -0,0 +1 @@
+Add kerberos support for authentication with the ``--enable-kerberos`` flag.
diff --git a/src/pip/_internal/cli/cmdoptions.py b/src/pip/_internal/cli/cmdoptions.py
index c84ecabd380..a67399d5258 100644
--- a/src/pip/_internal/cli/cmdoptions.py
+++ b/src/pip/_internal/cli/cmdoptions.py
@@ -262,6 +262,16 @@ class PipOption(Option):
help="Disable prompting for input.",
)
+enable_kerberos: Callable[..., Option] = partial(
+ Option,
+ # Enable kerberos
+ "--enable-kerberos",
+ dest="enable_kerberos",
+ action="store_true",
+ default=False,
+ help="Enable Kerberos authentication.",
+)
+
proxy: Callable[..., Option] = partial(
Option,
"--proxy",
@@ -1027,6 +1037,7 @@ def check_list_path_option(options: Values) -> None:
quiet,
log,
no_input,
+ enable_kerberos,
proxy,
retries,
timeout,
diff --git a/src/pip/_internal/cli/req_command.py b/src/pip/_internal/cli/req_command.py
index aab177002d4..95a06cb9dfa 100644
--- a/src/pip/_internal/cli/req_command.py
+++ b/src/pip/_internal/cli/req_command.py
@@ -93,6 +93,7 @@ def _build_session(
retries=retries if retries is not None else options.retries,
trusted_hosts=options.trusted_hosts,
index_urls=self._get_index_urls(options),
+ enable_kerberos=options.enable_kerberos,
)
# Handle custom ca-bundles from the user
diff --git a/src/pip/_internal/network/session.py b/src/pip/_internal/network/session.py
index e2c8582e506..eb26f803c7b 100644
--- a/src/pip/_internal/network/session.py
+++ b/src/pip/_internal/network/session.py
@@ -266,6 +266,7 @@ def __init__(
cache: Optional[str] = None,
trusted_hosts: Sequence[str] = (),
index_urls: Optional[List[str]] = None,
+ enable_kerberos: bool = False,
**kwargs: Any,
) -> None:
"""
@@ -281,8 +282,23 @@ def __init__(
# Attach our User Agent to the request
self.headers["User-Agent"] = user_agent()
+ no_prompt = MultiDomainBasicAuth(prompting=False, index_urls=index_urls)
+ prompt = MultiDomainBasicAuth(prompting=True, index_urls=index_urls)
+ prompt.passwords = no_prompt.passwords # share same dict of passwords
+
# Attach our Authentication handler to the session
- self.auth = MultiDomainBasicAuth(index_urls=index_urls)
+ if enable_kerberos:
+ try:
+ from requests_kerberos import REQUIRED, HTTPKerberosAuth
+ except ImportError:
+ logger.critical(
+ "Are you sure you `requests_kerberos` and its dependencies "
+ "are available in the same environment as pip?"
+ )
+ raise
+ self.auth = HTTPKerberosAuth(REQUIRED)
+ else:
+ self.auth = MultiDomainBasicAuth(index_urls=index_urls)
# Create our urllib3.Retry instance which will allow us to customize
# how we handle retries.