oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
168c9202f3e667693b0fd4cd25db14759f1a4308
heimdal/tests/kdc/check-kdc.in
Love Hörnquist Åstrand 168c9202f3 test cross realm and deleted user 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17605 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-06-01 17:53:00 +00:00

232 lines
7.2 KiB
Bash
Raw Blame History

#!/bin/sh
#
# Copyright (c) 2006 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
srcdir="@srcdir@"
objdir="@objdir@"
R=EXAMPLE.ORG
R2=EXAMPLE.COM
port=8888
kadmin="../../kadmin/kadmin -l -r $R"
kdc="../../kdc/kdc --addresses=localhost -P $port"
server=host/datan.example.org
server2=host/computer.example.com
cache="FILE:${objdir}/cache.krb5"
keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
kinit="../../kuser/kinit -c $cache --no-afslog"
klist="../../kuser/klist -c $cache"
kgetcred="../../kuser/kgetcred -c $cache"
kdestroy="../../kuser/kdestroy -c $cache"
ktutil="../../admin/ktutil"
hxtool="../../lib/hx509/hxtool"
KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG
rm -f ${keytabfile}
rm -f current-db*
rm -f out-*
rm -f mkey.file*
echo Creating database
${kadmin} \
init \
--realm-max-ticket-life=1day \
--realm-max-renewable-life=1month \
${R} || exit 1
${kadmin} \
init \
--realm-max-ticket-life=1day \
--realm-max-renewable-life=1month \
${R2} || exit 1
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} add -p bar --use-defaults bar@${R} || exit 1
${kadmin} add -p foo --use-defaults remove@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
${ktutil} -k ${keytab} list > tempfile || exit 1
grep -ve '^FILE:' tempfile | grep -ve '^Vno' | \
awk '/1/ !~ $1 { exit 1 }' || exit 1
${kadmin} get foo@${R} > tempfile || exit 1
enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://'`
enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'`
echo foo > ${objdir}/foopassword
echo Starting kdc
${kdc} &
kdcpid=$!
sleep 2
if tail -1 messages.log | grep "No sockets" ; then
echo "The KDC failed to bind to any sockets, another KDC running ?"
exit 1
fi
exitcode=0
echo "initial tickets for deleted user test case"
${kinit} --password-file=${objdir}/foopassword remove@$R || exitcode=1
${kadmin} delete remove@${R} || exit 1
echo "try getting ticket with deleted user"
${kgetcred} ${server}@${R} && exitcode=1
${kdestroy}
echo "Getting client initial tickets"
${kinit} --password-file=${objdir}/foopassword foo@$R || exitcode=1
echo "Getting tickets"
${kgetcred} ${server}@${R} || exitcode=1
echo "Listing tickets"
${klist} > /dev/null || exitcode=1
./ap-req ${server}@${R} ${keytab} ${cache} || exitcode=1
${kdestroy}
for a in $enctypes; do
echo "Getting client initial tickets ($a)"
${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || exitcode=1
echo "Getting tickets"
${kgetcred} ${server}@${R} || exitcode=1
./ap-req ${server}@${R} ${keytab} ${cache} || exitcode=1
${kdestroy}
done
echo "Getting client initial tickets"
${kinit} --password-file=${objdir}/foopassword foo@$R || exitcode=1
for a in $enctypes; do
echo "Getting tickets ($a)"
${kgetcred} -e $a ${server}@${R} || exitcode=1
./ap-req ${server}@${R} ${keytab} ${cache} || exitcode=1
${kdestroy} --credential=${server}@${R}
done
${kdestroy}
echo "Getting client initial tickets for cross realm case"
${kinit} --password-file=${objdir}/foopassword foo@$R || exitcode=1
for a in $enctypes; do
echo "Getting cross realm tickets ($a)"
${kgetcred} -e $a ${server2}@${R2} || exitcode=1
./ap-req ${server2}@${R2} ${keytab} ${cache} || exitcode=1
${kdestroy} --credential=${server2}@${R2}
done
${kdestroy}
echo "try all permutations"
for a in $enctypes; do
echo "Getting client initial tickets ($a)"
${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || exitcode=1
for b in $enctypes; do
echo "Getting tickets ($a -> $b)"
${kgetcred} -e $b ${server}@${R} || exitcode=1
./ap-req ${server}@${R} ${keytab} ${cache} || exitcode=1
${kdestroy} --credential=${server}@${R}
done
${kdestroy}
done
echo "Getting server initial tickets"
${kinit} --keytab=${keytab} ${server}@$R || exitcode=1
echo "Listing tickets"
${klist} | grep "Principal: ${server}" > /dev/null || exitcode=1
${kdestroy}
#echo deleting all but aes enctypes on krbtgt
#${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1
#
#echo "try all permutations (only aes)"
#for a in $enctypes; do
# echo "Getting client initial tickets ($a)"
# ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} || exitcode=1
# for b in $enctypes; do
# echo "Getting tickets ($a -> $b)"
# ${kgetcred} -e $b ${server}@${R} || exitcode=1
# ./ap-req ${server}@${R} ${keytab} ${cache} || exitcode=1
# ${kdestroy} --credential=${server}@${R}
# done
# ${kdestroy}
#done
rsa=yes
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
rsa=no
fi
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
pkinit=yes
fi
# If we support pkinit and have RSA, lets try that
if test "$pkinit" = yes -a "$rsa" = yes ; then
echo "Trying pk-init (princiapl in certificate)"
base="${srcdir}/../../lib/hx509/data"
${kinit} -C FILE:${base}/pkinit.crt,${base}/pkinit.key bar@${R} || exitcode=1
${kgetcred} ${server}@${R} || exitcode=1
${kdestroy}
echo "Trying pk-init (princiapl in pki-mapping)"
${kinit} -C FILE:${base}/pkinit.crt,${base}/pkinit.key foo@${R} || exitcode=1
${kgetcred} ${server}@${R} || exitcode=1
${kdestroy}
echo "Trying pk-init (password protected key)"
${kinit} -C FILE:${base}/pkinit.crt,${base}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || exitcode=1
${kgetcred} ${server}@${R} || exitcode=1
${kdestroy}
else
echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"
fi
echo "killing kdc (${kdcpid})"
kill $kdcpid || exit 1
exit $exitcode
Reference in New Issue View Git Blame Copy Permalink