This is useful for services that need not be clients. For example, an untrusted service that need only accept authentication from clients, but not initiate authentication to other services.
#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# KDC regression test.  Builds a set of test realms with kadmin, starts a
# kdc and a kpasswdd, and drives kinit/kgetcred/klist against them.  The
# @...@ tokens are filled in by configure.  Written for POSIX sh on purpose
# (no arrays, no [[ ]]).  The tool variables below hold "command options..."
# strings and are expanded unquoted wherever they are invoked so that the
# embedded options word-split into separate arguments.

top_builddir="@top_builddir@"
env_setup="@env_setup@"
objdir="@objdir@"

# Supplies the tool variables (kadmin, kdc, kinit, ...) together with
# have_db, afs_no_afslog, afs_no_unlog and EGREP used further down.
. ${env_setup}

# An optional first argument selects the krb5.conf for the whole run.
KRB5_CONFIG="${1-${objdir}/krb5.conf}"
export KRB5_CONFIG

# Evaluated at every test failure: show the KDC log gathered in
# messages.log, then abort the script.
testfailed="echo test failed; cat messages.log; exit 1"

# If there is no useful db support compiled in, disable test
# (exit status 77 is the automake "skipped" convention).
${have_db} || exit 77

# Realm names.  R is the home realm, RH the one reached over the http
# transport; R2..R8 are linked through [capaths]; H1..H4 are a hierarchy
# under R (H3 and H4 below H2).
R=TEST.H5L.SE
RH=TEST-HTTP.H5L.SE
R2=TEST2.H5L.SE
R3=TEST3.H5L.SE
R4=TEST4.H5L.SE
R5=SOME-REALM5.FR
R6=SOME-REALM6.US
R7=SOME-REALM7.UK
R8=SOME-REALM8.UK

H1=H1.$R
H2=H2.$R
H3=H3.$H2
H4=H4.$H2

# Lower-case copies, used to build the host-based principal names.
r=$(echo "$R" | tr '[A-Z]' '[a-z]')
h1=$(echo "${H1}" | tr '[A-Z]' '[a-z]')
h2=$(echo "${H2}" | tr '[A-Z]' '[a-z]')
h3=$(echo "${H3}" | tr '[A-Z]' '[a-z]')
h4=$(echo "${H4}" | tr '[A-Z]' '[a-z]')

port=@port@
pwport=@pwport@

# kadmin5 must capture the bare ${kadmin} before it is rebound to realm R.
kadmin5="${kadmin} -l -r $R5"
kadmin="${kadmin} -l -r $R"
kdc="${kdc} --addresses=localhost -P $port"
kpasswdd="${kpasswdd} --addresses=localhost -p $pwport"

# Service principals exercised by the tests.
server=host/datan.test.h5l.se
server2=host/computer.example.com
serverip=host/10.11.12.13
serveripname=host/ip.test.h5l.org
serveripname2=host/10.11.12.14
alias1=host/datan.example.com
alias2=host/datan
aliaskeytab=host/datan

# Credential caches, the shared keytab and the delegation proxy service.
cache="FILE:${objdir}/cache.krb5"
ocache="FILE:${objdir}/ocache.krb5"
o2cache="FILE:${objdir}/o2cache.krb5"
icache="FILE:${objdir}/icache.krb5"
keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
ps="proxy-service@${R}"
aesenctype="aes256-cts-hmac-sha1-96"

# Client tool wrappers, all bound to the same credential cache.
kinit="${kinit} -c $cache ${afs_no_afslog}"
klist="${klist} -c $cache"
kgetcred="${kgetcred} -c $cache"
kgetcred_imp="${kgetcred} -c $cache --out-cache=${ocache}"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}"
test_set_kvno0="${test_set_kvno0} -c $cache"

# Start from a clean state: keytab, databases, outputs, master key file.
rm -f "${keytabfile}"
rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log
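echo Creating database
# One database per realm.  R5 is served by kadmin5 (bound to R5 instead of R).
for realm in ${R} ${R2} ${R3} ${R4}; do
    ${kadmin} \
        init \
        --realm-max-ticket-life=1day \
        --realm-max-renewable-life=1month \
        ${realm} || exit 1
done
${kadmin5} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R5} || exit 1
for realm in ${R6} ${R7} ${R8} ${H1} ${H2} ${H3} ${H4} ${RH}; do
    ${kadmin} \
        init \
        --realm-max-ticket-life=1day \
        --realm-max-renewable-life=1month \
        ${realm} || exit 1
done

# Give the home-realm TGT a random key four times in a row (presumably to
# push the krbtgt key version past its initial value before the rollover
# tests further down — confirm against the kvno tests if this is changed).
for i in 1 2 3 4; do
    ${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
done

# Users: a "foo" in every realm, plus host-based foo principals in the
# realms that take part in the referral tests.
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} add -p foo --use-defaults foo/host.${r}@${R} || exit 1
for realm in ${R2} ${R3} ${R4}; do
    ${kadmin} add -p foo --use-defaults foo@${realm} || exit 1
done
${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
for realm in ${R6} ${R7} ${R8}; do
    ${kadmin} add -p foo --use-defaults foo@${realm} || exit 1
done
${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
${kadmin} add -p foo --use-defaults foo/host.${h2}@${H2} || exit 1
${kadmin} add -p foo --use-defaults foo@${H3} || exit 1
${kadmin} add -p foo --use-defaults foo/host.${h3}@${H3} || exit 1
${kadmin} add -p foo --use-defaults foo@${H4} || exit 1
${kadmin} add -p foo --use-defaults foo/host.${h4}@${H4} || exit 1
${kadmin} add -p bar --use-defaults bar@${R} || exit 1
${kadmin} add -p foo --use-defaults remove@${R} || exit 1

# The main service principal goes through two --keepold password changes,
# so it ends up with several key versions; the keytab check below treats
# it specially for that reason.
${kadmin} add -p nop --use-defaults ${server}@${R} || exit 1
${kadmin} cpw -p bla --keepold ${server}@${R} || exit 1
${kadmin} cpw -p kaka --keepold ${server}@${R} || exit 1
# Principals whose enctype sets are narrowed or checked later on.
${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1
${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1
${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1

# A principal that may never get forwardable tickets, and the proxy
# service that is trusted for (constrained) delegation to ${server}.
${kadmin} add -p sens --use-defaults --attributes=disallow-forwardable sensitive@${R} || exit 1
${kadmin} add -p foo --use-defaults ${ps} || exit 1
${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
${kadmin} ext -k ${keytab} ${ps} || exit 1

# Service in the second realm, IP-literal service and an IP alias.
${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1
${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1
# Abort if the alias cannot be created: every other kadmin step here is
# fatal, and the alias tests further down depend on this one succeeding.
${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R} || exit 1
${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1

${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1
${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R} || exit 1

# Cross-realm TGTs, each pair linking two realms in both directions:
# R-R2, R2-R3, R2-R4, R3-R4, R-R5, R5-R6, R6-R7, R6-R8 for the [capaths]
# tests and R-H1, R-H2, H2-H3, H4-H3 for the hierarchical referral tests.
${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R3} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R2} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R4} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R3} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R4} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${R5}@${R} || exit 1
${kadmin5} add -p cross2 --use-defaults krbtgt/${R}@${R5} || exit 1

${kadmin5} add -p cross1 --use-defaults krbtgt/${R6}@${R5} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${H2}@${R} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H2} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H2} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${H2}@${H3} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H4} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${H4}@${H3} || exit 1

# Principals with a soon-expiring password, an expired password and an
# expired account.
${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1
${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1

${kadmin} add -p foo --use-defaults pw-expired@${R} || exit 1
${kadmin} modify --pw-expiration-time=2012-06-12 pw-expired@${R} || exit 1

${kadmin} add -p foo --use-defaults account-expired@${R} || exit 1
${kadmin} modify --expiration-time=2012-06-12 account-expired@${R} || exit 1

${kadmin} add -p foo --use-defaults foo@${RH} || exit 1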
echo "Check parser"
# A principal literally named "-p": "--" has to stop option parsing.
${kadmin} add -p foo --use-defaults -- -p || exit 1
${kadmin} delete -- -p || exit 1

echo "Doing database check"
for realm in ${R} ${R2} ${R3} ${R4}; do
    ${kadmin} check ${realm} || exit 1
done
${kadmin5} check ${R5} || exit 1
for realm in ${R6} ${R7} ${R8} ${H1} ${H2} ${H3} ${H4}; do
    ${kadmin} check ${realm} || exit 1
done

echo "Extracting enctypes"
# Keytab listing minus the header lines; the first column is the Vno.
# Every entry except ${server}'s must have a 1 in it, while ${server}'s
# first (newest) entry must show a 3 — it was cpw'd twice with --keepold.
${ktutil} -k ${keytab} list > tempfile || exit 1
${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' \
    | ${EGREP} -v "$server" \
    | awk '$1 !~ /1/ { exit 1 }' || exit 1
${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' \
    | ${EGREP} "$server" | head -1 \
    | awk '$1 !~ /3/ { exit 1 }' || exit 1

# Enctype list of foo@R as space separated names: drop the "Keytypes:"
# label, the "(pw-salt)" markers, the commas and the bracketed [n] suffixes.
${kadmin} get foo@${R} > tempfile || exit 1
enctypes=$(grep Keytypes: tempfile \
    | sed -e 's/(pw-salt)//g' -e 's/,//g' -e 's/Keytypes://' -e 's/\[[0-9]*\]//g')

# Unquoted on purpose: joins the lines into one.
enctype_sans_aes=$(echo $enctypes | sed 's/aes[^ ]*//g')
enctype_sans_des3=$(echo $enctypes | sed 's/des3-cbc-sha1//g')

echo "deleting all but des enctypes on kt-des3 in keytab"
${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1
# Best effort: removing an enctype the keytab does not hold is not fatal.
for a in ${enctype_sans_des3} ; do
    ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e "$a"
done

echo "checking globbing keys rules"
# foo/des3-only and foo/aes-only must each have exactly one enctype
# (presumably from key globbing rules in the test krb5.conf).
# NOTE(review): this reassigns $enctypes, which the enctype loops further
# down iterate over; after this point it holds only the aes-only entry.
# Confirm that is intended before touching the variable name.
${kadmin} get foo/des3-only@${R} > tempfile || exit 1
enctypes=$(grep Keytypes: tempfile \
    | sed -e 's/(pw-salt)//g' -e 's/,//g' -e 's/Keytypes://' -e 's/\[[0-9]*\]//g' -e 's/ //g')
if [ X"$enctypes" != Xdes3-cbc-sha1 ] ; then
    echo "des3 only is not only des3: $enctypes"
    exit 1
fi

${kadmin} get foo/aes-only@${R} > tempfile || exit 1
enctypes=$(grep Keytypes: tempfile \
    | sed -e 's/(pw-salt)//g' -e 's/,//g' -e 's/Keytypes://' -e 's/\[[0-9]*\]//g' -e 's/ //g')
if [ X"$enctypes" != Xaes256-cts-hmac-sha1-96 ] ; then
    echo "aes only is not only aes: $enctypes"
    exit 1
fi
# Password files for kinit --password-file.  Test-only secrets, created
# inside the build tree with the caller's umask.
echo foo > "${objdir}/foopassword"
echo notfoo > "${objdir}/notfoopassword"

echo Starting kdc ; > messages.log
# The Malloc* variables are Darwin libmalloc debugging knobs; other
# platforms ignore them.
env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile="${objdir}/malloc-log" \
    ${kdc} --detach --testing \
    || { echo "kdc failed to start"; exit 1; }
kdcpid=$(getpid kdc)

echo Starting kpasswdd; > messages.log
env ${HEIM_MALLOC_DEBUG} ${kpasswdd} --detach \
    || { echo "kpasswdd failed to start"; exit 1; }
kpasswddpid=$(getpid kpasswdd)

# Kill both daemons on any exit.  The handler always exits 1, so the
# normal completion path presumably resets the trap before its final exit
# (the tail of the script is where that would have to happen).
trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1;" EXIT

# Set to 1 by the failure handler of every test below.
ec=0
echo "Getting client initial tickets with wrong password"; > messages.log
# ${server} is marked disallow-client here and only re-enabled much later,
# when the "server initial tickets" test first checks that kinit is refused.
${kadmin} modify --attributes=+disallow-client ${server} || exit 1
${kinit} --password-file="${objdir}/notfoopassword" foo@${R} 2>kinit-log.tmp \
    && { ec=1 ; eval "${testfailed}"; }
grep 'Password incorrect' kinit-log.tmp > /dev/null \
    || { ec=1 ; eval "${testfailed}"; }
echo "Getting client initial tickets"; > messages.log
${kinit} --password-file="${objdir}/foopassword" foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }
echo "Doing krbtgt key rollover"; > messages.log
# New random TGT key with the old one kept: the TGT obtained above has to
# stay usable for the service ticket request that follows.
${kadmin} cpw -r --keepold krbtgt/${R}@${R} || exit 1
echo "Getting tickets"; > messages.log
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > messages.log
${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
${test_ap_req} ${server}@${R} ${keytab} ${cache} \
    || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Getting client initial tickets (http transport)"; > messages.log
${kinit} --password-file="${objdir}/foopassword" foo@${RH} \
    || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Testing capaths logic"
${kinit} --password-file="${objdir}/foopassword" \
    -e "${aesenctype}" -e "${aesenctype}" \
    foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }

# Every realm reachable from R via [capaths] must yield a ticket; R8 is
# expected to be unreachable.
for realm in ${R2} ${R3} ${R4} ${R5} ${R6} ${R7}; do
    echo "Getting x-realm tickets with capaths for $R -> $realm"
    ${kgetcred} foo@${realm} || { ec=1 ; eval "${testfailed}"; }
done
echo "Should not get x-realm tickets with capaths for $R -> $R8"
${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Testing capaths logic (reverse order)"
${kinit} --password-file="${objdir}/foopassword" \
    -e "${aesenctype}" -e "${aesenctype}" \
    foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }

# Same realms, requested in the opposite order so the intermediate TGTs
# already in the cache differ from the run above.
for realm in ${R4} ${R3} ${R2} ${R7} ${R6} ${R5}; do
    echo "Getting x-realm tickets with capaths for $R -> $realm"
    ${kgetcred} foo@${realm} || { ec=1 ; eval "${testfailed}"; }
done
${kdestroy}

echo "Testing hierarchical referral logic"
${kinit} --password-file="${objdir}/foopassword" \
    -e "${aesenctype}" -e "${aesenctype}" \
    foo@${H3} \
    || { ec=1 ; eval "${testfailed}"; }

# Host-based requests from H3 are resolved by referral through the realm
# hierarchy; the KDC log must show the expected path for each target.
echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Testing multi-hop [capaths] referral logic"
${kinit} --password-file="${objdir}/foopassword" \
    -e "${aesenctype}" -e "${aesenctype}" \
    foo@${H4} \
    || { ec=1 ; eval "${testfailed}"; }

echo "Getting x-realm tickets with [capaths] referrals for $H4 -> $H1"
${kgetcred} --hostbased --canonicalize foo/host.${h1}@${H4} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Testing forwardable/renewable flag copying in TGS-REQ"
# A forwardable, renewable TGT; the service ticket derived from it must
# show the same "FRA" flag string in klist -f.
${kinit} -f --renewable -r 5d --password-file="${objdir}/foopassword" foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${klist} -f | grep "${server}" | grep FRA > /dev/null \
    || { ec=1 ; eval "${testfailed}"; }

echo "Testing strip of forwardable when the server is disallowed in TGS-REQ"
# sensitive@R was created with disallow-forwardable, so its ticket must
# not carry the FRA flags even though the TGT is forwardable.
${kgetcred} sensitive@${R} || { ec=1 ; eval "${testfailed}"; }
${klist} -f | grep sensitive | grep FRA > /dev/null \
    && { ec=1 ; eval "${testfailed}"; }
echo "Specific enctype"; > messages.log
${kinit} --password-file="${objdir}/foopassword" \
    -e "${aesenctype}" -e "${aesenctype}" \
    foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }

# $enctypes is the list computed from "kadmin get" above and is
# deliberately left unquoted in every loop so that it word-splits.
for a in $enctypes; do
    echo "Getting client initial tickets ($a)"; > messages.log
    ${kinit} --enctype="$a" --password-file="${objdir}/foopassword" foo@${R} || { ec=1 ; eval "${testfailed}"; }
    echo "Getting tickets"; > messages.log
    ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy}
done

# One TGT, then a service ticket per enctype; each service ticket is
# removed again so the next request cannot be served from the cache.
echo "Getting client initial tickets"; > messages.log
${kinit} --password-file="${objdir}/foopassword" foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
    echo "Getting tickets ($a)"; > messages.log
    ${kgetcred} -e "$a" ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${test_ap_req} ${server}@${R} ${keytab} ${cache} \
        || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy} --credential=${server}@${R}
done
${kdestroy}

# Same again from an authenticated-anonymous TGT (kinit -n with password).
echo "Getting client authenticated anonymous initial tickets"; > messages.log
${kinit} -n --password-file="${objdir}/foopassword" foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
    echo "Getting tickets ($a)"; > messages.log
    ${kgetcred} -e "$a" ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${test_ap_req} ${server}@${R} ${keytab} ${cache} \
        || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy} --credential=${server}@${R}
done
${kdestroy}

# And with anonymous service tickets (kgetcred -n) from an ordinary TGT.
echo "Getting client anonymous service tickets"; > messages.log
${kinit} --password-file="${objdir}/foopassword" foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
    echo "Getting tickets ($a)"; > messages.log
    ${kgetcred} -n -e "$a" ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${test_ap_req} ${server}@${R} ${keytab} ${cache} \
        || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy} --credential=${server}@${R}
done
${kdestroy}
echo "Getting client initial tickets for cross realm case"; > messages.log
${kinit} --password-file="${objdir}/foopassword" foo@${R} || { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
    echo "Getting cross realm tickets ($a)"; > messages.log
    ${kgetcred} -e "$a" ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
    echo " checking we we got back right ticket"
    # The cache must hold a ticket for the requested service itself, not
    # just the intermediate cross-realm TGT.
    ${klist} | grep "${server2}@" > /dev/null || { ec=1 ; eval "${testfailed}"; }
    echo " checking if ticket is useful"
    ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} \
        || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy} --credential=${server2}@${R2}
done
${kdestroy}
# Four variants of the same scenario: the cached cross-realm TGT has its
# kvno set to 0 (test_set_kvno0) or removed (test_set_kvno0 -n), with and
# without a krbtgt key rollover in between — presumably so the KDC has to
# find the right krbtgt key without a usable kvno hint.
echo "Trying x-realm TGT with kvno 0 case";
${kinit} --password-file="${objdir}/foopassword" foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
echo "Getting cross realm tickets"; > messages.log
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
echo "Getting service ticket"; > messages.log
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Trying x-realm TGT with kvno 0 case with key rollover";
${kinit} --password-file="${objdir}/foopassword" foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
echo "Getting cross realm tickets"; > messages.log
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Rolling over cross realm keys"; > messages.log
${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
echo "Getting service ticket"; > messages.log
# NOTE(review): nothing reads input after this prompt; it looks like a
# leftover from interactive debugging.
echo "Start tracing kdc, then hit return"
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Trying x-realm TGT with no kvno case";
${kinit} --password-file="${objdir}/foopassword" foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
echo "Getting cross realm tickets"; > messages.log
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
echo "Getting service ticket"; > messages.log
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Trying x-realm TGT with no kvno case with key rollover";
${kinit} --password-file="${objdir}/foopassword" foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
echo "Getting cross realm tickets"; > messages.log
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Rolling over cross realm keys"; > messages.log
${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
echo "Getting service ticket"; > messages.log
# NOTE(review): same leftover prompt as above; no read follows.
echo "Start tracing kdc, then hit return"
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "try all permutations"; > messages.log
# Every (TGT enctype, service ticket enctype) pair; $enctypes is
# word-split on purpose.
for a in $enctypes; do
    echo "Getting client initial tickets ($a)"; > messages.log
    ${kinit} --enctype="$a" --password-file="${objdir}/foopassword" foo@${R} \
        || { ec=1 ; eval "${testfailed}"; }
    for b in $enctypes; do
        echo "Getting tickets ($a -> $b)"; > messages.log
        ${kgetcred} -e "$b" ${server}@${R} \
            || { ec=1 ; eval "${testfailed}"; }
        ${test_ap_req} ${server}@${R} ${keytab} ${cache} \
            || { ec=1 ; eval "${testfailed}"; }
        # Drop the service ticket so the next enctype is fetched fresh.
        ${kdestroy} --credential=${server}@${R}
    done
    ${kdestroy}
done
echo "Getting client initial tickets ip based name"; > messages.log
${kinit} --password-file="${objdir}/foopassword" foo@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Getting ip based name tickets"; > messages.log
# Service principal whose host component is an IP literal.
${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
echo " checking we we got back right ticket"
${klist} | grep "${serverip}@" > /dev/null || { ec=1 ; eval "${testfailed}"; }
echo " checking if ticket is useful"
${test_ap_req} ${serverip}@${R} ${keytab} ${cache} \
    || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Getting client initial tickets ip based name (alias)"; > messages.log
${kinit} --password-file="${objdir}/foopassword" foo@${R} || { ec=1 ; eval "${testfailed}"; }
# ${serveripname2} is an alias of ${serveripname}; only the canonical name
# was extracted into the keytab, presumably why --server-any is used here.
for a in ${serveripname} ${serveripname2} ; do
    echo "Getting ip based name tickets (alias) $a"; > messages.log
    ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
    echo " checking we we got back right ticket"
    ${klist} | grep "${a}@" > /dev/null || { ec=1 ; eval "${testfailed}"; }
    echo " checking if ticket is useful"
    ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} \
        || { ec=1 ; eval "${testfailed}"; }
done
${kdestroy}
echo "Getting server initial tickets"; > messages.log
# ${server} still carries disallow-client from the first test: a keytab
# kinit has to be refused until the attribute is cleared again.
${kinit} --keytab=${keytab} ${server}@${R} && { ec=1 ; eval "${testfailed}"; }
${kadmin} modify --attributes=-disallow-client ${server} || exit 1
${kinit} --keytab=${keytab} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > messages.log
${klist} | grep "Principal: ${server}" > /dev/null \
    || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Getting key for key that are a subset in keytab compared to kdb"
# kt-des3's keytab entry was pruned to a subset of its database keys.
# kinit's own status is not checked; the klist that follows is the assertion.
${kinit} --keytab=${keytab} kt-des3@${R}
${klist} | grep "Principal: kt-des3" > /dev/null \
    || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "initial tickets for deleted user test case"; > messages.log
# A TGT obtained before the principal is deleted must not yield service
# tickets afterwards.
${kinit} --password-file="${objdir}/foopassword" remove@${R} \
    || { ec=1 ; eval "${testfailed}"; }
${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
echo "try getting ticket with deleted user"; > messages.log
${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "cross realm case (deleted user)"; > messages.log
# Here the service ticket is still expected after the R2 principal is
# deleted — presumably because R's KDC has no record of a client that
# exists only in R2.
${kinit} --password-file="${objdir}/foopassword" remove2@${R2} \
    || { ec=1 ; eval "${testfailed}"; }
${kgetcred} krbtgt/${R}@${R2} 2> /dev/null \
    || { ec=1 ; eval "${testfailed}"; }
${kadmin} delete remove2@${R2} || exit 1
${kgetcred} ${server}@${R} 2> /dev/null \
    || { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "rename user"; > messages.log
# The renamed principal keeps its password; the old name is gone.
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file="${objdir}/foopassword" rename@${R} \
    || { ec=1 ; eval "${testfailed}"; }
${kadmin} rename rename@${R} rename2@${R} || exit 1
${kinit} --password-file="${objdir}/foopassword" rename2@${R} \
    || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
${kadmin} delete rename2@${R} || exit 1

echo "rename user to another realm"; > messages.log
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file="${objdir}/foopassword" rename@${R} \
    || { ec=1 ; eval "${testfailed}"; }
${kadmin} rename rename@${R} rename@${R2} || exit 1
${kinit} --password-file="${objdir}/foopassword" rename@${R2} \
    || { ec=1 ; eval "${testfailed}"; }
${kdestroy}
${kadmin} delete rename@${R2} || exit 1
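echo deleting all but aes enctypes on krbtgt
# From here on the home-realm TGT only has non-"aes*" enctypes removed;
# enctype_sans_aes was derived from foo's key list earlier.
${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1

echo deleting all but des enctypes on server-des3
${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1

echo "try all permutations (only aes)"; > messages.log
# $enctypes is word-split on purpose.
for a in $enctypes; do
    echo "Getting client initial tickets ($a)"; > messages.log
    ${kinit} --enctype="$a" --password-file="${objdir}/foopassword" foo@${R} \
        || { ec=1 ; eval "${testfailed}"; }
    for b in $enctypes; do
        echo "Getting tickets ($a -> $b)"; > messages.log
        ${kgetcred} -e "$b" ${server}@${R} \
            || { ec=1 ; eval "${testfailed}"; }
        ${test_ap_req} ${server}@${R} ${keytab} ${cache} \
            || { ec=1 ; eval "${testfailed}"; }

        # The des3-only service must still be reachable from this TGT.
        echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log
        ${kgetcred} ${server}-des3@${R} \
            || { ec=1 ; eval "${testfailed}"; }
        ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} \
            || { ec=1 ; eval "${testfailed}"; }

        ${kdestroy} --credential=${server}@${R}
        ${kdestroy} --credential=${server}-des3@${R}
    done
    ${kdestroy}
done

echo deleting all enctypes on krbtgt
# The AES enctype is named through the shared ${aesenctype} variable
# rather than a repeated literal, so it stays in step with the rest of
# the script.
${kadmin} del_enctype krbtgt/${R}@${R} ${aesenctype} \
    || { ec=1 ; eval "${testfailed}"; }
echo "try initial ticket w/o and keys on krbtgt"
# With no krbtgt key left the AS-REQ must be rejected.
${kinit} --password-file="${objdir}/foopassword" foo@${R} 2>/dev/null \
    && { ec=1 ; eval "${testfailed}"; }
echo "adding random aes key"
${kadmin} add_enctype -r krbtgt/${R}@${R} ${aesenctype} \
    || { ec=1 ; eval "${testfailed}"; }
echo "try initial ticket with random aes key on krbtgt"
${kinit} --password-file="${objdir}/foopassword" foo@${R} \
    || { ec=1 ; eval "${testfailed}"; }
${kdestroy}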
# Probe the build for pkinit support: the RSA and ECDSA backends may be
# compiled out (hxtool reports "null" providers, or no randomness source),
# and kinit only advertises a "CA certificates" option when built with pkinit.
rsa=yes
ecdsa=yes
pkinit=no
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
    rsa=no
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
    rsa=no
fi
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
    pkinit=yes
fi

if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
    ecdsa=no
fi

# If we support pkinit and have RSA, lets try that
if test "$pkinit" = yes && test "$rsa" = yes ; then

    echo "try anonymous pkinit"; > messages.log
    # Anonymous pkinit: no client certificate, only the realm is named.
    ${kinit} --renewable -n @${R} \
        || { ec=1 ; eval "${testfailed}"; }
    ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${kinit} --renew || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy}

    # Once with the default key exchange, once with --pk-use-enckey.
    # $type is left unquoted so the empty variant contributes no argument.
    for type in "" "--pk-use-enckey"; do
        echo "Trying pk-init (principal in certificate) $type"; > messages.log
        ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} \
            || { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}

        echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
        ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} \
            || { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}

        echo "Trying pk-init (password protected key) $type"; > messages.log
        ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file="${objdir}/foopassword" foo@${R} \
            || { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} \
            || { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}

        echo "Trying pk-init (proxy cert) $type"; > messages.log
        ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} \
            || { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}
    done

    if test "$ecdsa" = yes ; then
        echo "Trying pk-init (ec certificate)"
        > messages.log
        ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} \
            || { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}
        # The KDC log has to confirm that the EC key exchange was used.
        grep 'PK-INIT using ecdh' messages.log > /dev/null \
            || { ec=1 ; eval "${testfailed}"; }
    fi

else
    echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
fi
# S4U2Self / S4U2Proxy (constrained delegation) tests.  ${ps} is
# presumably the service principal that is allowed to impersonate;
# ${kgetcred_imp}, ${ocache} and ${o2cache} are set up earlier in the
# script, outside this section.  Positive cases use '||', negative
# cases use '&&' so that an unexpected success is the failure.
echo "test impersonate using rc4 based tgt"; > messages.log
# the service gets a forwardable TGT with an arcfour-hmac-md5 key ...
${kinit} -e arcfour-hmac-md5 --forwardable --password-file=${objdir}/foopassword ${ps} || \
{ ec=1 ; eval "${testfailed}"; }
# ... and asks for a ticket to itself on behalf of bar (S4U2Self)
${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
{ ec=1 ; eval "${testfailed}"; }
# the resulting ticket must verify against the service's keytab
${test_ap_req} ${ps} ${keytab} ${ocache} || \
{ ec=1 ; eval "${testfailed}"; }

# same sequence with the default enctype; these tickets are what the
# following delegation cases build on
echo "tickets for impersonate test case"; > messages.log
${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
{ ec=1 ; eval "${testfailed}"; }
${test_ap_req} ${ps} ${keytab} ${ocache} || \
{ ec=1 ; eval "${testfailed}"; }
echo " negative check"
# S4U2Self must be to the requesting service itself: asking for a
# ticket to foo@${R} while impersonating bar has to be refused
${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }

# client principal that does not exist: must be refused
echo "test impersonate unknown client"; > messages.log
${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
{ ec=1 ; eval "${testfailed}"; }

# client whose account has expired: must be refused
echo "test impersonate account-expired client"; > messages.log
${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \
{ ec=1 ; eval "${testfailed}"; }

# client whose password has expired: S4U2Self is still allowed ('||')
echo "test impersonate pw-expired client"; > messages.log
${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \
{ ec=1 ; eval "${testfailed}"; }

# "sensitive" client: the service may obtain an S4U2Self ticket for it,
# but using that ticket as evidence for S4U2Proxy to ${server} must fail
echo "test delegate sensitive client"; > messages.log
${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} \
--out-cache=${o2cache} \
--delegation-credential-cache=${ocache} \
${server}@${R} && \
{ ec=1 ; eval "${testfailed}"; }

# ordinary client (bar): S4U2Self, then S4U2Proxy to ${server} using the
# ticket in ${ocache} as evidence; the delegated ticket lands in ${o2cache}
echo "test constrained delegation"; > messages.log
${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} \
--out-cache=${o2cache} \
--delegation-credential-cache=${ocache} \
${server}@${R} || \
{ ec=1 ; eval "${testfailed}"; }
echo " try using the credential"
# the delegated ticket must verify against ${server}'s keytab entry
${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
{ ec=1 ; eval "${testfailed}"; }
echo " negative check"
# delegation to bar@${R} - presumably not among the targets the service
# is allowed to delegate to - must be refused
${kgetcred} \
--out-cache=${o2cache} \
--delegation-credential-cache=${ocache} \
bar@${R} 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }

# Evidence ticket minted locally by kimpersonate (i.e. not issued by the
# KDC) instead of obtained via S4U2Self.  ocache.krb5 is presumably the
# file behind ${ocache}.  Without the forwardable flag S4U2Proxy must be
# refused ...
echo "test constrained delegation impersonation (non forward)"; > messages.log
rm -f ocache.krb5
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }

# ... and even with forwardable set it must still be refused, because
# the ticket carries no KDC-issued KRB5SignedPath.  This is the check
# that a self-minted evidence ticket cannot be turned into a delegation.
echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log
rm -f ocache.krb5
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }

${kdestroy}

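# Ticket renewal.  Two renewal paths are exercised on a renewable TGT for
# foo: Heimdal's own 'kinit -R', and the ${test_renew} program, which per
# its label goes through the MIT-compatible interface and is pointed at
# the credential cache via KRB5CCNAME=${cache}.
# The two progress messages are printed and messages.log truncated with
# '; > messages.log', as every other step in this script does; previously
# the redirect was attached to the echo itself, sending the message into
# the log instead of to the terminal.
echo "check renewing"; > messages.log
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
echo "kinit -R"
${kinit} -R || \
{ ec=1 ; eval "${testfailed}"; }
echo "check renewing MIT interface"; > messages.log
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
echo "test_renew"
env KRB5CCNAME=${cache} ${test_renew} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
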
# Server aliases.  ${alias1} and ${alias2} are alias names for a service
# (set up earlier, outside this section).  Only ${alias1} has its own
# keytab entry; ${alias2} can only be verified when test_ap_req is
# allowed to try any entry in the keytab (--server-any).
echo "checking server aliases"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
echo "Getting tickets"; > messages.log
# the KDC must issue tickets for both alias names
${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
echo " verify entry in keytab"
${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
echo " verify entry in keytab with any"
${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
echo " verify failure with alias entry"
# negative: with the exact server name required, a ticket for
# ${alias2} must not verify, since it has no matching keytab entry
${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }
echo " verify alias entry in keytab with any"
${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}

# Keytab removal: 'ktutil destroy' must succeed and the backing file
# (${keytabfile}, presumably the path behind ${keytab}) must be gone
# afterwards - 'test -f' succeeding is the failure here.
echo "testing removal of keytab"
${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }

# Password-expiry warning for a client whose password is about to expire
# (principal pw-expire).  kinit must still succeed, and its stderr,
# captured in kinit-log.tmp, must contain the expiry warning.
echo "Checking client pw expire"; > messages.log
${kinit} --password-file=${objdir}/foopassword \
pw-expire@${R} 2>kinit-log.tmp|| \
{ ec=1 ; eval "${testfailed}"; }
grep 'Your password will expire' kinit-log.tmp > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
echo " kinit passes"
# Same check through the get_init_creds API via test_gic.  The fixture
# password is passed on the command line here.  "e type: 6" in its
# output is presumably the last-req entry announcing password expiry -
# confirm against test_gic.
${test_gic} --client=pw-expire@${R} --password=foo > kinit-log.tmp 2>/dev/null
${EGREP} "^e type: 6" kinit-log.tmp > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
echo " test_gic passes"
${kdestroy}

# Expired password: drive an interactive kinit for pw-expired@${R} through
# rkpty with a scripted dialogue.  Expected flow: old password prompt,
# "Password has expired", two prompts for the new password, success.
echo "Checking password expiration" ; > messages.log

# rkpty script file; written into ${objdir} next to the other fixtures.
# The here-document is unquoted, so the "\n" sequences stay literal in
# the file - presumably rkpty interprets them as a newline to send.
# "foo" and "Foobar11" are test fixture passwords only.
kinitpty=${objdir}/foopassword.rkpty
cat > ${kinitpty} <<EOF
expect Password
password foo\n
expect Password has expired
expect New password
password Foobar11\n
expect password
password Foobar11\n
expect Success: Password changed
EOF

echo "Checking client pw expire"; > messages.log
${rkpty} ${kinitpty} ${kinit} pw-expired@${R}|| \
{ ec=1 ; eval "${testfailed}"; }

${kdestroy}


# Tear down.  ${leaks_kill} is run with the daemon name and pid; a failure
# here exits 1 directly rather than going through ${testfailed}.
echo "killing kdc (${kdcpid}) kpasswdd (${kpasswddpid})"
sh ${leaks_kill} kdc $kdcpid || exit 1
sh ${leaks_kill} kpasswdd $kpasswddpid || exit 1

# clear the EXIT trap (presumably installed earlier for cleanup on
# abnormal exit) so that the normal exit below does not run it again
trap "" EXIT

# ec is 0 unless one of the checks above set it to 1
exit $ec