1acb961bc1
We introduced a notion of soft vs. hard aliases in the previous commit (hdb: Distinguish soft and hard principal aliases). This commit corrects existing test cases and adds new test cases. Soft aliases allow for the configuration of referrals using HDB entries. Hard aliases are like copies of the aliased HDB entries. These are useful for renaming principals (and realms). See the preceding commit.
1098 lines
42 KiB
Bash
1098 lines
42 KiB
Bash
#!/bin/sh
|
|
#
|
|
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
|
|
# (Royal Institute of Technology, Stockholm, Sweden).
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions
|
|
# are met:
|
|
#
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
#
|
|
# 2. Redistributions in binary form must reproduce the above copyright
|
|
# notice, this list of conditions and the following disclaimer in the
|
|
# documentation and/or other materials provided with the distribution.
|
|
#
|
|
# 3. Neither the name of the Institute nor the names of its contributors
|
|
# may be used to endorse or promote products derived from this software
|
|
# without specific prior written permission.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
# SUCH DAMAGE.
|
|
|
|
top_builddir="@top_builddir@"
|
|
env_setup="@env_setup@"
|
|
objdir="@objdir@"
|
|
|
|
. ${env_setup}
|
|
|
|
KRB5_CONFIG="${1-${objdir}/krb5.conf}"
|
|
export KRB5_CONFIG
|
|
|
|
testfailed="echo test failed; cat messages.log; exit 1"
|
|
|
|
# If there is no useful db support compiled in, disable test
|
|
${have_db} || exit 77
|
|
|
|
R=TEST.H5L.SE
|
|
RH=TEST-HTTP.H5L.SE
|
|
R2=TEST2.H5L.SE
|
|
R3=TEST3.H5L.SE
|
|
R4=TEST4.H5L.SE
|
|
R5=SOME-REALM5.FR
|
|
R6=SOME-REALM6.US
|
|
R7=SOME-REALM7.UK
|
|
R8=SOME-REALM8.UK
|
|
|
|
H1=H1.$R
|
|
H2=H2.$R
|
|
H3=H3.$H2
|
|
H4=H4.$H2
|
|
|
|
r=`echo "$R" | tr '[A-Z]' '[a-z]'`
|
|
h1=`echo "${H1}" | tr '[A-Z]' '[a-z]'`
|
|
h2=`echo "${H2}" | tr '[A-Z]' '[a-z]'`
|
|
h3=`echo "${H3}" | tr '[A-Z]' '[a-z]'`
|
|
h4=`echo "${H4}" | tr '[A-Z]' '[a-z]'`
|
|
|
|
port=@port@
|
|
pwport=@pwport@
|
|
|
|
kadmin5="${kadmin} -l -r $R5"
|
|
kadmin="${kadmin} -l -r $R"
|
|
kdc="${kdc} --addresses=localhost -P $port"
|
|
kpasswdd="${kpasswdd} --addresses=localhost -p $pwport"
|
|
|
|
server=host/datan.test.h5l.se
|
|
server2=host/computer.example.com
|
|
server3=host/refer-me-out.test.h5l.se
|
|
server4=host/no-auth-data-reqd.test.h5l.se
|
|
server5=host/a-host.refer-all-out.test.h5l.se
|
|
namespace=WELLKNOWN/HOSTBASED-NAMESPACE/_/refer-all-out.test.h5l.se
|
|
serverip=host/10.11.12.13
|
|
serveripname=host/ip.test.h5l.org
|
|
serveripname2=host/10.11.12.14
|
|
alias1=host/datan.example.com
|
|
alias2=host/datan
|
|
aliaskeytab=host/datan
|
|
cache="FILE:${objdir}/cache.krb5"
|
|
ocache="FILE:${objdir}/ocache.krb5"
|
|
o2cache="FILE:${objdir}/o2cache.krb5"
|
|
icache="FILE:${objdir}/icache.krb5"
|
|
keytabfile=${objdir}/server.keytab
|
|
keytab="FILE:${keytabfile}"
|
|
ps="proxy-service@${R}"
|
|
rps="restricted-proxy-service@${R}"
|
|
aesenctype="aes256-cts-hmac-sha1-96"
|
|
|
|
kinit="${kinit} -c $cache ${afs_no_afslog}"
|
|
klist2="${klist} -c $o2cache"
|
|
klist="${klist} -c $cache"
|
|
kgetcred="${kgetcred} -c $cache"
|
|
kgetcred_imp="${kgetcred} -c $cache --out-cache=${ocache}"
|
|
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
|
|
kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}"
|
|
test_set_kvno0="${test_set_kvno0} -c $cache"
|
|
|
|
rm -f ${keytabfile}
|
|
rm -f current-db*
|
|
rm -f out-*
|
|
rm -f mkey.file*
|
|
|
|
> messages.log
|
|
|
|
echo Creating database
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${R} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${R2} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${R3} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${R4} || exit 1
|
|
|
|
${kadmin5} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${R5} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${R6} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${R7} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${R8} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${H1} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${H2} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${H3} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${H4} || exit 1
|
|
|
|
${kadmin} \
|
|
init \
|
|
--realm-max-ticket-life=1day \
|
|
--realm-max-renewable-life=1month \
|
|
${RH} || exit 1
|
|
|
|
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
|
|
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
|
|
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
|
|
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
|
|
|
|
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo/host.${r}@${R} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo@${R2} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo@${R3} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo@${R4} || exit 1
|
|
${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo/host.${h2}@${H2} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo@${H3} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo/host.${h3}@${H3} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo@${H4} || exit 1
|
|
${kadmin} add -p foo --use-defaults foo/host.${h4}@${H4} || exit 1
|
|
${kadmin} add -p bar --use-defaults bar@${R} || exit 1
|
|
${kadmin} add -p foo --use-defaults remove@${R} || exit 1
|
|
${kadmin} add -p nop --use-defaults ${server}@${R} || exit 1
|
|
${kadmin} cpw -p bla --keepold ${server}@${R} || exit 1
|
|
${kadmin} cpw -p kaka --keepold ${server}@${R} || exit 1
|
|
${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
|
|
${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
|
|
${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1
|
|
${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1
|
|
${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1
|
|
|
|
${kadmin} add -p sens --use-defaults --attributes=disallow-forwardable sensitive@${R} || exit 1
|
|
${kadmin} add -p foo --use-defaults ${ps} || exit 1
|
|
${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
|
|
${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
|
|
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
|
|
${kadmin} ext -k ${keytab} ${ps} || exit 1
|
|
|
|
# Note: rps is not trusted-for-delegation
|
|
${kadmin} add -p foo --use-defaults ${rps} || exit 1
|
|
${kadmin} modify --constrained-delegation=${server} ${rps} || exit 1
|
|
${kadmin} ext -k ${keytab} ${rps} || exit 1
|
|
|
|
${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
|
|
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
|
|
${kadmin} add -p foo --use-defaults WELLKNOWN/REFERRALS/TARGET@${R5} || exit 1
|
|
${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${server3}@${R} || exit 1
|
|
${kadmin5} add -p kaka --use-defaults ${server3}@${R5} || exit 1
|
|
${kadmin5} ext -k ${keytab} ${server3}@${R5} || exit 1
|
|
${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${namespace}@${R} || exit 1
|
|
${kadmin5} add -p kaka --use-defaults ${server5}@${R5} || exit 1
|
|
${kadmin5} ext -k ${keytab} ${server5}@${R5} || exit 1
|
|
${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
|
|
${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1
|
|
${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1
|
|
${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1
|
|
${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R}
|
|
${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1
|
|
|
|
${kadmin} add -p nopac --use-defaults ${server4}@${R2} || exit 1
|
|
${kadmin} modify --attributes=+no-auth-data-reqd ${server4}@${R2} || exit 1
|
|
${kadmin} ext -k ${keytab} ${server4}@${R2} || exit 1
|
|
|
|
${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1
|
|
${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
|
|
${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R3} || exit 1
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R2} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R4} || exit 1
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R3} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R4} || exit 1
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${R5}@${R} || exit 1
|
|
${kadmin5} add -p cross2 --use-defaults krbtgt/${R}@${R5} || exit 1
|
|
|
|
${kadmin5} add -p cross1 --use-defaults krbtgt/${R6}@${R5} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} || exit 1
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${H2}@${R} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H2} || exit 1
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H2} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${H2}@${H3} || exit 1
|
|
|
|
${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H4} || exit 1
|
|
${kadmin} add -p cross2 --use-defaults krbtgt/${H4}@${H3} || exit 1
|
|
|
|
${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1
|
|
${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1
|
|
|
|
${kadmin} add -p foo --use-defaults pw-expired@${R} || exit 1
|
|
${kadmin} modify --pw-expiration-time=2012-06-12 pw-expired@${R} || exit 1
|
|
|
|
${kadmin} add -p foo --use-defaults account-expired@${R} || exit 1
|
|
${kadmin} modify --expiration-time=2012-06-12 account-expired@${R} || exit 1
|
|
|
|
${kadmin} add -p foo --use-defaults foo@${RH} || exit 1
|
|
|
|
echo "Check parser"
|
|
${kadmin} add -p foo --use-defaults -- -p || exit 1
|
|
${kadmin} delete -- -p || exit 1
|
|
|
|
echo "Doing database check"
|
|
${kadmin} check ${R} || exit 1
|
|
${kadmin} check ${R2} || exit 1
|
|
${kadmin} check ${R3} || exit 1
|
|
${kadmin} check ${R4} || exit 1
|
|
${kadmin5} check ${R5} || exit 1
|
|
${kadmin} check ${R6} || exit 1
|
|
${kadmin} check ${R7} || exit 1
|
|
${kadmin} check ${R8} || exit 1
|
|
${kadmin} check ${H1} || exit 1
|
|
${kadmin} check ${H2} || exit 1
|
|
${kadmin} check ${H3} || exit 1
|
|
${kadmin} check ${H4} || exit 1
|
|
|
|
echo "Extracting enctypes"
|
|
${ktutil} -k ${keytab} list > tempfile || exit 1
|
|
${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
|
|
${EGREP} -v "$server" | # we did cpw for this one
|
|
awk '$1 !~ /1/ { exit 1 }' || exit 1
|
|
${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
|
|
${EGREP} "$server" | head -1 |
|
|
awk '$1 !~ /3/ { exit 1 }' || exit 1
|
|
|
|
|
|
${kadmin} get foo@${R} > tempfile || exit 1
|
|
enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'`
|
|
|
|
enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'`
|
|
enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'`
|
|
|
|
echo "deleting all but des enctypes on kt-des3 in keytab"
|
|
${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1
|
|
for a in ${enctype_sans_des3} ; do
|
|
${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
|
|
done
|
|
|
|
echo "checking globbing keys rules"
|
|
${kadmin} get foo/des3-only@${R} > tempfile || exit 1
|
|
enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
|
|
if [ X"$enctypes" != Xdes3-cbc-sha1 ] ; then
|
|
echo "des3 only is not only des3: $enctypes"
|
|
exit 1
|
|
fi
|
|
|
|
${kadmin} get foo/aes-only@${R} > tempfile || exit 1
|
|
enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
|
|
if [ X"$enctypes" != Xaes256-cts-hmac-sha1-96 ] ; then
|
|
echo "aes only is not only aes: $enctypes"
|
|
exit 1
|
|
fi
|
|
|
|
|
|
echo foo > ${objdir}/foopassword
|
|
echo notfoo > ${objdir}/notfoopassword
|
|
|
|
echo Starting kdc ; > messages.log
|
|
env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \
|
|
${kdc} --detach --testing ||
|
|
{ echo "kdc failed to start"; cat messages.log; exit 1; }
|
|
kdcpid=`getpid kdc`
|
|
|
|
echo Starting kpasswdd; > messages.log
|
|
env ${HEIM_MALLOC_DEBUG} ${kpasswdd} --detach ||
|
|
{ echo "kpasswdd failed to start"; exit 1; }
|
|
kpasswddpid=`getpid kpasswdd`
|
|
|
|
|
|
trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1;" EXIT
|
|
|
|
ec=0
|
|
|
|
echo "Getting client initial tickets with wrong password"; > messages.log
|
|
${kadmin} modify --attributes=+disallow-client ${server} || exit 1
|
|
${kinit} --password-file=${objdir}/notfoopassword \
|
|
foo@${R} 2>kinit-log.tmp && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
grep 'Password incorrect' kinit-log.tmp > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting client initial tickets"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "Doing krbtgt key rollover"; > messages.log
|
|
${kadmin} cpw -r --keepold krbtgt/${R}@${R} || exit 1
|
|
echo "Getting tickets"; > messages.log
|
|
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Listing tickets"; > messages.log
|
|
${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Getting client initial tickets (http transport)"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@${RH} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Testing capaths logic"
|
|
${kinit} --password-file=${objdir}/foopassword \
|
|
-e ${aesenctype} -e ${aesenctype} \
|
|
foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "Getting x-realm tickets with capaths for $R -> $R2"
|
|
${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with capaths for $R -> $R3"
|
|
${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with capaths for $R -> $R4"
|
|
${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with capaths for $R -> $R5"
|
|
${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with capaths for $R -> $R6"
|
|
${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with capaths for $R -> $R7"
|
|
${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Should not get x-realm tickets with capaths for $R -> $R8"
|
|
${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Testing capaths logic (reverse order)"
|
|
${kinit} --password-file=${objdir}/foopassword \
|
|
-e ${aesenctype} -e ${aesenctype} \
|
|
foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "Getting x-realm tickets with capaths for $R -> $R4"
|
|
${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with capaths for $R -> $R3"
|
|
${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with capaths for $R -> $R2"
|
|
${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with capaths for $R -> $R7"
|
|
${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with capaths for $R -> $R6"
|
|
${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with capaths for $R -> $R5"
|
|
${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Testing HDB referral entry"
|
|
${kgetcred} --canonicalize ${server3}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Testing HDB namespace referral entry"
|
|
${kgetcred} --canonicalize ${server5}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${klist}
|
|
${kdestroy}
|
|
|
|
echo "Testing hierarchical referral logic"
|
|
${kinit} --password-file=${objdir}/foopassword \
|
|
-e ${aesenctype} -e ${aesenctype} \
|
|
foo@${H3} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "Getting x-realm tickets with HDB referral alias for $R1 -> $R3"
|
|
${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
|
|
${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
|
|
fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R"
|
|
${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
|
|
fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
|
|
${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
|
|
fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Testing multi-hop [capaths] referral logic"
|
|
${kinit} --password-file=${objdir}/foopassword \
|
|
-e ${aesenctype} -e ${aesenctype} \
|
|
foo@${H4} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "Getting x-realm tickets with [capaths] referrals for $H4 -> $H1"
|
|
${kgetcred} --hostbased --canonicalize foo/host.${h1}@${H4} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Testing forwardable/renewable flag copying in TGS-REQ"
|
|
${kinit} -f --renewable -r 5d --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${klist} -f | grep ${server} | grep FRA > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "Testing strip of forwardable when the server is disallowed in TGS-REQ"
|
|
${kgetcred} sensitive@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${klist} -f | grep sensitive | grep FRA > /dev/null && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "Specific enctype"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword \
|
|
-e ${aesenctype} -e ${aesenctype} \
|
|
foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
for a in $enctypes; do
|
|
echo "Getting client initial tickets ($a)"; > messages.log
|
|
${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting tickets"; > messages.log
|
|
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
done
|
|
|
|
|
|
echo "Getting client initial tickets"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
for a in $enctypes; do
|
|
echo "Getting tickets ($a)"; > messages.log
|
|
${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy} --credential=${server}@${R}
|
|
done
|
|
${kdestroy}
|
|
|
|
echo "Getting client initial tickets without PAC"; > messages.log
|
|
${kinit} --no-request-pac --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
for a in $enctypes; do
|
|
echo "Getting tickets ($a)"; > messages.log
|
|
${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${server}@${R} ${keytab} ${cache} && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy} --credential=${server}@${R}
|
|
done
|
|
${kdestroy}
|
|
|
|
echo "Getting client initial tickets with PAC"; > messages.log
|
|
${kinit} --request-pac --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
for a in $enctypes; do
|
|
echo "Getting tickets for PAC-less service principal ($a)"; > messages.log
|
|
${kgetcred} -e $a ${server4}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} --verify-pac ${server4}@${R2} ${keytab} ${cache} && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} --no-verify-pac ${server4}@${R2} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy} --credential=${server4}@${R2}
|
|
done
|
|
${kdestroy}
|
|
|
|
echo "Getting client authenticated anonymous initial tickets"; > messages.log
|
|
${kinit} -n --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
for a in $enctypes; do
|
|
echo "Getting tickets ($a)"; > messages.log
|
|
${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy} --credential=${server}@${R}
|
|
done
|
|
${kdestroy}
|
|
|
|
echo "Getting client anonymous service tickets"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
for a in $enctypes; do
|
|
echo "Getting tickets ($a)"; > messages.log
|
|
${kgetcred} -n -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy} --credential=${server}@${R}
|
|
done
|
|
${kdestroy}
|
|
|
|
echo "Getting client initial tickets for cross realm case"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
|
|
for a in $enctypes; do
|
|
echo "Getting cross realm tickets ($a)"; > messages.log
|
|
${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
echo " checking we we got back right ticket"
|
|
${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
|
echo " checking if ticket is useful"
|
|
${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy} --credential=${server2}@${R2}
|
|
done
|
|
${kdestroy}
|
|
|
|
echo "Trying x-realm TGT with kvno 0 case";
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R ||
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting cross realm tickets"; > messages.log
|
|
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting service ticket"; > messages.log
|
|
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Trying x-realm TGT with kvno 0 case with key rollover";
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R ||
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting cross realm tickets"; > messages.log
|
|
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Rolling over cross realm keys"; > messages.log
|
|
${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting service ticket"; > messages.log
|
|
echo "Start tracing kdc, then hit return"
|
|
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Trying x-realm TGT with no kvno case";
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R ||
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting cross realm tickets"; > messages.log
|
|
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting service ticket"; > messages.log
|
|
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Trying x-realm TGT with no kvno case with key rollover";
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R ||
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting cross realm tickets"; > messages.log
|
|
${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Rolling over cross realm keys"; > messages.log
|
|
${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting service ticket"; > messages.log
|
|
echo "Start tracing kdc, then hit return"
|
|
${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "try all permutations"; > messages.log
|
|
for a in $enctypes; do
|
|
echo "Getting client initial tickets ($a)"; > messages.log
|
|
${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
for b in $enctypes; do
|
|
echo "Getting tickets ($a -> $b)"; > messages.log
|
|
${kgetcred} -e $b ${server}@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy} --credential=${server}@${R}
|
|
done
|
|
${kdestroy}
|
|
done
|
|
|
|
echo "Getting client initial tickets ip based name"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting ip based name tickets"; > messages.log
|
|
${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
echo " checking we we got back right ticket"
|
|
${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
|
echo " checking if ticket is useful"
|
|
${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Getting client initial tickets ip based name (alias)"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
|
|
for a in ${serveripname} ${serveripname2} ; do
|
|
echo "Getting ip based name tickets (alias) $a"; > messages.log
|
|
${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
echo " checking we we got back right ticket"
|
|
${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
|
echo " checking if ticket is useful"
|
|
${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
done
|
|
${kdestroy}
|
|
|
|
echo "Getting server initial tickets"; > messages.log
|
|
${kinit} --keytab=${keytab} ${server}@$R && { ec=1 ; eval "${testfailed}"; }
|
|
${kadmin} modify --attributes=-disallow-client ${server} || exit 1
|
|
${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
|
|
echo "Listing tickets"; > messages.log
|
|
${klist} | grep "Principal: ${server}" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Getting key for key that are a subset in keytab compared to kdb"
|
|
${kinit} --keytab=${keytab} kt-des3@${R}
|
|
${klist} | grep "Principal: kt-des3" > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "initial tickets for deleted user test case"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword remove@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
echo "try getting ticket with deleted user"; > messages.log
|
|
${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "cross realm case (deleted user)"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kadmin} delete remove2@${R2} || exit 1
|
|
${kgetcred} ${server}@${R} 2> /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "rename user"; > messages.log
|
|
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
|
|
${kinit} --password-file=${objdir}/foopassword rename@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kadmin} rename rename@${R} rename2@${R} || exit 1
|
|
${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
${kadmin} delete rename2@${R} || exit 1
|
|
|
|
echo "rename user to another realm"; > messages.log
|
|
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
|
|
${kinit} --password-file=${objdir}/foopassword rename@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kadmin} rename rename@${R} rename@${R2} || exit 1
|
|
${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
${kadmin} delete rename@${R2} || exit 1
|
|
|
|
echo deleting all but aes enctypes on krbtgt
|
|
${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1
|
|
|
|
echo deleting all but des enctypes on server-des3
|
|
${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
|
|
${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1
|
|
|
|
echo "try all permutations (only aes)"; > messages.log
|
|
for a in $enctypes; do
|
|
echo "Getting client initial tickets ($a)"; > messages.log
|
|
${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
for b in $enctypes; do
|
|
echo "Getting tickets ($a -> $b)"; > messages.log
|
|
${kgetcred} -e $b ${server}@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log
|
|
${kgetcred} ${server}-des3@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
${kdestroy} --credential=${server}@${R}
|
|
${kdestroy} --credential=${server}-des3@${R}
|
|
done
|
|
${kdestroy}
|
|
done
|
|
|
|
echo deleting all enctypes on krbtgt
|
|
${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "try initial ticket w/o and keys on krbtgt"
|
|
${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "adding random aes key"
|
|
${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "try initial ticket with random aes key on krbtgt"
|
|
${kinit} --password-file=${objdir}/foopassword foo@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
rsa=yes
|
|
ecdsa=yes
|
|
pkinit=no
|
|
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
|
|
rsa=no
|
|
fi
|
|
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
|
|
rsa=no
|
|
fi
|
|
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
|
|
pkinit=yes
|
|
fi
|
|
|
|
if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
|
|
ecdsa=no
|
|
fi
|
|
|
|
|
|
# If we support pkinit and have RSA, lets try that
|
|
if test "$pkinit" = yes -a "$rsa" = yes ; then
|
|
|
|
echo "try anonymous pkinit"; > messages.log
|
|
${kinit} --renewable -n @${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kinit} --renew || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
for type in "" "--pk-use-enckey"; do
|
|
echo "Trying pk-init (principal in certificate) $type"; > messages.log
|
|
${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
|
|
${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Trying pk-init (password protected key) $type"; > messages.log
|
|
${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${server}@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "Trying pk-init (proxy cert) $type"; > messages.log
|
|
${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
done
|
|
|
|
if test "$ecdsa" = yes > /dev/null ; then
|
|
echo "Trying pk-init (ec certificate)"
|
|
> messages.log
|
|
${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
grep 'PKINIT using ecdh' messages.log > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
fi
|
|
|
|
else
|
|
echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
|
|
fi
|
|
|
|
echo "test impersonate using rc4 based tgt"; > messages.log
|
|
${kinit} -e arcfour-hmac-md5 --forwardable --password-file=${objdir}/foopassword ${ps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${ps} ${keytab} ${ocache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "tickets for impersonate test case"; > messages.log
|
|
${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${ps} ${keytab} ${ocache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo " negative check"
|
|
${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test impersonate unknown client"; > messages.log
|
|
${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test impersonate account-expired client"; > messages.log
|
|
${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test impersonate pw-expired client"; > messages.log
|
|
${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test delegate sensitive client"; > messages.log
|
|
${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} \
|
|
--out-cache=${o2cache} \
|
|
--delegation-credential-cache=${ocache} \
|
|
${server}@${R} && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test constrained delegation (evidence from impersonation)"; > messages.log
|
|
${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} \
|
|
--out-cache=${o2cache} \
|
|
--delegation-credential-cache=${ocache} \
|
|
${server}@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo " try using the credential"
|
|
${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo " negative check"
|
|
${kgetcred} \
|
|
--out-cache=${o2cache} \
|
|
--delegation-credential-cache=${ocache} \
|
|
bar@${R} 2>/dev/null && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test constrained delegation evidence (evidence from TGS)"; > messages.log
|
|
echo bar > ${objdir}/barpassword
|
|
${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
# Bug #816 have a regular ticket in ${cache} for ${server} see that it isn't used
|
|
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} \
|
|
--out-cache=${o2cache} \
|
|
--delegation-credential-cache=${ocache} \
|
|
${server}@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${klist2} | grep "Principal: bar@${R}" || { ec=1 ; eval "${testfailed}"; }
|
|
echo " try using the credential"
|
|
${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo " negative check"
|
|
${kgetcred} \
|
|
--out-cache=${o2cache} \
|
|
--delegation-credential-cache=${ocache} \
|
|
bar@${R} 2>/dev/null && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test constrained delegation with foreign client (evidence from TGS)"; > messages.log
|
|
# We can't test foreign client with evidence from S4U2Self, since Heimdal doesn't support it yet
|
|
rm -f ocache.krb5
|
|
${kinit} --cache=${icache} --forwardable --password-file=${objdir}/foopassword foo@${R2} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} \
|
|
--out-cache=${o2cache} \
|
|
--delegation-credential-cache=${ocache} \
|
|
${server}@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${klist2} | grep "Principal: foo@${R2}" || { ec=1 ; eval "${testfailed}"; }
|
|
echo " try using the credential"
|
|
${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test constrained delegation impersonation (non forward)"; > messages.log
|
|
rm -f ocache.krb5
|
|
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test constrained delegation evidence (evidence from AS)"; > messages.log
|
|
# This fails because we don't add PAC ticket-signature in AS-REP (as Windows).
|
|
${kinit} --cache=${ocache} --password-file=${objdir}/barpassword \
|
|
--forwardable --server=${ps} bar@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} --delegation-credential-cache=${ocache} ${server}@${R} && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test constrained delegation impersonation (missing PAC)"; > messages.log
|
|
rm -f ocache.krb5
|
|
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
${kdestroy}
|
|
|
|
echo "test constrained delegation NOT trusted-for-delegation (evidence from TGS)"; > messages.log
|
|
|
|
${kinit} --forwardable --password-file=${objdir}/foopassword ${rps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} --cache=${icache} --out-cache=${ocache} ${rps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} \
|
|
--out-cache=${o2cache} \
|
|
--delegation-credential-cache=${ocache} \
|
|
${server}@${R} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${klist2} | grep "Principal: bar@${R}" || { ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test constrained delegation NOT trusted-for-delegation (evidence from impersonate, negative)"; > messages.log
|
|
rm -f ocache.krb5
|
|
${kgetcred_imp} --impersonate=bar@${R} ${rps} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${test_ap_req} ${rps} ${keytab} ${ocache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} \
|
|
--out-cache=${o2cache} \
|
|
--delegation-credential-cache=${ocache} \
|
|
${server}@${R} && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "test constrained delegation bronze-bit attack, aka CVE-2020-17049"; > messages.log
|
|
|
|
KRB5CCNAME=${ocache} KRB5_KTNAME=${keytab} ${test_mkforwardable} ${rps} ${icache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
${kgetcred} \
|
|
--out-cache=${o2cache} \
|
|
--delegation-credential-cache=${icache} \
|
|
${server}@${R} && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "check renewing" > messages.log
|
|
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "kinit -R"
|
|
${kinit} -R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "check renewing MIT interface" > messages.log
|
|
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "test_renew"
|
|
env KRB5CCNAME=${cache} ${test_renew} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "checking server aliases"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword foo@$R || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo "Getting tickets"; > messages.log
|
|
${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|
echo " verify entry in keytab"
|
|
${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo " verify entry in keytab with any"
|
|
${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo " verify failure with alias entry"
|
|
${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo " verify alias entry in keytab with any"
|
|
${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
${kdestroy}
|
|
|
|
echo "testing removal of keytab"
|
|
${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
|
|
test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }
|
|
|
|
echo "Checking client pw expire"; > messages.log
|
|
${kinit} --password-file=${objdir}/foopassword \
|
|
pw-expire@${R} 2>kinit-log.tmp|| \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
grep 'Your password will expire' kinit-log.tmp > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo " kinit passes"
|
|
${test_gic} --client=pw-expire@${R} --password=foo > kinit-log.tmp 2>/dev/null
|
|
${EGREP} "^e type: 6" kinit-log.tmp > /dev/null || \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
echo " test_gic passes"
|
|
${kdestroy}
|
|
|
|
echo "Checking password expiration" ; > messages.log
|
|
|
|
kinitpty=${objdir}/foopassword.rkpty
|
|
cat > ${kinitpty} <<EOF
|
|
expect Password
|
|
password foo\n
|
|
expect Password has expired
|
|
expect New password
|
|
password Foobar11\n
|
|
expect password
|
|
password Foobar11\n
|
|
expect Success: Password changed
|
|
EOF
|
|
|
|
echo "Checking client pw expire"; > messages.log
|
|
${rkpty} ${kinitpty} ${kinit} pw-expired@${R}|| \
|
|
{ ec=1 ; eval "${testfailed}"; }
|
|
|
|
${kdestroy}
|
|
|
|
|
|
echo "killing kdc (${kdcpid}) kpasswdd (${kpasswddpid})"
|
|
sh ${leaks_kill} kdc $kdcpid || exit 1
|
|
sh ${leaks_kill} kpasswdd $kpasswddpid || exit 1
|
|
|
|
trap "" EXIT
|
|
|
|
exit $ec
|