from k5test import *
realm = K5Realm(create_user=False, create_host=False)


def _expect_getprinc(text):
    """Run getprinc on 'user', passing text as the expected message."""
    realm.run([kadminl, 'getprinc', 'user'], expected_msg=text)


# Start from a principal created with -nokey; it should report no keys.
realm.run([kadminl, 'addprinc', '-nokey', 'user'])
_expect_getprinc('Number of keys: 0')

# Set a password on the keyless principal and check the resulting kvno.
realm.run([kadminl, 'cpw', '-pw', 'password', 'user'])
_expect_getprinc('vno 1')

# Purge every key; the principal should report no keys again.
realm.run([kadminl, 'purgekeys', '-all', 'user'])
_expect_getprinc('Number of keys: 0')

# Randomize the keys after the full purge and check the resulting kvno.
realm.run([kadminl, 'cpw', '-randkey', 'user'])
_expect_getprinc('vno 1')
# Return true if patype appears to have been received in a hint list
# from a KDC error message, based on the trace output in trace.
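def preauth_type_received(trace, patype):
    """Report whether patype was listed in a KDC preauth hint list.

    Scans the trace text for lines containing
    'Processing preauth types:' and compares patype against each
    comma-separated entry that follows the marker.

    Args:
        trace: Trace output as one string, one message per line.
        patype: Preauth type number to look for (for example 2).

    Returns:
        True if any matching trace line lists patype, otherwise False.
    """
    marker = 'Processing preauth types:'
    wanted = str(patype)
    for line in trace.splitlines():
        _, hit, listed = line.partition(marker)
        if not hit:
            continue
        # Strip every entry before comparing.  The text after the colon
        # starts with a space, so an unstripped first entry never
        # matched and an offered mechanism in that position would have
        # let the "must not be offered" checks pass silently.
        if wanted in (entry.strip() for entry in listed.split(',')):
            return True
    return False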
# The KDC should not advertise encrypted timestamp (padata type 2) for
# a principal that has no keys, even when preauth is required.
realm.run([kadminl, 'purgekeys', '-all', 'user'])
realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
plain_kinit = [kinit, 'user']
_out, trace = realm.run(plain_kinit, expected_code=1, return_trace=True)
if preauth_type_received(trace, 2):
    fail('encrypted timestamp')

# Repeat with the armor principal's ccache passed via kinit -T, and
# confirm encrypted challenge (padata type 138) is not offered either.
realm.run([kadminl, 'addprinc', '-pw', 'fast', 'armor'])
realm.kinit('armor', 'fast')
armored_kinit = [kinit, '-T', realm.ccache, 'user']
_out, trace = realm.run(armored_kinit, expected_code=1, return_trace=True)
if preauth_type_received(trace, 138):
    fail('encrypted challenge')

success('Key data tests')