from k5test import *
# Key-rollover test for the krbtgt principal.  Three scenarios are driven
# in sequence against freshly created test realms:
#   1. the local TGS key is changed with -keepold and later purged, and a
#      TGT issued under the old key must keep working only until the purge;
#   2. the krbtgt entry is given two enctypes at the same kvno, and the KDC
#      must reject a ticket encrypted in the enctype that is not listed first;
#   3. a cross-realm TGT is issued with kvno 0 (mimicking Active Directory),
#      so the receiving KDC has to locate the right key without a kvno hint.

# NOTE(review): allow_weak_crypto is switched on for the test realm, yet every
# enctype selected below is an AES variant; the reason for the setting is not
# stated here -- confirm it is still required before keeping it.
rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}}

# The realm starts with an aes128-sha2 krbtgt key; the rollovers below move
# it to aes256-cts and back.
realm = K5Realm(krbtgt_keysalt='aes128-cts-hmac-sha256-128:normal',
                krb5_conf=rollover_krb5_conf)


def klist_tgt_etypes(test_realm, skey_etype, tkt_etype):
    """Return the 'klist -e' fragment describing the cached local krbtgt.

    The fragment names the realm's own krbtgt principal and then the session
    key and ticket enctypes, in the layout klist -e prints them, so it can be
    matched with expected_msg.
    """
    return 'krbtgt/{0}@{0}\n\tEtype (skey, tkt): {1}, {2}'.format(
        test_realm.realm, skey_etype, tkt_etype)


# Two service principals: one is requested while the old TGS key is still
# retained, the other after it has been purged.
svc_before_purge, svc_after_purge = [
    'host/{}@{}'.format(name, realm.realm) for name in ('test1', 'test2')]
for service in (svc_before_purge, svc_after_purge):
    realm.addprinc(service)

tgt = realm.krbtgt_princ

# Obtain a service ticket so a TGT encrypted in the original key is cached.
realm.run([kvno, realm.host_princ])

# Roll the TGS key to aes256-cts while keeping the old key on the entry.
realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', '-keepold', tgt])

# With the old key retained, the cached (old-key) TGT must still be usable.
realm.run([kvno, svc_before_purge])

# Drop the old TGS key; the cached TGT can now no longer be decrypted by the
# KDC, so the request must fail.
realm.run([kadminl, 'purgekeys', tgt])
realm.run([kvno, svc_after_purge], expected_code=1)

# The cache still holds the TGT issued under the original aes128-sha2 key.
sha2_etype = "aes128-cts-hmac-sha256-128"
expected = klist_tgt_etypes(realm, sha2_etype, sha2_etype)
realm.run([klist, '-e'], expected_msg=expected)

# A fresh kinit must pick up the new key: the TGT is now aes256 on both the
# session key and the ticket.
realm.kinit(realm.user_princ, password('user'))
realm.run([kvno, realm.host_princ])
sha1_etype = 'aes256-cts-hmac-sha1-96'
expected = klist_tgt_etypes(realm, sha1_etype, sha1_etype)
realm.run([klist, '-e'], expected_msg=expected)

# Verify that, for a local-realm TGS request, the KDC accepts only the first
# enctype listed for a given kvno.  The setup abuses an edge-case behaviour
# of modprinc -kvno: it rewrites the kvno on every key entry without deleting
# any of them.
#
# Step one: an aes128-sha2 krbtgt entry at kvno 1, and a cached TGT
# encrypted in it.
realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes128-cts-hmac-sha256-128',
           tgt])
realm.run([kadminl, 'modprinc', '-kvno', '1', tgt])
realm.kinit(realm.user_princ, password('user'))

# Step two: add an aes256-cts entry (landing at kvno 2, old entry kept), then
# reset everything to kvno 1 so both enctypes share the same kvno.
realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-cts', tgt])
realm.run([kadminl, 'modprinc', '-kvno', '1', tgt])

# Confirm the database really shows both enctypes at kvno 1 before relying on
# that state; otherwise the rejection below would prove nothing.
entry = realm.run([kadminl, 'getprinc', tgt])
required_keys = ('vno 1, aes256-cts', 'vno 1, aes128-cts-hmac-sha256-128')
if not all(needle in entry for needle in required_keys):
    fail('keyrollover: setup for TGS enctype test failed')

# Presenting the cached aes128-sha2 ticket must now be rejected, since the
# aes256-cts entry comes first at that kvno.
realm.run([kvno, realm.host_princ], expected_code=1)

realm.stop()

# Cross-realm rollover.  realm1 mimics the Active Directory behaviour of
# always issuing cross-realm TGTs with kvno 0.  The first kvno call caches a
# cross-realm TGT under the old key; after the shared key is changed on both
# sides (kept old on realm2), the second kvno call hands that TGT to realm2's
# KDC with no usable kvno, forcing the KDC to try more than one key.
realm1, realm2 = cross_realms(2)
crosstgt_princ = 'krbtgt/{}@{}'.format(realm2.realm, realm1.realm)

realm1.run([kadminl, 'modprinc', '-kvno', '0', crosstgt_princ])
realm1.run([kvno, realm2.host_princ])

realm2.run([kadminl, 'cpw', '-pw', 'newcross', '-keepold', crosstgt_princ])
realm1.run([kadminl, 'cpw', '-pw', 'newcross', crosstgt_princ])
realm1.run([kadminl, 'modprinc', '-kvno', '0', crosstgt_princ])
realm1.run([kvno, realm2.user_princ])

success('keyrollover')