from k5test import *
# Basic keytab kinit, repeated once per multipass_realms() configuration.
# create_user=False: only the host principal's keytab entry is used here.
for realm in multipass_realms(create_user=False):
    # Test kinit with a keytab.
    host_kinit_flags = ['-k']
    realm.kinit(realm.host_princ, flags=host_kinit_flags)

# The remaining cases share one realm; kadmind is started because later
# sections drive ktadd/getprinc over the network.
realm = K5Realm(get_creds=False, start_kadmind=True)

# Test kinit with a partial keytab.
mark('partial keytab')
pkeytab = realm.keytab + '.partial'
# Copy the realm keytab via ktutil, dropping its first entry, so the
# partial keytab is missing one key.
ktutil_script = '\n'.join(['rkt ' + realm.keytab,
                           'delent 1',
                           'wkt ' + pkeytab]) + '\n'
realm.run([ktutil], input=ktutil_script)
realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab])

# Test kinit with no keys for client in keytab.
mark('no keys for client')
# The realm keytab holds only host keys; kinit -k for the user must fail
# with a clear diagnostic rather than a generic error.
realm.kinit(realm.user_princ, flags=['-k'], expected_code=1,
            expected_msg='no suitable keys')

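# Test kinit and klist with client keytab defaults.
mark('client keytab')
# Populate the client keytab with the user's key (stray ';' removed).
realm.extract_keytab(realm.user_princ, realm.client_keytab)
# -i selects the client keytab; with no principal given, kinit must pick
# the user principal from it.
realm.run([kinit, '-k', '-i'])
realm.klist(realm.user_princ)
realm.run([kdestroy])
realm.kinit(realm.user_princ, flags=['-k', '-i'])
realm.klist(realm.user_princ)
# klist -k -i must name both the client keytab and the principal in it.
out = realm.run([klist, '-k', '-i'])
if realm.client_keytab not in out or realm.user_princ not in out:
    fail('Expected output not seen from klist -k -i')
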
# Test implicit request for keytab (-i or -t without -k)
mark('implicit -k')
forced_msg = 'keytab specified, forcing -k'

# -t names a keytab explicitly, so kinit must switch to keytab mode itself.
realm.run([kdestroy])
realm.kinit(realm.host_princ, flags=['-t', realm.keytab],
            expected_msg=forced_msg)
realm.klist(realm.host_princ)

# Likewise for -i (client keytab) given without -k.
realm.run([kdestroy])
realm.kinit(realm.user_princ, flags=['-i'], expected_msg=forced_msg)
realm.klist(realm.user_princ)

# Test extracting keys with multiple key versions present.
mark('multi-kvno extract')
os.remove(realm.keytab)
# cpw -keepold retains the previous key, so the host principal now has
# both kvno 1 and kvno 2.
realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.host_princ])
# ktadd -norandkey must write every existing key version to the keytab.
out = realm.run([kadminl, 'ktadd', '-norandkey', realm.host_princ])
if not all(s in out for s in ('with kvno 1,', 'with kvno 2,')):
    fail('Expected output not seen from kadmin.local ktadd -norandkey')
# Both versions must then be visible in the keytab listing.
out = realm.run([klist, '-k', '-e'])
if not all(s in out for s in (' 1 host/', ' 2 host/')):
    fail('Expected output not seen from klist -k -e')

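# Test again using kadmin over the network.
mark('multi-kvno extract (via kadmin)')
realm.prep_kadmin()
os.remove(realm.keytab)
out = realm.run_kadmin(['ktadd', '-norandkey', realm.host_princ])
if 'with kvno 1,' not in out or 'with kvno 2,' not in out:
    # This path goes through kadmin (run_kadmin), not kadmin.local; the
    # failure message names the tool actually exercised.
    fail('Expected output not seen from kadmin ktadd -norandkey')
out = realm.run([klist, '-k', '-e'])
if ' 1 host/' not in out or ' 2 host/' not in out:
    fail('Expected output not seen from klist -k -e')
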
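# Test handling of kvno values beyond 255. Use kadmin over the
# network since we used to have an 8-bit limit on kvno marshalling.

# Test one key rotation, verifying that the expected new kvno appears
# in the keytab and in the principal entry.
def test_key_rotate(realm, princ, expected_kvno):
    """Rotate princ's key once and check that expected_kvno is reported.

    Args:
        realm: the K5Realm under test; ktadd and getprinc are issued
            through run_kadmin, i.e. over the network to kadmind.
        princ: name of the principal whose key is rotated.
        expected_kvno: key version number expected after the rotation.

    The check is done by k5test's expected_msg matching on both the
    keytab listing and the principal entry; a mismatch fails the test.
    """
    # ktadd (without -norandkey) generates a new key version and appends
    # it to the keytab.
    realm.run_kadmin(['ktadd', '-k', realm.keytab, princ])
    # Drop superseded entries so only the new kvno can be used for kinit.
    realm.run([kadminl, 'ktrem', princ, 'old'])
    realm.kinit(princ, flags=['-k'])
    # klist -k prints "<kvno> <principal>"; getprinc prints "Key: vno N,".
    realm.run([klist, '-k'], expected_msg='%d %s' % (expected_kvno, princ))
    realm.run_kadmin(['getprinc', princ],
                     expected_msg='Key: vno %d,' % expected_kvno)
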
mark('key rotation across boundaries')
princ = 'foo/bar@%s' % realm.realm
realm.addprinc(princ)
os.remove(realm.keytab)

# Each run sets the principal's kvno with modprinc and then rotates the
# key once per expected value.  The runs cover the 8-bit boundary
# (255 -> 256), the signed 16-bit boundary (32767 -> 32768) and the
# unsigned 16-bit limit, after which the kvno wraps to 1, not 0.
rotation_runs = [
    ('253', (254, 255, 256, 257)),
    ('32766', (32767, 32768, 32769)),
    ('65534', (65535, 1, 2)),
]
for start_kvno, expected_kvnos in rotation_runs:
    realm.run([kadminl, 'modprinc', '-kvno', start_kvno, princ])
    for kvno in expected_kvnos:
        test_key_rotate(realm, princ, kvno)

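mark('32-bit kvno')

# Test that klist -k can read a keytab entry without a 32-bit kvno and
# reports the 8-bit key version.
#
# Hand-built entry in the version-2 (0x0502) keytab format; all integers
# are big-endian.  The key bytes are zeros because only kvno parsing is
# under test.
record = b''.join([
    b'\x00\x01',                # principal component count
    b'\x00\x0bKRBTEST.COM',     # realm
    b'\x00\x04user',            # principal component
    b'\x00\x00\x00\x01',        # name type (NT-PRINCIPAL)
    b'\x54\xf7\x4d\x35',        # timestamp
    b'\x02',                    # key version (8-bit field)
    b'\x00\x12',                # enctype 18 (aes256-cts-hmac-sha1-96)
    b'\x00\x20',                # key length (32)
    b'\x00' * 32,               # key bytes
])


def write_test_keytab(path, entry, trailer=b''):
    """Write a single-entry v2 keytab file to path.

    Args:
        path: file to (over)write.
        entry: serialized keytab entry.
        trailer: bytes appended to the entry and counted in its length;
            used here to add an optional 32-bit kvno field.
    """
    body = entry + trailer
    with open(path, 'wb') as f:
        # 2-byte format version, then the 4-byte entry length.  Encoding
        # the length with to_bytes keeps this correct for entries longer
        # than 255 bytes, which a single-byte length would silently break.
        f.write(b'\x05\x02' + len(body).to_bytes(4, 'big'))
        f.write(body)


write_test_keytab(realm.keytab, record)
realm.run([klist, '-k'], expected_msg=' 2 %s' % realm.user_princ)

# Make sure zero-fill isn't treated as a 32-bit kvno.
write_test_keytab(realm.keytab, record, b'\x00\x00\x00\x00')
realm.run([klist, '-k'], expected_msg=' 2 %s' % realm.user_princ)

# Make sure a hand-crafted 32-bit kvno is recognized.
write_test_keytab(realm.keytab, record, b'\x00\x00\x00\x03')
realm.run([klist, '-k'], expected_msg=' 3 %s' % realm.user_princ)
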
# Test parameter expansion in profile variables
mark('parameter expansion')
realm.stop()
# %{null} expands to nothing and %{uid} to the numeric uid.
conf = {'libdefaults': {
    'default_keytab_name': 'testdir/%{null}abc%{uid}',
    'default_client_keytab_name': 'testdir/%{null}xyz%{uid}'}}
realm = K5Realm(krb5_conf=conf, create_kdb=False)
# Drop the environment overrides so the profile values select the keytabs.
del realm.env['KRB5_KTNAME']
del realm.env['KRB5_CLIENT_KTNAME']

uid = os.getuid()
# klist is expected to fail (presumably the expanded keytab does not
# exist); the check is that its diagnostic names the expanded path.
for klist_args, expanded_prefix in ((['-k'], 'abc'), (['-ki'], 'xyz')):
    realm.run([klist] + klist_args, expected_code=1,
              expected_msg='FILE:testdir/%s%d' % (expanded_prefix, uid))

# NOTE(review): none of the addent cases below use a weak enctype, so
# allow_weak_crypto may be a leftover from earlier versions of this test;
# confirm before relying on it, since it is a permissive setting.
conf = {'libdefaults': {'allow_weak_crypto': 'true'}}
realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf)

# Three principals with password "pw": default salt, a special
# (explicit) salt, and the same plus +preauth.
realm.run([kadminl, 'ank', '-pw', 'pw', 'default'])
realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp'])
realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth',
           'pexp'])

# Extract one of the explicit salt values from the database.
out = realm.run([kdb5_util, 'tabdump', 'keyinfo'])
# Map principal name (first tab-separated field) to the sixth field,
# which holds the hex-encoded salt.
salt_dict = {}
for line in out.splitlines():
    fields = line.split('\t')
    salt_dict[fields[0]] = fields[5]
exp_salt = bytes.fromhex(salt_dict['exp@KRBTEST.COM']).decode('ascii')

# Create a keytab using ktutil addent with the specified options and
# password "pw". Test that we can use it to get initial tickets.
# Remove the keytab afterwards.
def test_addent(realm, princ, opts):
    """Build a keytab for princ with ktutil addent and kinit with it.

    Args:
        realm: the K5Realm under test.
        princ: principal to add; its password is "pw".
        opts: extra ktutil addent options (e.g. enctype or salt), as one
            space-separated string spliced into the command line.

    The keytab is written to realm.keytab and deleted after the kinit.
    """
    commands = ['addent -password -p %s -k 1 %s' % (princ, opts),
                'pw',
                'wkt %s' % realm.keytab]
    realm.run([ktutil], input='\n'.join(commands) + '\n')
    realm.kinit(princ, flags=['-k'])
    os.remove(realm.keytab)

mark('ktutil addent')

# (principal, ktutil addent options), run in order.
addent_cases = [
    # Test with default salt.
    ('default', '-e aes128-cts'),
    ('default', '-e aes256-cts'),
    # Test with a salt specified to ktutil addent.
    ('exp', '-e aes256-cts -s %s' % exp_salt),
    # Test etype-info fetching.
    ('default', '-f'),
    ('default', '-f -e aes128-cts'),
    ('exp', '-f'),
    ('pexp', '-f'),
]
for addent_princ, addent_opts in addent_cases:
    test_addent(realm, addent_princ, addent_opts)

success('Keytab-related tests')