Blame src/tests/t_rdreq.py

from k5test import *
# Limit the test realm to two AES enctypes.  The 'missing enctype' and
# 'wrong key' checks further down expect tickets encrypted with aes256-cts,
# so the order and content of this list matter to the expected messages.
conf = {
    'realms': {
        '$realm': {'supported_enctypes': 'aes256-cts aes128-cts'},
    },
}
# NOTE(review): create_host=False presumably skips the default host
# principal and keytab, which the 'no keytab' checks depend on -- confirm
# against k5test.
realm = K5Realm(kdc_conf=conf, create_host=False)

# Server principal names used as ticket servers and acceptor names.
princ1 = 'host/1@%s' % realm.realm
princ2 = 'host/2@%s' % realm.realm
princ3 = 'HTTP/3@%s' % realm.realm
princ4 = 'HTTP/4@%s' % realm.realm
# Acceptor names with an empty hostname and realm.  The section comments
# below call these "matching" principals; presumably they are compared
# against keytab entries by first component only -- confirm.
matchprinc = 'host/@'
nomatchprinc = 'x/@'
# princ4 is deliberately not created here: it only comes into existence
# when princ1 is renamed in the 'aliases' section.
for new_princ in (princ1, princ2, princ3):
    realm.addprinc(new_princ)
def test(tserver, server, expected):
    """Run ./rdreq and require that its stripped output equals *expected*.

    tserver is always passed to rdreq; server is appended only when it is
    not None.  Judging by the section comments in this file, tserver is the
    principal the ticket is issued for and server is the acceptor name
    given to krb5_rd_req (confirm against rdreq.c).  Any mismatch, including
    a change of the leading error number, fails the whole script.
    """
    cmd = ['./rdreq', tserver]
    if server is not None:
        cmd.append(server)
    output = realm.run(cmd)
    if output.strip() == expected:
        return
    fail('unexpected rdreq output')
# No keytab present.  The same "file not found" error is expected whether
# the acceptor name is omitted, explicit, or a matching principal, so a
# missing keytab is never mistaken for a missing key.
mark('no keytab')
nokeytab_err = "45 Key table file '%s' not found" % realm.keytab
for acceptor in (None, princ1, matchprinc):
    test(princ1, acceptor, nokeytab_err)
# Keytab present, successful decryption.  Once princ1's key is in the
# keytab, all three acceptor-name forms must accept a ticket for princ1.
mark('success')
realm.extract_keytab(princ1, realm.keytab)
for acceptor in (None, princ1, matchprinc):
    test(princ1, acceptor, '0 success')
# Explicit server principal not found in keytab.  At this point the keytab
# holds only princ1, so asking for princ2 by name must report a missing
# key table entry (code 45).
mark('explicit server not found')
host2_nokey_err = '45 No key table entry found for host/2@KRBTEST.COM'
test(princ2, princ2, host2_nokey_err)

# Matching server principal does not match any entries in keytab (with
# and without ticket server present in keytab).  The error names the
# acceptor pattern rather than the ticket server in both cases.
mark('matching server')
nomatch_err = '45 Server principal x/@ does not match any keys in keytab'
for ticket_server in (princ1, princ2):
    test(ticket_server, nomatchprinc, nomatch_err)
# Ticket server does not match explicit server principal (with and
# without ticket server present in keytab).  When the named acceptor has
# no keytab entry the lookup fails first (45); when it does have one, the
# mismatch shows up as a failure to decrypt a ticket meant for another
# principal (35; KRB_AP_ERR_NOT_US in RFC 4120 numbering, assuming rdreq
# prints the protocol error code first -- confirm against rdreq.c).
mark('ticket server mismatch')
acceptor_nokey_err = '45 No key table entry found for host/2@KRBTEST.COM'
test(princ1, princ2, acceptor_nokey_err)
not_us_err = (
    '35 Cannot decrypt ticket for host/2@KRBTEST.COM using keytab key for '
    'host/1@KRBTEST.COM'
)
test(princ2, princ1, not_us_err)

# Ticket server not found in keytab during iteration.  With no acceptor
# name given, the message identifies the ticket's server and kvno so the
# operator can see which key the keytab is missing.
mark('ticket server not found')
iter_notfound_err = (
    '35 Request ticket server host/2@KRBTEST.COM not found in keytab '
    '(ticket kvno 1)'
)
test(princ2, None, iter_notfound_err)
# Ticket server found in keytab but is not matched by server principal
# (but other principals in keytab do match).  Adding princ3 (HTTP/3) to
# the keytab must not let a host/@ acceptor accept an HTTP/3 ticket: the
# key is available, yet the request is rejected as not addressed to this
# acceptor (35).
mark('ticket server mismatch (matching)')
realm.extract_keytab(princ3, realm.keytab)
pattern_mismatch_err = (
    '35 Request ticket server HTTP/3@KRBTEST.COM found in keytab but does '
    'not match server principal host/@'
)
test(princ3, matchprinc, pattern_mismatch_err)
# Service ticket is out of date.  The keytab is rebuilt with ktadd; the
# expected messages show the ticket still at kvno 1 while the keytab no
# longer holds kvno 1 (presumably ktadd re-keys princ1 to a higher kvno --
# confirm).  Code 44 is KRB_AP_ERR_BADKEYVER in RFC 4120 numbering.
mark('outdated service ticket')
os.remove(realm.keytab)
realm.run([kadminl, 'ktadd', princ1])
stale_ticket_err = (
    '44 Request ticket server host/1@KRBTEST.COM kvno 1 not found in keytab; '
    'ticket is likely out of date'
)
test(princ1, None, stale_ticket_err)
# With an explicit acceptor name the message is less specific: it reports
# the missing kvno without guessing which side is stale.
stale_ticket_explicit_err = (
    '44 Cannot find key for host/1@KRBTEST.COM kvno 1 in keytab'
)
test(princ1, princ1, stale_ticket_explicit_err)

# kvno mismatch due to ticket principal mismatch with explicit server.
# The failing kvno lookup is for the acceptor (host/1), but the ticket was
# issued for host/2, so the result is reported as 35 rather than 44.
mark('ticket server mismatch (kvno)')
kvno_not_us_err = (
    '35 Cannot find key for host/1@KRBTEST.COM kvno 1 in keytab (request '
    'ticket server host/2@KRBTEST.COM)'
)
test(princ2, princ1, kvno_not_us_err)
# Keytab is out of date.  The principal's key is changed on the KDC
# without updating the keytab, and kinit is run again (presumably so a
# fresh service ticket is fetched instead of the cached one -- confirm).
# The ticket then carries kvno 3, which the keytab does not have, and the
# message points at the keytab rather than the ticket.
mark('outdated keytab')
realm.run([kadminl, 'cpw', '-randkey', princ1])
realm.kinit(realm.user_princ, password('user'))
stale_keytab_err = (
    '44 Request ticket server host/1@KRBTEST.COM kvno 3 not found in keytab; '
    'keytab is likely out of date'
)
test(princ1, None, stale_keytab_err)
stale_keytab_explicit_err = (
    '44 Cannot find key for host/1@KRBTEST.COM kvno 3 in keytab'
)
test(princ1, princ1, stale_keytab_explicit_err)
# Ticket server and kvno found but not with ticket enctype.  A fresh
# keytab is extracted, then ktutil reads it, deletes entry 1 and writes
# the remainder to a side file that replaces the original.  Given the
# expected message, entry 1 is presumably the aes256-cts key -- confirm.
mark('missing enctype')
os.remove(realm.keytab)
realm.extract_keytab(princ1, realm.keytab)
pkeytab = realm.keytab + '.partial'
ktutil_script = 'rkt %s\ndelent 1\nwkt %s\n' % (realm.keytab, pkeytab)
realm.run([ktutil], input=ktutil_script)
os.rename(pkeytab, realm.keytab)
# List the resulting keytab entries and enctypes; the output is not
# checked here.
realm.run([klist, '-ke'])
missing_enctype_err = (
    '44 Request ticket server host/1@KRBTEST.COM kvno 3 found in keytab but '
    'not with enctype aes256-cts'
)
test(princ1, None, missing_enctype_err)
# This is a bad code (KRB_AP_ERR_NOKEY) and message, because
# krb5_kt_get_entry returns the same result for this and not finding
# the principal at all.  But it's an uncommon case; GSSAPI apps
# usually use a matching principal and missing key enctypes are rare.
# Operators who see this message for a principal that is in the keytab
# should therefore also check the enctypes of its entries.
explicit_missing_enctype_err = (
    '45 No key table entry found for host/1@KRBTEST.COM'
)
test(princ1, princ1, explicit_missing_enctype_err)
# Ticket server, kvno, and enctype matched, but key does not work.  The
# key is changed and the KDC's kvno is then set back to 3, so the keytab
# extracted afterwards presumably holds a different key under the same
# kvno as the cached ticket -- confirm.  The decryption failure is
# reported as 31 (KRB_AP_ERR_BAD_INTEGRITY in RFC 4120 numbering).
mark('wrong key')
realm.run([kadminl, 'cpw', '-randkey', princ1])
realm.run([kadminl, 'modprinc', '-kvno', '3', princ1])
os.remove(realm.keytab)
realm.extract_keytab(princ1, realm.keytab)
wrong_key_err = (
    '31 Request ticket server host/1@KRBTEST.COM kvno 3 enctype aes256-cts '
    'found in keytab but cannot decrypt ticket'
)
test(princ1, None, wrong_key_err)
wrong_key_explicit_err = (
    '31 Cannot decrypt ticket for host/1@KRBTEST.COM using keytab key for '
    'host/1@KRBTEST.COM'
)
test(princ1, princ1, wrong_key_explicit_err)
# Test that aliases work.  The ticket server (princ4) isn't present in
# keytab, but there is a usable princ1 entry with the same key.  Renaming
# princ1 to princ4 on the KDC leaves the keytab untouched, and all three
# acceptor-name forms are expected to accept the princ4 ticket.
mark('aliases')
realm.run([kadminl, 'renprinc', princ1, princ4])
for acceptor in (None, princ1, matchprinc):
    test(princ4, acceptor, '0 success')

success('krb5_rd_req tests')