from k5test import *
realm = K5Realm(create_user=False, create_host=False)
# Create a principal with no keys.
realm.run([kadminl, 'addprinc', '-nokey', 'user'])
realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')
# Change its password and check the resulting kvno.
realm.run([kadminl, 'cpw', '-pw', 'password', 'user'])
realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')
# Delete all of its keys.
realm.run([kadminl, 'purgekeys', '-all', 'user'])
realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0')
# Randomize its keys and check the resulting kvno.
realm.run([kadminl, 'cpw', '-randkey', 'user'])
realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1')
# Return true if patype appears to have been received in a hint list
# from a KDC error message, based on the trace file fname.
def preauth_type_received(trace, patype):
found = False
for line in trace.splitlines():
if 'Processing preauth types:' in line:
ind = line.find('types:')
patypes = line[ind + 6:].split(', ')
if str(patype) in patypes:
found = True
return found
# Make sure the KDC doesn't offer encrypted timestamp for a principal
# with no keys.
realm.run([kadminl, 'purgekeys', '-all', 'user'])
realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
out, trace = realm.run([kinit, 'user'], expected_code=1, return_trace=True)
if preauth_type_received(trace, 2):
fail('encrypted timestamp')
# Make sure it doesn't offer encrypted challenge either.
realm.run([kadminl, 'addprinc', '-pw', 'fast', 'armor'])
realm.kinit('armor', 'fast')
out, trace = realm.run([kinit, '-T', realm.ccache, 'user'], expected_code=1,
return_trace=True)
if preauth_type_received(trace, 138):
fail('encrypted challenge')
success('Key data tests')