summaryrefslogtreecommitdiffstats
path: root/debian/tests/ssh-gssapi
diff options
context:
space:
mode:
Diffstat (limited to 'debian/tests/ssh-gssapi')
-rwxr-xr-xdebian/tests/ssh-gssapi158
1 files changed, 158 insertions, 0 deletions
diff --git a/debian/tests/ssh-gssapi b/debian/tests/ssh-gssapi
new file mode 100755
index 0000000..a9c18d9
--- /dev/null
+++ b/debian/tests/ssh-gssapi
@@ -0,0 +1,158 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+realm="EXAMPLE.FAKE"
+myhostname="sshd-gssapi.${realm,,}"
+testuser="testuser$$"
+adduser --quiet --disabled-password --gecos "" "${testuser}"
+password="secret"
+user_principal="${testuser}@${realm}"
+service_principal="host/${myhostname}"
+
+source debian/tests/util
+
+cleanup() {
+ if [ $? -ne 0 ]; then
+ echo "## Something failed"
+ echo
+ echo "## klist"
+ klist
+ echo
+ echo "## ssh server log"
+ journalctl -b -u ssh.service --lines 100
+ echo
+ echo "## Kerberos KDC logs"
+ journalctl -b -u krb5-kdc.service --lines 100
+ echo
+ echo "## Kerberos Admin server logs"
+ journalctl -b -u krb5-admin-server.service --lines 100
+ echo
+ echo "## Skipping cleanup to facilitate troubleshooting"
+ else
+ echo "## ALL TESTS PASSED"
+ echo "## Cleaning up"
+ rm -f /etc/krb5.keytab
+ rm -f /etc/ssh/sshd_config.d/gssapi.conf
+ rm -f /etc/ssh/ssh_config.d/gssapi.conf
+ rm -f /etc/ssh/ssh_config.d/dep8.conf
+ fi
+}
+
+trap cleanup EXIT
+
+setup() {
+ echo "## Setting up test environment"
+ adjust_hostname "${myhostname}"
+ echo "## Creating Kerberos realm ${realm}"
+ create_realm "${realm}" "${myhostname}"
+ echo "## Creating principals"
+ kadmin.local -q "addprinc -clearpolicy -pw ${password} ${user_principal}"
+ kadmin.local -q "addprinc -clearpolicy -randkey ${service_principal}"
+ echo "## Extracting service principal ${service_principal}"
+ kadmin.local -q "ktadd -k /etc/krb5.keytab ${service_principal}"
+ cat > /etc/ssh/ssh_config.d/dep8.conf <<EOF
+Host *
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+EOF
+ echo "## Adjusting /etc/krb5.conf"
+ cat > /etc/krb5.conf <<EOF
+[libdefaults]
+ default_realm = ${realm}
+ rdns = false
+ forwardable = true
+ dns_lookup_kdc = falase
+ dns_uri_lookup = false
+ dns_lookup_realm = false
+
+[realms]
+ ${realm} = {
+ kdc = ${myhostname}
+ admin_server = ${myhostname}
+ }
+EOF
+}
+
+configure_sshd() {
+ local auth_method="${1}"
+
+ if [ "${auth_method}" = "gssapi-with-mic" ]; then
+ # server
+ echo "## Configuring sshd for ${auth_method} authentication"
+ cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange no
+GSSAPICleanupCredentials yes
+PubkeyAuthentication no
+AuthenticationMethods ${auth_method}
+EOF
+ # client
+ cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+ GSSAPIAuthentication yes
+ GSSAPIKeyExchange no
+ PubkeyAuthentication no
+EOF
+ elif [ "${auth_method}" = "gssapi-keyex" ]; then
+ # server
+ echo "## Configuring sshd for ${auth_method} authentication"
+ cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+GSSAPICleanupCredentials yes
+PubkeyAuthentication no
+AuthenticationMethods ${auth_method}
+EOF
+ # client
+ cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+ GSSAPIAuthentication yes
+ GSSAPIKeyExchange yes
+ PubkeyAuthentication no
+EOF
+ else
+ echo "## ERROR: unknown auth_method \"${auth_method}\""
+ return 1
+ fi
+ echo "## Restarting ssh"
+ systemctl restart ssh.service
+}
+
+_test_ssh_login() {
+ local auth_method="${1}"
+
+ kdestroy 2>/dev/null || :
+ configure_sshd "${auth_method}" || return $?
+ echo "## Obtaining TGT"
+ echo "${password}" | timeout --verbose 30 kinit "${user_principal}" || return $?
+ klist
+ echo
+ echo "## ssh'ing into localhost using ${auth_method} auth"
+ timeout --verbose 30 ssh "${testuser}@${myhostname}" date || return $?
+ echo
+ echo "## checking that we got a service ticket for ssh (host/)"
+ klist | grep -F "${service_principal}" || return $?
+ echo
+ echo "## Checking ssh logs to confirm ${auth_method} auth was used"
+ journalctl -u ssh.service -b --grep "Accepted ${auth_method}"
+}
+
+test_gssapi_login() {
+ local auth_method="gssapi-with-mic"
+
+ _test_ssh_login "${auth_method}"
+}
+
+test_gssapi_keyex_login() {
+ local auth_method="gssapi-keyex"
+
+ _test_ssh_login "${auth_method}"
+}
+
+setup
+echo "## TESTS"
+echo
+run_test test_gssapi_login
+run_test test_gssapi_keyex_login