blob: a9c18d9d2b40b722baf07e3b0431807541966b2e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
#!/bin/bash
set -e
set -o pipefail
realm="EXAMPLE.FAKE"
myhostname="sshd-gssapi.${realm,,}"
testuser="testuser$$"
adduser --quiet --disabled-password --gecos "" "${testuser}"
password="secret"
user_principal="${testuser}@${realm}"
service_principal="host/${myhostname}"
source debian/tests/util
cleanup() {
if [ $? -ne 0 ]; then
echo "## Something failed"
echo
echo "## klist"
klist
echo
echo "## ssh server log"
journalctl -b -u ssh.service --lines 100
echo
echo "## Kerberos KDC logs"
journalctl -b -u krb5-kdc.service --lines 100
echo
echo "## Kerberos Admin server logs"
journalctl -b -u krb5-admin-server.service --lines 100
echo
echo "## Skipping cleanup to facilitate troubleshooting"
else
echo "## ALL TESTS PASSED"
echo "## Cleaning up"
rm -f /etc/krb5.keytab
rm -f /etc/ssh/sshd_config.d/gssapi.conf
rm -f /etc/ssh/ssh_config.d/gssapi.conf
rm -f /etc/ssh/ssh_config.d/dep8.conf
fi
}
trap cleanup EXIT
setup() {
echo "## Setting up test environment"
adjust_hostname "${myhostname}"
echo "## Creating Kerberos realm ${realm}"
create_realm "${realm}" "${myhostname}"
echo "## Creating principals"
kadmin.local -q "addprinc -clearpolicy -pw ${password} ${user_principal}"
kadmin.local -q "addprinc -clearpolicy -randkey ${service_principal}"
echo "## Extracting service principal ${service_principal}"
kadmin.local -q "ktadd -k /etc/krb5.keytab ${service_principal}"
cat > /etc/ssh/ssh_config.d/dep8.conf <<EOF
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
EOF
echo "## Adjusting /etc/krb5.conf"
cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = ${realm}
rdns = false
forwardable = true
dns_lookup_kdc = falase
dns_uri_lookup = false
dns_lookup_realm = false
[realms]
${realm} = {
kdc = ${myhostname}
admin_server = ${myhostname}
}
EOF
}
configure_sshd() {
local auth_method="${1}"
if [ "${auth_method}" = "gssapi-with-mic" ]; then
# server
echo "## Configuring sshd for ${auth_method} authentication"
cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
GSSAPIAuthentication yes
GSSAPIKeyExchange no
GSSAPICleanupCredentials yes
PubkeyAuthentication no
AuthenticationMethods ${auth_method}
EOF
# client
cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
Host *
GSSAPIAuthentication yes
GSSAPIKeyExchange no
PubkeyAuthentication no
EOF
elif [ "${auth_method}" = "gssapi-keyex" ]; then
# server
echo "## Configuring sshd for ${auth_method} authentication"
cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
PubkeyAuthentication no
AuthenticationMethods ${auth_method}
EOF
# client
cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
Host *
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
PubkeyAuthentication no
EOF
else
echo "## ERROR: unknown auth_method \"${auth_method}\""
return 1
fi
echo "## Restarting ssh"
systemctl restart ssh.service
}
_test_ssh_login() {
local auth_method="${1}"
kdestroy 2>/dev/null || :
configure_sshd "${auth_method}" || return $?
echo "## Obtaining TGT"
echo "${password}" | timeout --verbose 30 kinit "${user_principal}" || return $?
klist
echo
echo "## ssh'ing into localhost using ${auth_method} auth"
timeout --verbose 30 ssh "${testuser}@${myhostname}" date || return $?
echo
echo "## checking that we got a service ticket for ssh (host/)"
klist | grep -F "${service_principal}" || return $?
echo
echo "## Checking ssh logs to confirm ${auth_method} auth was used"
journalctl -u ssh.service -b --grep "Accepted ${auth_method}"
}
test_gssapi_login() {
local auth_method="gssapi-with-mic"
_test_ssh_login "${auth_method}"
}
test_gssapi_keyex_login() {
local auth_method="gssapi-keyex"
_test_ssh_login "${auth_method}"
}
setup
echo "## TESTS"
echo
run_test test_gssapi_login
run_test test_gssapi_keyex_login
|
