#!/bin/bash
# Autopkgtest: exercise sshd GSSAPI authentication (gssapi-with-mic and
# gssapi-keyex) against a throwaway local Kerberos realm.
#
# Runs as root and modifies the system: hostname, /etc/krb5.conf,
# /etc/krb5.keytab, ssh client/server drop-in configs, and a local user.
set -e -o pipefail

# Throwaway realm; its lower-cased form becomes the test host's domain part.
realm="EXAMPLE.FAKE"
myhostname="sshd-gssapi.${realm,,}"

# Per-run user name (PID suffix) so repeated runs do not collide.
testuser="testuser$$"
# NOTE: created before the EXIT trap is installed further down, so a failure
# in the remaining top-level setup lines leaves the account behind.
adduser --quiet --disabled-password --gecos "" "${testuser}"

# Fixed, test-only Kerberos password for the local realm (not a real secret).
password="secret"
user_principal="${testuser}@${realm}"
service_principal="host/${myhostname}"

# Expected to provide adjust_hostname, create_realm and run_test (not defined here).
source debian/tests/util
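#######################################
# EXIT handler. When the script is exiting because a command failed, dumps
# diagnostics and leaves the system as-is for troubleshooting; otherwise
# removes the artifacts the test left on the system.
# Globals:   testuser (read)
# Outputs:   diagnostics or progress lines to stdout
# Returns:   0
#######################################
cleanup() {
  # Must be the first statement: $? is the status of the command that
  # triggered the exit.
  local rc=$?
  if (( rc != 0 )); then
    echo "## Something failed"
    echo
    # set -e is still in effect inside the trap: without '|| :' the first
    # failing diagnostic (e.g. klist with no credential cache after a failed
    # kinit) would abort the handler before the server and KDC logs are shown.
    echo "## klist"
    klist || :
    echo
    echo "## ssh server log"
    journalctl -b -u ssh.service --lines 100 || :
    echo
    echo "## Kerberos KDC logs"
    journalctl -b -u krb5-kdc.service --lines 100 || :
    echo
    echo "## Kerberos Admin server logs"
    journalctl -b -u krb5-admin-server.service --lines 100 || :
    echo
    echo "## Skipping cleanup to facilitate troubleshooting"
  else
    echo "## ALL TESTS PASSED"
    echo "## Cleaning up"
    # Drop the (forwardable) TGT the tests obtained into root's credential cache.
    kdestroy 2>/dev/null || :
    rm -f /etc/krb5.keytab
    rm -f /etc/ssh/sshd_config.d/gssapi.conf
    rm -f /etc/ssh/ssh_config.d/gssapi.conf
    rm -f /etc/ssh/ssh_config.d/dep8.conf
    # The account created at the top of the script; best-effort removal.
    deluser --quiet "${testuser}" || :
  fi
}
trap cleanup EXIT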
#######################################
# Prepares the host: hostname, a fresh local Kerberos realm, the user and
# host principals, the host keytab, a permissive ssh client drop-in for the
# test, and an /etc/krb5.conf pointing at this host as KDC/admin server.
# Globals:   realm, myhostname, password, user_principal,
#            service_principal (read)
# Outputs:   progress lines to stdout
# Returns:   status of the first failing command (set -e)
#######################################
setup() {
  local krb5_conf=/etc/krb5.conf
  local keytab=/etc/krb5.keytab
  local client_conf=/etc/ssh/ssh_config.d/dep8.conf

  printf '%s\n' "## Setting up test environment"
  adjust_hostname "${myhostname}"

  printf '%s\n' "## Creating Kerberos realm ${realm}"
  create_realm "${realm}" "${myhostname}"

  printf '%s\n' "## Creating principals"
  # NOTE: -pw places the (test-only) password on the kadmin.local command
  # line, where it is visible in the process list and in set -x traces.
  kadmin.local -q "addprinc -clearpolicy -pw ${password} ${user_principal}"
  kadmin.local -q "addprinc -clearpolicy -randkey ${service_principal}"

  printf '%s\n' "## Extracting service principal ${service_principal}"
  kadmin.local -q "ktadd -k ${keytab} ${service_principal}"

  # Test-only client settings: no host key verification for the loopback login.
  cat > "${client_conf}" <<EOF
Host *
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
EOF

  printf '%s\n' "## Adjusting ${krb5_conf}"
  # DNS lookups are disabled so the realm resolves only through this file.
  cat > "${krb5_conf}" <<EOF
[libdefaults]
default_realm = ${realm}
rdns = false
forwardable = true
dns_lookup_kdc = false
dns_uri_lookup = false
dns_lookup_realm = false
[realms]
${realm} = {
kdc = ${myhostname}
admin_server = ${myhostname}
}
EOF
}
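#######################################
# Writes matching sshd and ssh client drop-ins for one GSSAPI auth method
# and restarts sshd. The two methods differ only in GSSAPIKeyExchange, so
# the configuration is generated once from that single value.
# Arguments: $1 - sshd AuthenticationMethods value:
#                 "gssapi-with-mic" (key exchange off) or
#                 "gssapi-keyex"    (key exchange on)
# Outputs:   progress lines to stdout; an error line for an unknown method
# Returns:   0 on success, 1 for an unknown method, otherwise the status of
#            the failing command (set -e)
#######################################
configure_sshd() {
  local auth_method="${1}"
  local keyex
  case "${auth_method}" in
    gssapi-with-mic) keyex=no ;;
    gssapi-keyex) keyex=yes ;;
    *)
      echo "## ERROR: unknown auth_method \"${auth_method}\""
      return 1
      ;;
  esac

  echo "## Configuring sshd for ${auth_method} authentication"
  # server: restrict authentication to the method under test so a successful
  # login cannot come from any other mechanism.
  cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
GSSAPIAuthentication yes
GSSAPIKeyExchange ${keyex}
GSSAPICleanupCredentials yes
PubkeyAuthentication no
AuthenticationMethods ${auth_method}
EOF
  # client
  cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
Host *
GSSAPIAuthentication yes
GSSAPIKeyExchange ${keyex}
PubkeyAuthentication no
EOF

  echo "## Restarting ssh"
  systemctl restart ssh.service
}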
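#######################################
# Logs into this host over ssh with the given GSSAPI method and verifies
# the Kerberos and sshd evidence of it.
# Globals:   password, user_principal, service_principal, testuser,
#            myhostname (read)
# Arguments: $1 - sshd AuthenticationMethods value
#                 ("gssapi-with-mic" or "gssapi-keyex")
# Outputs:   progress lines and klist output to stdout
# Returns:   0 on success, otherwise the status of the first failing step
#######################################
_test_ssh_login() {
  local auth_method="${1}"
  # Start from an empty credential cache; a missing cache is not an error.
  kdestroy 2>/dev/null || :
  configure_sshd "${auth_method}" || return $?

  echo "## Obtaining TGT"
  # Password goes over stdin (echo is a builtin), not on kinit's argv.
  echo "${password}" | timeout --verbose 30 kinit "${user_principal}" || return $?
  klist
  echo

  echo "## ssh'ing into localhost using ${auth_method} auth"
  timeout --verbose 30 ssh "${testuser}@${myhostname}" date || return $?
  echo

  echo "## checking that we got a service ticket for ssh (host/)"
  klist | grep -F "${service_principal}" || return $?
  echo

  echo "## Checking ssh logs to confirm ${auth_method} auth was used"
  # Include the per-run user name so an "Accepted <method>" line from an
  # earlier login in this boot cannot satisfy the check. Relies on journalctl
  # exiting non-zero when --grep matches nothing (recent systemd) — confirm
  # on the target release.
  journalctl -u ssh.service -b --grep "Accepted ${auth_method} for ${testuser}"
}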
# Test case: ssh login with GSSAPI authentication (no GSSAPI key exchange).
test_gssapi_login() {
  _test_ssh_login "gssapi-with-mic"
}
# Test case: ssh login with GSSAPI key exchange based authentication.
test_gssapi_keyex_login() {
  _test_ssh_login "gssapi-keyex"
}
# Entry point: prepare the host, then run each test case through run_test
# (provided by the sourced util file).
setup
printf '%s\n' "## TESTS" ""
run_test test_gssapi_login
run_test test_gssapi_keyex_login