diff options
Diffstat (limited to 'third_party/heimdal/tests/kdc/check-kdc.in')
| -rw-r--r-- | third_party/heimdal/tests/kdc/check-kdc.in | 1131 |
1 files changed, 1131 insertions, 0 deletions
diff --git a/third_party/heimdal/tests/kdc/check-kdc.in b/third_party/heimdal/tests/kdc/check-kdc.in new file mode 100644 index 0000000..307312e --- /dev/null +++ b/third_party/heimdal/tests/kdc/check-kdc.in @@ -0,0 +1,1131 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +top_builddir="@top_builddir@" +env_setup="@env_setup@" +objdir="@objdir@" + +. ${env_setup} + +KRB5_CONFIG="${1-${objdir}/krb5.conf}" +export KRB5_CONFIG + +testfailed="echo test failed; cat messages.log; exit 1" + +# If there is no useful db support compiled in, disable test +${have_db} || exit 77 + +R=TEST.H5L.SE +RH=TEST-HTTP.H5L.SE +R2=TEST2.H5L.SE +R3=TEST3.H5L.SE +R4=TEST4.H5L.SE +R5=SOME-REALM5.FR +R6=SOME-REALM6.US +R7=SOME-REALM7.UK +R8=SOME-REALM8.UK + +H1=H1.$R +H2=H2.$R +H3=H3.$H2 +H4=H4.$H2 + +r=`echo "$R" | tr '[A-Z]' '[a-z]'` +h1=`echo "${H1}" | tr '[A-Z]' '[a-z]'` +h2=`echo "${H2}" | tr '[A-Z]' '[a-z]'` +h3=`echo "${H3}" | tr '[A-Z]' '[a-z]'` +h4=`echo "${H4}" | tr '[A-Z]' '[a-z]'` + +port=@port@ +pwport=@pwport@ + +kadmin5="${kadmin} -l -r $R5" +kadmin="${kadmin} -l -r $R" +kdc="${kdc} --addresses=localhost -P $port" +kpasswdd="${kpasswdd} --addresses=localhost -p $pwport" + +server=host/datan.test.h5l.se +server2=host/computer.example.com +server3=host/refer-me-out.test.h5l.se +server4=host/no-auth-data-reqd.test.h5l.se +server5=host/a-host.refer-all-out.test.h5l.se +namespace=WELLKNOWN/HOSTBASED-NAMESPACE/_/refer-all-out.test.h5l.se +serverip=host/10.11.12.13 +serveripname=host/ip.test.h5l.org +serveripname2=host/10.11.12.14 +alias1=host/datan.example.com +alias2=host/datan +aliaskeytab=host/datan +cache="FILE:${objdir}/cache.krb5" +ocache="FILE:${objdir}/ocache.krb5" +o2cache="FILE:${objdir}/o2cache.krb5" +icache="FILE:${objdir}/icache.krb5" +keytabfile=${objdir}/server.keytab +keytab="FILE:${keytabfile}" +ps="proxy-service@${R}" +rps="restricted-proxy-service@${R}" +aesenctype="aes256-cts-hmac-sha1-96" + +kinit="${kinit} -c $cache ${afs_no_afslog}" +klist2="${klist} -c $o2cache" +klist="${klist} -c $cache" +kgetcred="${kgetcred} -c $cache" +kgetcred_imp="${kgetcred} -c $cache --out-cache=${ocache}" +kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" +kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}" +test_set_kvno0="${test_set_kvno0} -c $cache" + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R2} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R3} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R4} || exit 1 + +${kadmin5} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R5} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R6} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R7} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R8} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${H1} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${H2} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${H3} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${H4} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${RH} || exit 1 + +${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 +${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 +${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 +${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 + +${kadmin} add -p foo --use-defaults foo@${R} || exit 1 +${kadmin} add -p foo --use-defaults foo/host.${r}@${R} || exit 1 +${kadmin} add -p foo --use-defaults foo@${R2} || exit 1 +${kadmin} add -p foo --use-defaults foo@${R3} || exit 1 +${kadmin} add -p foo --use-defaults foo@${R4} || exit 1 +${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1 +${kadmin} add -p foo --use-defaults foo@${R6} || exit 1 +${kadmin} add -p foo --use-defaults foo@${R7} || exit 1 +${kadmin} add -p foo --use-defaults foo@${R8} || exit 1 +${kadmin} add -p foo --use-defaults foo@${H1} || exit 1 +${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1 +${kadmin} add -p foo --use-defaults foo@${H2} || exit 1 +${kadmin} add -p foo --use-defaults foo/host.${h2}@${H2} || exit 1 +${kadmin} add -p foo --use-defaults foo@${H3} || exit 1 +${kadmin} add -p foo --use-defaults foo/host.${h3}@${H3} || exit 1 +${kadmin} add -p foo --use-defaults foo@${H4} || exit 1 +${kadmin} add -p foo --use-defaults foo/host.${h4}@${H4} || exit 1 +${kadmin} add -p bar --use-defaults bar@${R} || exit 1 +${kadmin} add -p foo --use-defaults remove@${R} || exit 1 +${kadmin} add -p nop --use-defaults ${server}@${R} || exit 1 +${kadmin} cpw -p bla --keepold ${server}@${R} || exit 1 +${kadmin} cpw -p kaka --keepold ${server}@${R} || exit 1 +${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1 +${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1 +${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1 +${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1 +${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1 + +${kadmin} add -p sens --use-defaults --attributes=disallow-forwardable sensitive@${R} || exit 1 +${kadmin} add -p foo --use-defaults ${ps} || exit 1 +${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1 +${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1 +${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 +${kadmin} ext -k ${keytab} ${ps} || exit 1 + +# Note: rps is not trusted-for-delegation +${kadmin} add -p foo --use-defaults ${rps} || exit 1 +${kadmin} modify --constrained-delegation=${server} ${rps} || exit 1 +${kadmin} ext -k ${keytab} ${rps} || exit 1 + +${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1 +${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1 +${kadmin} add -p foo --use-defaults WELLKNOWN/REFERRALS/TARGET@${R5} || exit 1 +${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${server3}@${R} || exit 1 +${kadmin5} add -p kaka --use-defaults ${server3}@${R5} || exit 1 +${kadmin5} ext -k ${keytab} ${server3}@${R5} || exit 1 +${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${namespace}@${R} || exit 1 +${kadmin5} add -p kaka --use-defaults ${server5}@${R5} || exit 1 +${kadmin5} ext -k ${keytab} ${server5}@${R5} || exit 1 +${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1 +${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1 +${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1 +${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1 +${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R} +${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1 + +${kadmin} add -p nopac --use-defaults ${server4}@${R2} || exit 1 +${kadmin} modify --attributes=+no-auth-data-reqd ${server4}@${R2} || exit 1 +${kadmin} ext -k ${keytab} ${server4}@${R2} || exit 1 + +${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1 +${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1 +${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R} + +${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 +${kadmin} modify --attributes=+no-auth-data-reqd krbtgt/${R2}@${R} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R3} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R2} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R4} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R3} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R4} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${R5}@${R} || exit 1 +${kadmin5} add -p cross2 --use-defaults krbtgt/${R}@${R5} || exit 1 + +${kadmin5} add -p cross1 --use-defaults krbtgt/${R6}@${R5} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${H2}@${R} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H2} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H2} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${H2}@${H3} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H4} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${H4}@${H3} || exit 1 + +${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1 +${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1 + +${kadmin} add -p foo --use-defaults pw-expired@${R} || exit 1 +${kadmin} modify --pw-expiration-time=2012-06-12 pw-expired@${R} || exit 1 + +${kadmin} add -p foo --use-defaults account-expired@${R} || exit 1 +${kadmin} modify --expiration-time=2012-06-12 account-expired@${R} || exit 1 + +${kadmin} add -p foo --use-defaults foo@${RH} || exit 1 + +echo "Check parser" +${kadmin} add -p foo --use-defaults -- -p || exit 1 +${kadmin} delete -- -p || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 +${kadmin} check ${R2} || exit 1 +${kadmin} check ${R3} || exit 1 +${kadmin} check ${R4} || exit 1 +${kadmin5} check ${R5} || exit 1 +${kadmin} check ${R6} || exit 1 +${kadmin} check ${R7} || exit 1 +${kadmin} check ${R8} || exit 1 +${kadmin} check ${H1} || exit 1 +${kadmin} check ${H2} || exit 1 +${kadmin} check ${H3} || exit 1 +${kadmin} check ${H4} || exit 1 + +echo "Extracting enctypes" +${ktutil} -k ${keytab} list > tempfile || exit 1 +${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \ + ${EGREP} -v "$server" | # we did cpw for this one + awk '$1 !~ /1/ { exit 1 }' || exit 1 +${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \ + ${EGREP} "$server" | head -1 | + awk '$1 !~ /3/ { exit 1 }' || exit 1 + + +${kadmin} get foo@${R} > tempfile || exit 1 +enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'` + +enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'` +enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'` + +echo "deleting all but des enctypes on kt-des3 in keytab" +${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1 +for a in ${enctype_sans_des3} ; do + ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a +done + +echo "checking globbing keys rules" +${kadmin} get foo/des3-only@${R} > tempfile || exit 1 +enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'` +if [ X"$enctypes" != Xdes3-cbc-sha1 ] ; then + echo "des3 only is not only des3: $enctypes" + exit 1 +fi + +${kadmin} get foo/aes-only@${R} > tempfile || exit 1 +enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'` +if [ X"$enctypes" != Xaes256-cts-hmac-sha1-96 ] ; then + echo "aes only is not only aes: $enctypes" + exit 1 +fi + + +echo foo > ${objdir}/foopassword +echo notfoo > ${objdir}/notfoopassword + +echo Starting kdc ; > messages.log +env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \ +${kdc} --detach --testing || + { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +echo Starting kpasswdd; > messages.log +env ${HEIM_MALLOC_DEBUG} ${kpasswdd} --detach || + { echo "kpasswdd failed to start"; exit 1; } +kpasswddpid=`getpid kpasswdd` + + +trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1;" EXIT + +ec=0 + +echo "Getting client initial tickets with wrong password"; > messages.log +${kadmin} modify --attributes=+disallow-client ${server} || exit 1 +${kinit} --password-file=${objdir}/notfoopassword \ + foo@${R} 2>kinit-log.tmp && \ + { ec=1 ; eval "${testfailed}"; } +grep 'Password incorrect' kinit-log.tmp > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +echo "Getting client initial tickets"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +echo "Doing krbtgt key rollover"; > messages.log +${kadmin} cpw -r --keepold krbtgt/${R}@${R} || exit 1 +echo "Getting tickets"; > messages.log +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +echo "Listing tickets"; > messages.log +${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; } +${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client initial tickets (http transport)"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@${RH} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Testing capaths logic" +${kinit} --password-file=${objdir}/foopassword \ + -e ${aesenctype} -e ${aesenctype} \ + foo@$R || \ + { ec=1 ; eval "${testfailed}"; } + +echo "Getting x-realm tickets with capaths for $R -> $R2" +${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with capaths for $R -> $R3" +${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with capaths for $R -> $R4" +${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with capaths for $R -> $R5" +${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with capaths for $R -> $R6" +${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with capaths for $R -> $R7" +${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; } +echo "Should not get x-realm tickets with capaths for $R -> $R8" +${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Testing capaths logic (reverse order)" +${kinit} --password-file=${objdir}/foopassword \ + -e ${aesenctype} -e ${aesenctype} \ + foo@$R || \ + { ec=1 ; eval "${testfailed}"; } + +echo "Getting x-realm tickets with capaths for $R -> $R4" +${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with capaths for $R -> $R3" +${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with capaths for $R -> $R2" +${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with capaths for $R -> $R7" +${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with capaths for $R -> $R6" +${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with capaths for $R -> $R5" +${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; } +echo "Testing HDB referral entry" +${kgetcred} --canonicalize ${server3}@${R} || { ec=1 ; eval "${testfailed}"; } +echo "Testing HDB namespace referral entry" +${kgetcred} --canonicalize ${server5}@${R} || { ec=1 ; eval "${testfailed}"; } +${klist} +${kdestroy} + +echo "Testing hierarchical referral logic" +${kinit} --password-file=${objdir}/foopassword \ + -e ${aesenctype} -e ${aesenctype} \ + foo@${H3} || \ + { ec=1 ; eval "${testfailed}"; } + +echo "Getting x-realm tickets with HDB referral alias for $R1 -> $R3" +${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1" +${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; } +fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R" +${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; } +fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; } +echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2" +${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; } +fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Testing multi-hop [capaths] referral logic" +${kinit} --password-file=${objdir}/foopassword \ + -e ${aesenctype} -e ${aesenctype} \ + foo@${H4} || \ + { ec=1 ; eval "${testfailed}"; } + +echo "Getting x-realm tickets with [capaths] referrals for $H4 -> $H1" +${kgetcred} --hostbased --canonicalize foo/host.${h1}@${H4} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Testing forwardable/renewable flag copying in TGS-REQ" +${kinit} -f --renewable -r 5d --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${klist} -f | grep ${server} | grep FRA > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } + +echo "Testing strip of forwardable when the server is disallowed in TGS-REQ" +${kgetcred} sensitive@${R} || { ec=1 ; eval "${testfailed}"; } +${klist} -f | grep sensitive | grep FRA > /dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "Specific enctype"; > messages.log +${kinit} --password-file=${objdir}/foopassword \ + -e ${aesenctype} -e ${aesenctype} \ + foo@$R || \ + { ec=1 ; eval "${testfailed}"; } + +for a in $enctypes; do + echo "Getting client initial tickets ($a)"; > messages.log + ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } + echo "Getting tickets"; > messages.log + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} +done + + +echo "Getting client initial tickets"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting tickets ($a)"; > messages.log + ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} +done +${kdestroy} + +echo "Getting client initial tickets without PAC"; > messages.log +${kinit} --no-request-pac --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting tickets ($a)"; > messages.log + ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} ${server}@${R} ${keytab} ${cache} && \ + { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} +done +${kdestroy} + +echo "Getting client initial tickets with PAC"; > messages.log +${kinit} --request-pac --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting tickets for PAC-less service principal ($a)"; > messages.log + ${kgetcred} -e $a ${server4}@${R2} || { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} --verify-pac ${server4}@${R2} ${keytab} ${cache} && \ + { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} --no-verify-pac ${server4}@${R2} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server4}@${R2} +done +${kdestroy} + +echo "Getting client initial tickets with PAC"; > messages.log +${kinit} --request-pac --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting tickets for PAC-less service principal ($a)"; > messages.log + ${kgetcred} -e $a ${server4}@${R2} || { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} --verify-pac ${server4}@${R2} ${keytab} ${cache} && \ + { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} --no-verify-pac ${server4}@${R2} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server4}@${R2} +done +${kdestroy} + +echo "Getting client authenticated anonymous initial tickets"; > messages.log +${kinit} -n --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting tickets ($a)"; > messages.log + ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} --verify-pac ${server}@${R} ${keytab} ${cache} && \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} +done +${kdestroy} + +echo "Getting client anonymous service tickets"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting tickets ($a)"; > messages.log + ${kgetcred} -n -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} +done +${kdestroy} + +echo "Getting client initial tickets for cross realm case (no-auth-data-reqd for ${R2})"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting cross realm tickets ($a)"; > messages.log + ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } + echo " checking we we got back right ticket" + ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } + echo " checking if ticket is useful" + ${test_ap_req} --no-verify-pac ${server2}@${R2} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} --verify-pac ${server2}@${R2} ${keytab} ${cache} && \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server2}@${R2} +done +${kdestroy} + +echo "Getting client initial tickets for cross realm case (w/ PAC)"; > messages.log +${kadmin} modify --attributes=-no-auth-data-reqd krbtgt/${R2}@${R} || exit 1 +${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting cross realm tickets ($a)"; > messages.log + ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } + echo " checking we we got back right ticket" + ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } + echo " checking if ticket is useful" + ${test_ap_req} --verify-pac ${server2}@${R2} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server2}@${R2} +done +${kdestroy} + +echo "Trying x-realm TGT with kvno 0 case"; +${kinit} --password-file=${objdir}/foopassword foo@$R || + { ec=1 ; eval "${testfailed}"; } +${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; } +echo "Getting cross realm tickets"; > messages.log +${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } +${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; } +echo "Getting service ticket"; > messages.log +${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying x-realm TGT with kvno 0 case with key rollover"; +${kinit} --password-file=${objdir}/foopassword foo@$R || + { ec=1 ; eval "${testfailed}"; } +${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; } +echo "Getting cross realm tickets"; > messages.log +${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } +echo "Rolling over cross realm keys"; > messages.log +${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; } +${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } +${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; } +${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; } +echo "Getting service ticket"; > messages.log +echo "Start tracing kdc, then hit return" +${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying x-realm TGT with no kvno case"; +${kinit} --password-file=${objdir}/foopassword foo@$R || + { ec=1 ; eval "${testfailed}"; } +${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; } +echo "Getting cross realm tickets"; > messages.log +${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } +${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; } +echo "Getting service ticket"; > messages.log +${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying x-realm TGT with no kvno case with key rollover"; +${kinit} --password-file=${objdir}/foopassword foo@$R || + { ec=1 ; eval "${testfailed}"; } +${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; } +echo "Getting cross realm tickets"; > messages.log +${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } +echo "Rolling over cross realm keys"; > messages.log +${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; } +${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } +${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; } +${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; } +echo "Getting service ticket"; > messages.log +echo "Start tracing kdc, then hit return" +${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "try all permutations"; > messages.log +for a in $enctypes; do + echo "Getting client initial tickets ($a)"; > messages.log + ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } + for b in $enctypes; do + echo "Getting tickets ($a -> $b)"; > messages.log + ${kgetcred} -e $b ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} + done + ${kdestroy} +done + +echo "Getting client initial tickets ip based name"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } +echo "Getting ip based name tickets"; > messages.log +${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; } +echo " checking we we got back right ticket" +${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } +echo " checking if ticket is useful" +${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client initial tickets ip based name (alias)"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } +for a in ${serveripname} ${serveripname2} ; do + echo "Getting ip based name tickets (alias) $a"; > messages.log + ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; } + echo " checking we we got back right ticket" + ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } + echo " checking if ticket is useful" + ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +done +${kdestroy} + +echo "Getting server initial tickets"; > messages.log +${kinit} --keytab=${keytab} ${server}@$R && { ec=1 ; eval "${testfailed}"; } +${kadmin} modify --attributes=-disallow-client ${server} || exit 1 +${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; } +echo "Listing tickets"; > messages.log +${klist} | grep "Principal: ${server}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting key for key that are a subset in keytab compared to kdb" +${kinit} --keytab=${keytab} kt-des3@${R} +${klist} | grep "Principal: kt-des3" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "initial tickets for deleted user test case"; > messages.log +${kinit} --password-file=${objdir}/foopassword remove@$R || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; } +echo "try getting ticket with deleted user"; > messages.log +${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "cross realm case (deleted user)"; > messages.log +${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} delete remove2@${R2} || exit 1 +${kgetcred} ${server}@${R} 2> /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "rename user"; > messages.log +${kadmin} add -p foo --use-defaults rename@${R} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} rename rename@${R} rename2@${R} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename2@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} +${kadmin} delete rename2@${R} || exit 1 + +echo "rename user to another realm"; > messages.log +${kadmin} add -p foo --use-defaults rename@${R} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} rename rename@${R} rename@${R2} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename@${R2} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} +${kadmin} delete rename@${R2} || exit 1 + +echo deleting all but aes enctypes on krbtgt +${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1 + +echo deleting all but des enctypes on server-des3 +${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1 +${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1 + +echo "try all permutations (only aes)"; > messages.log +for a in $enctypes; do + echo "Getting client initial tickets ($a)"; > messages.log + ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\ + { ec=1 ; eval "${testfailed}"; } + for b in $enctypes; do + echo "Getting tickets ($a -> $b)"; > messages.log + ${kgetcred} -e $b ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + + echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log + ${kgetcred} ${server}-des3@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + + ${kdestroy} --credential=${server}@${R} + ${kdestroy} --credential=${server}-des3@${R} + done + ${kdestroy} +done + +echo deleting all enctypes on krbtgt +${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ + { ec=1 ; eval "${testfailed}"; } +echo "try initial ticket w/o and keys on krbtgt" +${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } +echo "adding random aes key" +${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ + { ec=1 ; eval "${testfailed}"; } +echo "try initial ticket with random aes key on krbtgt" +${kinit} --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +rsa=yes +ecdsa=yes +pkinit=no +if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then + rsa=no +fi +if ${hxtool} info | grep 'rand: not available' > /dev/null ; then + rsa=no +fi +if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then + pkinit=yes +fi + +if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then + ecdsa=no +fi + + +# If we support pkinit and have RSA, lets try that +if test "$pkinit" = yes -a "$rsa" = yes ; then + + echo "try anonymous pkinit"; > messages.log + ${kinit} --renewable -n @${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kinit} --renew || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + for type in "" "--pk-use-enckey"; do + echo "Trying pk-init (principal in certificate) $type"; > messages.log + ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log + ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Trying pk-init (password protected key) $type"; > messages.log + ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Trying pk-init (proxy cert) $type"; > messages.log + ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + done + + if test "$ecdsa" = yes > /dev/null ; then + echo "Trying pk-init (ec certificate)" + > messages.log + ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + grep 'PKINIT using ecdh' messages.log > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } + fi + +else + echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log +fi + +echo "test impersonate using rc4 based tgt"; > messages.log +${kinit} -e arcfour-hmac-md5 --forwardable --password-file=${objdir}/foopassword ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred_imp} --impersonate=bar@${R} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${test_ap_req} ${ps} ${keytab} ${ocache} || \ + { ec=1 ; eval "${testfailed}"; } + +echo "tickets for impersonate test case"; > messages.log +${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred_imp} --impersonate=bar@${R} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${test_ap_req} ${ps} ${keytab} ${ocache} || \ + { ec=1 ; eval "${testfailed}"; } +echo " negative check" +${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test impersonate unknown client"; > messages.log +${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test impersonate account-expired client"; > messages.log +${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test impersonate pw-expired client"; > messages.log +${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } + +echo "test delegate sensitive client"; > messages.log +${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} \ + --out-cache=${o2cache} \ + --delegation-credential-cache=${ocache} \ + ${server}@${R} && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation (evidence from impersonation)"; > messages.log +${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} \ + --out-cache=${o2cache} \ + --delegation-credential-cache=${ocache} \ + ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo " try using the credential" +${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \ + { ec=1 ; eval "${testfailed}"; } +echo " negative check" +${kgetcred} \ + --out-cache=${o2cache} \ + --delegation-credential-cache=${ocache} \ + bar@${R} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation evidence (evidence from TGS)"; > messages.log +echo bar > ${objdir}/barpassword +${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +# Bug #816 have a regular ticket in ${cache} for ${server} see that it isn't used +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} \ + --out-cache=${o2cache} \ + --delegation-credential-cache=${ocache} \ + ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${klist2} | grep "Principal: bar@${R}" || { ec=1 ; eval "${testfailed}"; } +echo " try using the credential" +${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \ + { ec=1 ; eval "${testfailed}"; } +echo " negative check" +${kgetcred} \ + --out-cache=${o2cache} \ + --delegation-credential-cache=${ocache} \ + bar@${R} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation with foreign client (evidence from TGS)"; > messages.log +# We can't test foreign client with evidence from S4U2Self, since Heimdal doesn't support it yet +rm -f ocache.krb5 +${kinit} --cache=${icache} --forwardable --password-file=${objdir}/foopassword foo@${R2} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} \ + --out-cache=${o2cache} \ + --delegation-credential-cache=${ocache} \ + ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${klist2} | grep "Principal: foo@${R2}" || { ec=1 ; eval "${testfailed}"; } +echo " try using the credential" +${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation impersonation (non forward)"; > messages.log +rm -f ocache.krb5 +${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation evidence (evidence from AS)"; > messages.log +# This fails because we don't add PAC ticket-signature in AS-REP (as Windows). +${kinit} --cache=${ocache} --password-file=${objdir}/barpassword \ + --forwardable --server=${ps} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --delegation-credential-cache=${ocache} ${server}@${R} && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation impersonation (missing PAC)"; > messages.log +rm -f ocache.krb5 +${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +${kdestroy} + +echo "test constrained delegation NOT trusted-for-delegation (evidence from TGS)"; > messages.log + +${kinit} --forwardable --password-file=${objdir}/foopassword ${rps} || \ + { ec=1 ; eval "${testfailed}"; } +${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --cache=${icache} --out-cache=${ocache} ${rps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} \ + --out-cache=${o2cache} \ + --delegation-credential-cache=${ocache} \ + ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${klist2} | grep "Principal: bar@${R}" || { ec=1 ; eval "${testfailed}"; } +${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation NOT trusted-for-delegation (evidence from impersonate, negative)"; > messages.log +rm -f ocache.krb5 +${kgetcred_imp} --impersonate=bar@${R} ${rps} || \ + { ec=1 ; eval "${testfailed}"; } +${test_ap_req} ${rps} ${keytab} ${ocache} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} \ + --out-cache=${o2cache} \ + --delegation-credential-cache=${ocache} \ + ${server}@${R} && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation bronze-bit attack, aka CVE-2020-17049"; > messages.log + +KRB5CCNAME=${ocache} KRB5_KTNAME=${keytab} ${test_mkforwardable} ${rps} ${icache} || \ +{ ec=1 ; eval "${testfailed}"; } + +${kgetcred} \ + --out-cache=${o2cache} \ + --delegation-credential-cache=${icache} \ + ${server}@${R} && \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "check renewing" > messages.log +${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +echo "kinit -R" +${kinit} -R || \ + { ec=1 ; eval "${testfailed}"; } +echo "check renewing MIT interface" > messages.log +${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +echo "test_renew" +env KRB5CCNAME=${cache} ${test_renew} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "checking server aliases"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +echo "Getting tickets"; > messages.log +${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; } +echo " verify entry in keytab" +${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +echo " verify entry in keytab with any" +${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +echo " verify failure with alias entry" +${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } +echo " verify alias entry in keytab with any" +${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "testing removal of keytab" +${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; } +test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; } + +echo "Checking client pw expire"; > messages.log +${kinit} --password-file=${objdir}/foopassword \ + pw-expire@${R} 2>kinit-log.tmp|| \ + { ec=1 ; eval "${testfailed}"; } +grep 'Your password will expire' kinit-log.tmp > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +echo " kinit passes" +${test_gic} --client=pw-expire@${R} --password=foo > kinit-log.tmp 2>/dev/null +${EGREP} "^e type: 6" kinit-log.tmp > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +echo " test_gic passes" +${kdestroy} + +echo "Checking password expiration" ; > messages.log + +kinitpty=${objdir}/foopassword.rkpty +cat > ${kinitpty} <<EOF +expect Password +password foo\n +expect Password has expired +expect New password +password Foobar11\n +expect password +password Foobar11\n +expect Success: Password changed +EOF + +echo "Checking client pw expire"; > messages.log +${rkpty} ${kinitpty} ${kinit} pw-expired@${R}|| \ + { ec=1 ; eval "${testfailed}"; } + +${kdestroy} + + +echo "killing kdc (${kdcpid}) kpasswdd (${kpasswddpid})" +sh ${leaks_kill} kdc $kdcpid || exit 1 +sh ${leaks_kill} kpasswdd $kpasswddpid || exit 1 + +trap "" EXIT + +exit $ec |