3 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 top_builddir
="@top_builddir@"
35 env_setup
="@env_setup@"
40 KRB5_CONFIG
="${1-${objdir}/krb5.conf}"
43 testfailed
="echo test failed; cat messages.log; exit 1"
45 # If there is no useful db support compiled in, disable test
63 r
=`echo "$R" | tr '[A-Z]' '[a-z]'`
64 h1
=`echo "${H1}" | tr '[A-Z]' '[a-z]'`
65 h2
=`echo "${H2}" | tr '[A-Z]' '[a-z]'`
66 h3
=`echo "${H3}" | tr '[A-Z]' '[a-z]'`
67 h4
=`echo "${H4}" | tr '[A-Z]' '[a-z]'`
72 kadmin5
="${kadmin} -l -r $R5"
73 kadmin
="${kadmin} -l -r $R"
74 kdc
="${kdc} --addresses=localhost -P $port"
75 kpasswdd
="${kpasswdd} --addresses=localhost -p $pwport"
77 server
=host
/datan.
test.h5l.se
78 server2
=host
/computer.example.com
79 server3
=host
/refer-me-out.
test.h5l.se
80 server4
=host
/no-auth-data-reqd.
test.h5l.se
81 serverip
=host
/10.11.12.13
82 serveripname
=host
/ip.
test.h5l.org
83 serveripname2
=host
/10.11.12.14
84 alias1
=host
/datan.example.com
86 aliaskeytab
=host
/datan
87 cache
="FILE:${objdir}/cache.krb5"
88 ocache
="FILE:${objdir}/ocache.krb5"
89 o2cache
="FILE:${objdir}/o2cache.krb5"
90 icache
="FILE:${objdir}/icache.krb5"
91 keytabfile
=${objdir}/server.keytab
92 keytab
="FILE:${keytabfile}"
93 ps
="proxy-service@${R}"
94 rps
="restricted-proxy-service@${R}"
95 aesenctype
="aes256-cts-hmac-sha1-96"
97 kinit
="${kinit} -c $cache ${afs_no_afslog}"
98 klist2
="${klist} -c $o2cache"
99 klist
="${klist} -c $cache"
100 kgetcred
="${kgetcred} -c $cache"
101 kgetcred_imp
="${kgetcred} -c $cache --out-cache=${ocache}"
102 kdestroy
="${kdestroy} -c $cache ${afs_no_unlog}"
103 kimpersonate
="${kimpersonate} -k ${keytab} --ccache=${ocache}"
104 test_set_kvno0
="${test_set_kvno0} -c $cache"
113 echo Creating database
116 --realm-max-ticket-life=1day \
117 --realm-max-renewable-life=1month \
122 --realm-max-ticket-life=1day \
123 --realm-max-renewable-life=1month \
128 --realm-max-ticket-life=1day \
129 --realm-max-renewable-life=1month \
134 --realm-max-ticket-life=1day \
135 --realm-max-renewable-life=1month \
140 --realm-max-ticket-life=1day \
141 --realm-max-renewable-life=1month \
146 --realm-max-ticket-life=1day \
147 --realm-max-renewable-life=1month \
152 --realm-max-ticket-life=1day \
153 --realm-max-renewable-life=1month \
158 --realm-max-ticket-life=1day \
159 --realm-max-renewable-life=1month \
164 --realm-max-ticket-life=1day \
165 --realm-max-renewable-life=1month \
170 --realm-max-ticket-life=1day \
171 --realm-max-renewable-life=1month \
176 --realm-max-ticket-life=1day \
177 --realm-max-renewable-life=1month \
182 --realm-max-ticket-life=1day \
183 --realm-max-renewable-life=1month \
188 --realm-max-ticket-life=1day \
189 --realm-max-renewable-life=1month \
192 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
193 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
194 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
195 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
197 ${kadmin} add
-p foo
--use-defaults foo@
${R} ||
exit 1
198 ${kadmin} add -p foo --use-defaults foo/host.${r}@${R} ||
exit 1
199 ${kadmin} add
-p foo
--use-defaults foo@
${R2} ||
exit 1
200 ${kadmin} add
-p foo
--use-defaults foo@
${R3} ||
exit 1
201 ${kadmin} add
-p foo
--use-defaults foo@
${R4} ||
exit 1
202 ${kadmin5} add
-p foo
--use-defaults foo@
${R5} ||
exit 1
203 ${kadmin} add
-p foo
--use-defaults foo@
${R6} ||
exit 1
204 ${kadmin} add
-p foo
--use-defaults foo@
${R7} ||
exit 1
205 ${kadmin} add
-p foo
--use-defaults foo@
${R8} ||
exit 1
206 ${kadmin} add
-p foo
--use-defaults foo@
${H1} ||
exit 1
207 ${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} ||
exit 1
208 ${kadmin} add
-p foo
--use-defaults foo@
${H2} ||
exit 1
209 ${kadmin} add -p foo --use-defaults foo/host.${h2}@${H2} ||
exit 1
210 ${kadmin} add
-p foo
--use-defaults foo@
${H3} ||
exit 1
211 ${kadmin} add -p foo --use-defaults foo/host.${h3}@${H3} ||
exit 1
212 ${kadmin} add
-p foo
--use-defaults foo@
${H4} ||
exit 1
213 ${kadmin} add -p foo --use-defaults foo/host.${h4}@${H4} ||
exit 1
214 ${kadmin} add
-p bar
--use-defaults bar@
${R} ||
exit 1
215 ${kadmin} add
-p foo
--use-defaults remove@
${R} ||
exit 1
216 ${kadmin} add -p nop --use-defaults ${server}@${R} ||
exit 1
217 ${kadmin} cpw -p bla --keepold ${server}@${R} ||
exit 1
218 ${kadmin} cpw -p kaka --keepold ${server}@${R} ||
exit 1
219 ${kadmin} add -p kaka --use-defaults ${server}-des3@${R} ||
exit 1
220 ${kadmin} add
-p kaka
--use-defaults kt-des3@
${R} ||
exit 1
221 ${kadmin} add
-p kaka
--use-defaults foo
/des3-only@
${R} ||
exit 1
222 ${kadmin} add
-p kaka
--use-defaults bar
/des3-only@
${R} ||
exit 1
223 ${kadmin} add
-p kaka
--use-defaults foo
/aes-only@
${R} ||
exit 1
225 ${kadmin} add
-p sens
--use-defaults --attributes=disallow-forwardable sensitive@
${R} ||
exit 1
226 ${kadmin} add
-p foo
--use-defaults ${ps} ||
exit 1
227 ${kadmin} modify
--attributes=+trusted-for-delegation
${ps} ||
exit 1
228 ${kadmin} modify --constrained-delegation=${server} ${ps} ||
exit 1
229 ${kadmin} ext -k ${keytab} ${server}@${R} ||
exit 1
230 ${kadmin} ext -k ${keytab} ${ps} ||
exit 1
232 # Note: rps is not trusted-for-delegation
233 ${kadmin} add
-p foo
--use-defaults ${rps} ||
exit 1
234 ${kadmin} modify --constrained-delegation=${server} ${rps} ||
exit 1
235 ${kadmin} ext -k ${keytab} ${rps} ||
exit 1
237 ${kadmin} add -p kaka --use-defaults ${server2}@${R2} ||
exit 1
238 ${kadmin} ext -k ${keytab} ${server2}@${R2} ||
exit 1
239 ${kadmin} add
-p foo
--use-defaults referral-placeholder@
${R5} ||
exit 1
240 ${kadmin} add_alias referral-placeholder@${R5} ${server3}@${R} ||
exit 1
241 ${kadmin5} add -p kaka --use-defaults ${server3}@${R5} ||
exit 1
242 ${kadmin5} ext -k ${keytab} ${server3}@${R5} ||
exit 1
243 ${kadmin} add -p kaka --use-defaults ${serverip}@${R} ||
exit 1
244 ${kadmin} ext -k ${keytab} ${serverip}@${R} ||
exit 1
245 ${kadmin} add -p kaka --use-defaults ${serveripname}@${R} ||
exit 1
246 ${kadmin} ext -k ${keytab} ${serveripname}@${R} ||
exit 1
247 ${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R}
248 ${kadmin} add
-p foo
--use-defaults remove2@
${R2} ||
exit 1
250 ${kadmin} add -p nopac --use-defaults ${server4}@${R2} ||
exit 1
251 ${kadmin} modify --attributes=+no-auth-data-reqd ${server4}@${R2} ||
exit 1
252 ${kadmin} ext -k ${keytab} ${server4}@${R2} ||
exit 1
254 ${kadmin} add -p kaka --use-defaults ${alias1}@${R} ||
exit 1
255 ${kadmin} ext -k ${keytab} ${alias1}@${R} ||
exit 1
256 ${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
258 ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} ||
exit 1
259 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} ||
exit 1
261 ${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} ||
exit 1
262 ${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R3} ||
exit 1
264 ${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R2} ||
exit 1
265 ${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R4} ||
exit 1
267 ${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R3} ||
exit 1
268 ${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R4} ||
exit 1
270 ${kadmin} add -p cross1 --use-defaults krbtgt/${R5}@${R} ||
exit 1
271 ${kadmin5} add -p cross2 --use-defaults krbtgt/${R}@${R5} ||
exit 1
273 ${kadmin5} add -p cross1 --use-defaults krbtgt/${R6}@${R5} ||
exit 1
274 ${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} ||
exit 1
276 ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} ||
exit 1
277 ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} ||
exit 1
279 ${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} ||
exit 1
280 ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} ||
exit 1
282 ${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} ||
exit 1
283 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} ||
exit 1
285 ${kadmin} add -p cross1 --use-defaults krbtgt/${H2}@${R} ||
exit 1
286 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H2} ||
exit 1
288 ${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H2} ||
exit 1
289 ${kadmin} add -p cross2 --use-defaults krbtgt/${H2}@${H3} ||
exit 1
291 ${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H4} ||
exit 1
292 ${kadmin} add -p cross2 --use-defaults krbtgt/${H4}@${H3} ||
exit 1
294 ${kadmin} add
-p foo
--use-defaults pw-expire@
${R} ||
exit 1
295 ${kadmin} modify
--pw-expiration-time=+1day pw-expire@
${R} ||
exit 1
297 ${kadmin} add
-p foo
--use-defaults pw-expired@
${R} ||
exit 1
298 ${kadmin} modify
--pw-expiration-time=2012-06-12 pw-expired@
${R} ||
exit 1
300 ${kadmin} add
-p foo
--use-defaults account-expired@
${R} ||
exit 1
301 ${kadmin} modify
--expiration-time=2012-06-12 account-expired@
${R} ||
exit 1
303 ${kadmin} add
-p foo
--use-defaults foo@
${RH} ||
exit 1
306 ${kadmin} add
-p foo
--use-defaults -- -p ||
exit 1
307 ${kadmin} delete
-- -p ||
exit 1
309 echo "Doing database check"
310 ${kadmin} check
${R} ||
exit 1
311 ${kadmin} check
${R2} ||
exit 1
312 ${kadmin} check
${R3} ||
exit 1
313 ${kadmin} check
${R4} ||
exit 1
314 ${kadmin5} check
${R5} ||
exit 1
315 ${kadmin} check
${R6} ||
exit 1
316 ${kadmin} check
${R7} ||
exit 1
317 ${kadmin} check
${R8} ||
exit 1
318 ${kadmin} check
${H1} ||
exit 1
319 ${kadmin} check
${H2} ||
exit 1
320 ${kadmin} check
${H3} ||
exit 1
321 ${kadmin} check
${H4} ||
exit 1
323 echo "Extracting enctypes"
324 ${ktutil} -k ${keytab} list
> tempfile ||
exit 1
325 ${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
326 ${EGREP} -v "$server" |
# we did cpw for this one
327 awk '$1 !~ /1/ { exit 1 }' ||
exit 1
328 ${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
329 ${EGREP} "$server" |
head -1 |
330 awk '$1 !~ /3/ { exit 1 }' ||
exit 1
333 ${kadmin} get foo@
${R} > tempfile ||
exit 1
334 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'`
336 enctype_sans_aes
=`echo $enctypes | sed 's/aes[^ ]*//g'`
337 enctype_sans_des3
=`echo $enctypes | sed 's/des3-cbc-sha1//g'`
339 echo "deleting all but des enctypes on kt-des3 in keytab"
340 ${kadmin} ext -k ${keytab} kt-des3@${R} ||
exit 1
341 for a
in ${enctype_sans_des3} ; do
342 ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
345 echo "checking globbing keys rules"
346 ${kadmin} get foo
/des3-only@
${R} > tempfile ||
exit 1
347 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
348 if [ X
"$enctypes" != Xdes3-cbc-sha1
] ; then
349 echo "des3 only is not only des3: $enctypes"
353 ${kadmin} get foo
/aes-only@
${R} > tempfile ||
exit 1
354 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
355 if [ X
"$enctypes" != Xaes256-cts-hmac-sha1-96
] ; then
356 echo "aes only is not only aes: $enctypes"
361 echo foo
> ${objdir}/foopassword
362 echo notfoo
> ${objdir}/notfoopassword
364 echo Starting kdc
; > messages.log
365 env MallocStackLogging
=1 MallocStackLoggingNoCompact
=1 MallocErrorAbort
=1 MallocLogFile
=${objdir}/malloc-log \
366 ${kdc} --detach --testing ||
367 { echo "kdc failed to start"; exit 1; }
370 echo Starting kpasswdd
; > messages.log
371 env
${HEIM_MALLOC_DEBUG} ${kpasswdd} --detach ||
372 { echo "kpasswdd failed to start"; exit 1; }
373 kpasswddpid
=`getpid kpasswdd`
376 trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1;" EXIT
380 echo "Getting client initial tickets with wrong password"; > messages.log
381 ${kadmin} modify
--attributes=+disallow-client
${server} ||
exit 1
382 ${kinit} --password-file=${objdir}/notfoopassword \
383 foo@
${R} 2>kinit-log.tmp
&& \
384 { ec
=1 ; eval "${testfailed}"; }
385 grep 'Password incorrect' kinit-log.tmp
> /dev
/null || \
386 { ec
=1 ; eval "${testfailed}"; }
387 echo "Getting client initial tickets"; > messages.log
388 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
389 { ec
=1 ; eval "${testfailed}"; }
390 echo "Doing krbtgt key rollover"; > messages.log
391 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} ||
exit 1
392 echo "Getting tickets"; > messages.log
393 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
394 echo "Listing tickets"; > messages.log
395 ${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
396 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
397 { ec
=1 ; eval "${testfailed}"; }
400 echo "Getting client initial tickets (http transport)"; > messages.log
401 ${kinit} --password-file=${objdir}/foopassword foo@${RH} || \
402 { ec
=1 ; eval "${testfailed}"; }
405 echo "Testing capaths logic"
406 ${kinit} --password-file=${objdir}/foopassword \
407 -e ${aesenctype} -e ${aesenctype} \
409 { ec
=1 ; eval "${testfailed}"; }
411 echo "Getting x-realm tickets with capaths for $R -> $R2"
412 ${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
413 echo "Getting x-realm tickets with capaths for $R -> $R3"
414 ${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
415 echo "Getting x-realm tickets with capaths for $R -> $R4"
416 ${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
417 echo "Getting x-realm tickets with capaths for $R -> $R5"
418 ${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
419 echo "Getting x-realm tickets with capaths for $R -> $R6"
420 ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
421 echo "Getting x-realm tickets with capaths for $R -> $R7"
422 ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
423 echo "Should not get x-realm tickets with capaths for $R -> $R8"
424 ${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; }
427 echo "Testing capaths logic (reverse order)"
428 ${kinit} --password-file=${objdir}/foopassword \
429 -e ${aesenctype} -e ${aesenctype} \
431 { ec
=1 ; eval "${testfailed}"; }
433 echo "Getting x-realm tickets with capaths for $R -> $R4"
434 ${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
435 echo "Getting x-realm tickets with capaths for $R -> $R3"
436 ${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
437 echo "Getting x-realm tickets with capaths for $R -> $R2"
438 ${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
439 echo "Getting x-realm tickets with capaths for $R -> $R7"
440 ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
441 echo "Getting x-realm tickets with capaths for $R -> $R6"
442 ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
443 echo "Getting x-realm tickets with capaths for $R -> $R5"
444 ${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
445 echo "Testing HDB referral entry"
446 ${kgetcred} --canonicalize ${server3}@${R} || { ec=1 ; eval "${testfailed}"; }
450 echo "Testing hierarchical referral logic"
451 ${kinit} --password-file=${objdir}/foopassword \
452 -e ${aesenctype} -e ${aesenctype} \
454 { ec
=1 ; eval "${testfailed}"; }
456 echo "Getting x-realm tickets with HDB referral alias for $R1 -> $R3"
457 ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
458 echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1"
459 ${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; }
460 fgrep
"cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
461 echo "Getting x-realm tickets with hierarchical referrals
for $H3 -> $R"
462 ${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; }
463 fgrep "cross-realm
${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
464 echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2"
465 ${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; }
466 fgrep
"cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; }
469 echo "Testing multi-hop
[capaths
] referral logic
"
470 ${kinit} --password-file=${objdir}/foopassword \
471 -e ${aesenctype} -e ${aesenctype} \
473 { ec=1 ; eval "${testfailed}"; }
475 echo "Getting x-realm tickets with
[capaths
] referrals
for $H4 -> $H1"
476 ${kgetcred} --hostbased --canonicalize foo/host.${h1}@${H4} || { ec=1 ; eval "${testfailed}"; }
479 echo "Testing forwardable
/renewable flag copying
in TGS-REQ
"
480 ${kinit} -f --renewable -r 5d --password-file=${objdir}/foopassword foo@$R || \
481 { ec=1 ; eval "${testfailed}"; }
482 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
483 ${klist} -f | grep ${server} | grep FRA > /dev/null || \
484 { ec=1 ; eval "${testfailed}"; }
486 echo "Testing strip of forwardable when the server is disallowed
in TGS-REQ
"
487 ${kgetcred} sensitive@${R} || { ec=1 ; eval "${testfailed}"; }
488 ${klist} -f | grep sensitive | grep FRA > /dev/null && \
489 { ec=1 ; eval "${testfailed}"; }
491 echo "Specific enctype
"; > messages.log
492 ${kinit} --password-file=${objdir}/foopassword \
493 -e ${aesenctype} -e ${aesenctype} \
495 { ec=1 ; eval "${testfailed}"; }
497 for a in $enctypes; do
498 echo "Getting client initial tickets
($a)"; > messages.log
499 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
500 echo "Getting tickets
"; > messages.log
501 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
502 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
507 echo "Getting client initial tickets
"; > messages.log
508 ${kinit} --password-file=${objdir}/foopassword foo@$R || \
509 { ec=1 ; eval "${testfailed}"; }
510 for a in $enctypes; do
511 echo "Getting tickets
($a)"; > messages.log
512 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
513 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
514 { ec=1 ; eval "${testfailed}"; }
515 ${kdestroy} --credential=${server}@${R}
519 echo "Getting client initial tickets without PAC
"; > messages.log
520 ${kinit} --no-request-pac --password-file=${objdir}/foopassword foo@$R || \
521 { ec=1 ; eval "${testfailed}"; }
522 for a in $enctypes; do
523 echo "Getting tickets
($a)"; > messages.log
524 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
525 ${test_ap_req} ${server}@${R} ${keytab} ${cache} && \
526 { ec=1 ; eval "${testfailed}"; }
527 ${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \
528 { ec=1 ; eval "${testfailed}"; }
529 ${kdestroy} --credential=${server}@${R}
533 echo "Getting client initial tickets with PAC
"; > messages.log
534 ${kinit} --request-pac --password-file=${objdir}/foopassword foo@$R || \
535 { ec=1 ; eval "${testfailed}"; }
536 for a in $enctypes; do
537 echo "Getting tickets
for PAC-less service principal
($a)"; > messages.log
538 ${kgetcred} -e $a ${server4}@${R2} || { ec=1 ; eval "${testfailed}"; }
539 ${test_ap_req} --verify-pac ${server4}@${R2} ${keytab} ${cache} && \
540 { ec=1 ; eval "${testfailed}"; }
541 ${test_ap_req} --no-verify-pac ${server4}@${R2} ${keytab} ${cache} || \
542 { ec=1 ; eval "${testfailed}"; }
543 ${kdestroy} --credential=${server4}@${R2}
547 echo "Getting client authenticated anonymous initial tickets
"; > messages.log
548 ${kinit} -n --password-file=${objdir}/foopassword foo@$R || \
549 { ec=1 ; eval "${testfailed}"; }
550 for a in $enctypes; do
551 echo "Getting tickets
($a)"; > messages.log
552 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
553 ${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \
554 { ec=1 ; eval "${testfailed}"; }
555 ${kdestroy} --credential=${server}@${R}
559 echo "Getting client anonymous service tickets
"; > messages.log
560 ${kinit} --password-file=${objdir}/foopassword foo@$R || \
561 { ec=1 ; eval "${testfailed}"; }
562 for a in $enctypes; do
563 echo "Getting tickets
($a)"; > messages.log
564 ${kgetcred} -n -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
565 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
566 { ec=1 ; eval "${testfailed}"; }
567 ${kdestroy} --credential=${server}@${R}
571 echo "Getting client initial tickets
for cross realm
case"; > messages.log
572 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
573 for a in $enctypes; do
574 echo "Getting cross realm tickets
($a)"; > messages.log
575 ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
576 echo " checking we we got back right ticket
"
577 ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
578 echo " checking
if ticket is useful
"
579 ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
580 { ec=1 ; eval "${testfailed}"; }
581 ${kdestroy} --credential=${server2}@${R2}
585 echo "Trying x-realm TGT with kvno
0 case";
586 ${kinit} --password-file=${objdir}/foopassword foo@$R ||
587 { ec=1 ; eval "${testfailed}"; }
588 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
589 echo "Getting cross realm tickets
"; > messages.log
590 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
591 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
592 echo "Getting service ticket
"; > messages.log
593 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
596 echo "Trying x-realm TGT with kvno
0 case with key rollover
";
597 ${kinit} --password-file=${objdir}/foopassword foo@$R ||
598 { ec=1 ; eval "${testfailed}"; }
599 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
600 echo "Getting cross realm tickets
"; > messages.log
601 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
602 echo "Rolling over cross realm keys
"; > messages.log
603 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
604 ${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
605 ${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
606 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
607 echo "Getting service ticket
"; > messages.log
608 echo "Start tracing kdc
, then hit
return"
609 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
612 echo "Trying x-realm TGT with no kvno
case";
613 ${kinit} --password-file=${objdir}/foopassword foo@$R ||
614 { ec=1 ; eval "${testfailed}"; }
615 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
616 echo "Getting cross realm tickets
"; > messages.log
617 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
618 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
619 echo "Getting service ticket
"; > messages.log
620 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
623 echo "Trying x-realm TGT with no kvno
case with key rollover
";
624 ${kinit} --password-file=${objdir}/foopassword foo@$R ||
625 { ec=1 ; eval "${testfailed}"; }
626 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
627 echo "Getting cross realm tickets
"; > messages.log
628 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
629 echo "Rolling over cross realm keys
"; > messages.log
630 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
631 ${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
632 ${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
633 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
634 echo "Getting service ticket
"; > messages.log
635 echo "Start tracing kdc
, then hit
return"
636 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
639 echo "try all permutations
"; > messages.log
640 for a in $enctypes; do
641 echo "Getting client initial tickets
($a)"; > messages.log
642 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \
643 { ec=1 ; eval "${testfailed}"; }
644 for b in $enctypes; do
645 echo "Getting tickets
($a -> $b)"; > messages.log
646 ${kgetcred} -e $b ${server}@${R} || \
647 { ec=1 ; eval "${testfailed}"; }
648 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
649 { ec=1 ; eval "${testfailed}"; }
650 ${kdestroy} --credential=${server}@${R}
655 echo "Getting client initial tickets ip based name
"; > messages.log
656 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
657 echo "Getting ip based name tickets
"; > messages.log
658 ${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
659 echo " checking we we got back right ticket
"
660 ${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
661 echo " checking
if ticket is useful
"
662 ${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \
663 { ec=1 ; eval "${testfailed}"; }
666 echo "Getting client initial tickets ip based name
(alias)"; > messages.log
667 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
668 for a in ${serveripname} ${serveripname2} ; do
669 echo "Getting ip based name tickets
(alias) $a"; > messages.log
670 ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
671 echo " checking we we got back right ticket
"
672 ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
673 echo " checking
if ticket is useful
"
674 ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \
675 { ec=1 ; eval "${testfailed}"; }
679 echo "Getting server initial tickets
"; > messages.log
680 ${kinit} --keytab=${keytab} ${server}@$R && { ec=1 ; eval "${testfailed}"; }
681 ${kadmin} modify --attributes=-disallow-client ${server} || exit 1
682 ${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
683 echo "Listing tickets
"; > messages.log
684 ${klist} | grep "Principal
: ${server}" > /dev/null || \
685 { ec=1 ; eval "${testfailed}"; }
688 echo "Getting key
for key that are a subset
in keytab compared to kdb
"
689 ${kinit} --keytab=${keytab} kt-des3@${R}
690 ${klist} | grep "Principal
: kt-des3
" > /dev/null || \
691 { ec=1 ; eval "${testfailed}"; }
694 echo "initial tickets
for deleted user
test case"; > messages.log
695 ${kinit} --password-file=${objdir}/foopassword remove@$R || \
696 { ec=1 ; eval "${testfailed}"; }
697 ${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
698 echo "try getting ticket with deleted user
"; > messages.log
699 ${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
702 echo "cross realm
case (deleted user
)"; > messages.log
703 ${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \
704 { ec=1 ; eval "${testfailed}"; }
705 ${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
706 { ec=1 ; eval "${testfailed}"; }
707 ${kadmin} delete remove2@${R2} || exit 1
708 ${kgetcred} ${server}@${R} 2> /dev/null || \
709 { ec=1 ; eval "${testfailed}"; }
712 echo "rename user
"; > messages.log
713 ${kadmin} add -p foo --use-defaults rename@${R} || exit 1
714 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
715 { ec=1 ; eval "${testfailed}"; }
716 ${kadmin} rename rename@${R} rename2@${R} || exit 1
717 ${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
718 { ec=1 ; eval "${testfailed}"; }
720 ${kadmin} delete rename2@${R} || exit 1
722 echo "rename user to another realm
"; > messages.log
723 ${kadmin} add -p foo --use-defaults rename@${R} || exit 1
724 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
725 { ec=1 ; eval "${testfailed}"; }
726 ${kadmin} rename rename@${R} rename@${R2} || exit 1
727 ${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
728 { ec=1 ; eval "${testfailed}"; }
730 ${kadmin} delete rename@${R2} || exit 1
732 echo deleting all but aes enctypes on krbtgt
733 ${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1
735 echo deleting all but des enctypes on server-des3
736 ${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
737 ${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1
739 echo "try all permutations
(only aes
)"; > messages.log
740 for a in $enctypes; do
741 echo "Getting client initial tickets
($a)"; > messages.log
742 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
743 { ec=1 ; eval "${testfailed}"; }
744 for b in $enctypes; do
745 echo "Getting tickets
($a -> $b)"; > messages.log
746 ${kgetcred} -e $b ${server}@${R} || \
747 { ec=1 ; eval "${testfailed}"; }
748 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
749 { ec=1 ; eval "${testfailed}"; }
751 echo "Getting tickets
($a -> $b) (server des3 only
)"; > messages.log
752 ${kgetcred} ${server}-des3@${R} || \
753 { ec=1 ; eval "${testfailed}"; }
754 ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \
755 { ec=1 ; eval "${testfailed}"; }
757 ${kdestroy} --credential=${server}@${R}
758 ${kdestroy} --credential=${server}-des3@${R}
763 echo deleting all enctypes on krbtgt
764 ${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
765 { ec=1 ; eval "${testfailed}"; }
766 echo "try initial ticket w
/o and keys on krbtgt
"
767 ${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \
768 { ec=1 ; eval "${testfailed}"; }
769 echo "adding random aes key
"
770 ${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
771 { ec=1 ; eval "${testfailed}"; }
772 echo "try initial ticket with random aes key on krbtgt
"
773 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
774 { ec=1 ; eval "${testfailed}"; }
780 if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
783 if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
786 if ${kinit} --help 2>&1 | grep "CA certificates
" > /dev/null; then
790 if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
795 # If we support pkinit and have RSA, lets try that
796 if test "$pkinit" = yes -a "$rsa" = yes ; then
798 echo "try anonymous pkinit
"; > messages.log
799 ${kinit} --renewable -n @${R} || \
800 { ec=1 ; eval "${testfailed}"; }
801 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
802 ${kinit} --renew || { ec=1 ; eval "${testfailed}"; }
805 for type in "" "--pk-use-enckey"; do
806 echo "Trying pk-init
(principal
in certificate
) $type"; > messages.log
807 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \
808 { ec=1 ; eval "${testfailed}"; }
809 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
812 echo "Trying pk-init
(principal
in pki-mapping
) $type"; > messages.log
813 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \
814 { ec=1 ; eval "${testfailed}"; }
815 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
818 echo "Trying pk-init
(password protected key
) $type"; > messages.log
819 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
820 { ec=1 ; eval "${testfailed}"; }
821 ${kgetcred} ${server}@${R} || \
822 { ec=1 ; eval "${testfailed}"; }
825 echo "Trying pk-init
(proxy cert
) $type"; > messages.log
826 ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \
827 { ec=1 ; eval "${testfailed}"; }
828 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
833 if test "$ecdsa" = yes > /dev/null ; then
834 echo "Trying pk-init
(ec certificate
)"
836 ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \
837 { ec=1 ; eval "${testfailed}"; }
838 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
840 grep 'PKINIT using ecdh' messages.log > /dev/null || \
841 { ec=1 ; eval "${testfailed}"; }
845 echo "no pkinit
(pkinit
: $pkinit, rsa
: $rsa)"; > messages.log
848 echo "test impersonate using rc4 based tgt
"; > messages.log
849 ${kinit} -e arcfour-hmac-md5 --forwardable --password-file=${objdir}/foopassword ${ps} || \
850 { ec=1 ; eval "${testfailed}"; }
851 ${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
852 { ec=1 ; eval "${testfailed}"; }
853 ${test_ap_req} ${ps} ${keytab} ${ocache} || \
854 { ec=1 ; eval "${testfailed}"; }
856 echo "tickets
for impersonate
test case"; > messages.log
857 ${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
858 { ec=1 ; eval "${testfailed}"; }
859 ${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
860 { ec=1 ; eval "${testfailed}"; }
861 ${test_ap_req} ${ps} ${keytab} ${ocache} || \
862 { ec=1 ; eval "${testfailed}"; }
863 echo " negative check
"
864 ${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
865 { ec=1 ; eval "${testfailed}"; }
867 echo "test impersonate unknown client
"; > messages.log
868 ${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
869 { ec=1 ; eval "${testfailed}"; }
871 echo "test impersonate account-expired client
"; > messages.log
872 ${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \
873 { ec=1 ; eval "${testfailed}"; }
875 echo "test impersonate pw-expired client
"; > messages.log
876 ${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \
877 { ec=1 ; eval "${testfailed}"; }
879 echo "test delegate sensitive client
"; > messages.log
880 ${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
881 { ec=1 ; eval "${testfailed}"; }
883 --out-cache=${o2cache} \
884 --delegation-credential-cache=${ocache} \
886 { ec=1 ; eval "${testfailed}"; }
888 echo "test constrained delegation
(evidence from impersonation
)"; > messages.log
889 ${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
890 { ec=1 ; eval "${testfailed}"; }
892 --out-cache=${o2cache} \
893 --delegation-credential-cache=${ocache} \
895 { ec=1 ; eval "${testfailed}"; }
896 echo " try using the credential
"
897 ${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
898 { ec=1 ; eval "${testfailed}"; }
899 echo " negative check
"
901 --out-cache=${o2cache} \
902 --delegation-credential-cache=${ocache} \
903 bar@${R} 2>/dev/null && \
904 { ec=1 ; eval "${testfailed}"; }
906 echo "test constrained delegation evidence
(evidence from TGS
)"; > messages.log
907 echo bar > ${objdir}/barpassword
908 ${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
909 { ec=1 ; eval "${testfailed}"; }
910 ${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
911 { ec=1 ; eval "${testfailed}"; }
912 # Bug #816 have a regular ticket in ${cache} for ${server} see that it isn't used
913 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
915 --out-cache=${o2cache} \
916 --delegation-credential-cache=${ocache} \
918 { ec=1 ; eval "${testfailed}"; }
919 ${klist2} | grep "Principal: bar@${R}" || { ec=1 ; eval "${testfailed}"; }
920 echo " try using the credential
"
921 ${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
922 { ec=1 ; eval "${testfailed}"; }
923 echo " negative check
"
925 --out-cache=${o2cache} \
926 --delegation-credential-cache=${ocache} \
927 bar@${R} 2>/dev/null && \
928 { ec=1 ; eval "${testfailed}"; }
930 echo "test constrained delegation with foreign client
(evidence from TGS
)"; > messages.log
931 # We can't test foreign client with evidence from S4U2Self, since Heimdal doesn't support it yet
933 ${kinit} --cache=${icache} --forwardable --password-file=${objdir}/foopassword foo@${R2} || \
934 { ec=1 ; eval "${testfailed}"; }
935 ${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
936 { ec=1 ; eval "${testfailed}"; }
938 --out-cache=${o2cache} \
939 --delegation-credential-cache=${ocache} \
941 { ec=1 ; eval "${testfailed}"; }
942 ${klist2} | grep "Principal: foo@${R2}" || { ec=1 ; eval "${testfailed}"; }
943 echo " try using the credential
"
944 ${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
945 { ec=1 ; eval "${testfailed}"; }
947 echo "test constrained delegation impersonation
(non forward
)"; > messages.log
949 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
950 { ec=1 ; eval "${testfailed}"; }
951 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
952 { ec=1 ; eval "${testfailed}"; }
954 echo "test constrained delegation evidence
(evidence from AS
)"; > messages.log
955 # This fails because we don't add PAC ticket-signature in AS-REP (as Windows).
956 ${kinit} --cache=${ocache} --password-file=${objdir}/barpassword \
957 --forwardable --server=${ps} bar@${R} || \
958 { ec=1 ; eval "${testfailed}"; }
959 ${kgetcred} --delegation-credential-cache=${ocache} ${server}@${R} && \
960 { ec=1 ; eval "${testfailed}"; }
962 echo "test constrained delegation impersonation
(missing PAC
)"; > messages.log
964 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
965 { ec=1 ; eval "${testfailed}"; }
966 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
967 { ec=1 ; eval "${testfailed}"; }
971 echo "test constrained delegation NOT trusted-for-delegation
(evidence from TGS
)"; > messages.log
973 ${kinit} --forwardable --password-file=${objdir}/foopassword ${rps} || \
974 { ec=1 ; eval "${testfailed}"; }
975 ${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
976 { ec=1 ; eval "${testfailed}"; }
977 ${kgetcred} --cache=${icache} --out-cache=${ocache} ${rps} || \
978 { ec=1 ; eval "${testfailed}"; }
980 --out-cache=${o2cache} \
981 --delegation-credential-cache=${ocache} \
983 { ec=1 ; eval "${testfailed}"; }
984 ${klist2} | grep "Principal: bar@${R}" || { ec=1 ; eval "${testfailed}"; }
985 ${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
986 { ec=1 ; eval "${testfailed}"; }
988 echo "test constrained delegation NOT trusted-for-delegation
(evidence from impersonate
, negative
)"; > messages.log
990 ${kgetcred_imp} --impersonate=bar@${R} ${rps} || \
991 { ec=1 ; eval "${testfailed}"; }
992 ${test_ap_req} ${rps} ${keytab} ${ocache} || \
993 { ec=1 ; eval "${testfailed}"; }
995 --out-cache=${o2cache} \
996 --delegation-credential-cache=${ocache} \
998 { ec=1 ; eval "${testfailed}"; }
1000 echo "test constrained delegation bronze-bit attack
, aka CVE-2020-17049
"; > messages.log
1002 KRB5CCNAME=${ocache} KRB5_KTNAME=${keytab} ${test_mkforwardable} ${rps} ${icache} || \
1003 { ec=1 ; eval "${testfailed}"; }
1006 --out-cache=${o2cache} \
1007 --delegation-credential-cache=${icache} \
1009 { ec=1 ; eval "${testfailed}"; }
1012 echo "check renewing
" > messages.log
1013 ${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
1014 { ec=1 ; eval "${testfailed}"; }
1017 { ec=1 ; eval "${testfailed}"; }
1018 echo "check renewing MIT interface
" > messages.log
1019 ${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
1020 { ec=1 ; eval "${testfailed}"; }
1022 env KRB5CCNAME=${cache} ${test_renew} || \
1023 { ec=1 ; eval "${testfailed}"; }
1026 echo "checking server aliases
"; > messages.log
1027 ${kinit} --password-file=${objdir}/foopassword foo@$R || \
1028 { ec=1 ; eval "${testfailed}"; }
1029 echo "Getting tickets
"; > messages.log
1030 ${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
1031 ${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
1032 echo " verify entry
in keytab
"
1033 ${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
1034 { ec=1 ; eval "${testfailed}"; }
1035 echo " verify entry
in keytab with any
"
1036 ${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
1037 { ec=1 ; eval "${testfailed}"; }
1038 echo " verify failure with
alias entry
"
1039 ${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \
1040 { ec=1 ; eval "${testfailed}"; }
1041 echo " verify
alias entry
in keytab with any
"
1042 ${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
1043 { ec=1 ; eval "${testfailed}"; }
1046 echo "testing removal of keytab
"
1047 ${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
1048 test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }
1050 echo "Checking client pw expire
"; > messages.log
1051 ${kinit} --password-file=${objdir}/foopassword \
1052 pw-expire@${R} 2>kinit-log.tmp|| \
1053 { ec=1 ; eval "${testfailed}"; }
1054 grep 'Your password will expire' kinit-log.tmp > /dev/null || \
1055 { ec=1 ; eval "${testfailed}"; }
1056 echo " kinit passes
"
1057 ${test_gic} --client=pw-expire@${R} --password=foo > kinit-log.tmp 2>/dev/null
1058 ${EGREP} "^e
type: 6" kinit-log.tmp > /dev/null || \
1059 { ec=1 ; eval "${testfailed}"; }
1060 echo " test_gic passes
"
1063 echo "Checking password expiration
" ; > messages.log
1065 kinitpty=${objdir}/foopassword.rkpty
1066 cat > ${kinitpty} <<EOF
1069 expect Password has expired
1074 expect Success: Password changed
1077 echo "Checking client pw expire
"; > messages.log
1078 ${rkpty} ${kinitpty} ${kinit} pw-expired@${R}|| \
1079 { ec=1 ; eval "${testfailed}"; }
1084 echo "killing kdc
(${kdcpid}) kpasswdd
(${kpasswddpid})"
1085 sh ${leaks_kill} kdc $kdcpid || exit 1
1086 sh ${leaks_kill} kpasswdd $kpasswddpid || exit 1