author | Tom Yu <tlyu@mit.edu> | 2010-12-03 12:34:53 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2010-12-03 12:34:53 +0000 |
commit | ffdd6134851028a85c0cbd54689f86aa4fa7ff50 (patch) | |
tree | 66f780df1cc0d2c51e450f5e8c676dc3ddddc5be /src/tests/t_keyrollover.py | |
parent | e6dc8d1eb75cefa27371b3fe71d25b173f088bae (diff) | |
download | krb5-ffdd6134851028a85c0cbd54689f86aa4fa7ff50.tar.gz krb5-ffdd6134851028a85c0cbd54689f86aa4fa7ff50.tar.xz krb5-ffdd6134851028a85c0cbd54689f86aa4fa7ff50.zip |
Test for key rollover for TGT, including purging old keys
ticket: 1219
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24555 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/tests/t_keyrollover.py')
-rw-r--r-- | src/tests/t_keyrollover.py | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
new file mode 100644
index 0000000000..4af76ae9a5
--- /dev/null
+++ b/src/tests/t_keyrollover.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+from k5test import *
+
+rollover_krb5_conf = {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}}
+
+realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
+                krb5_conf=rollover_krb5_conf)
+
+princ1 = 'host/test1@%s' % (realm.realm,)
+princ2 = 'host/test2@%s' % (realm.realm,)
+realm.addprinc(princ1)
+realm.addprinc(princ2)
+
+realm.run_as_client([kvno, realm.host_princ])
+
+# Change key for TGS, keeping old key.
+realm.run_kadminl('cpw -randkey -e aes256-cts:normal -keepold krbtgt/%s@%s' %
+                  (realm.realm, realm.realm))
+
+# Ensure that kvno still works with an old TGT.
+realm.run_as_client([kvno, princ1])
+
+realm.run_kadminl('purgekeys krbtgt/%s@%s' % (realm.realm, realm.realm))
+# Make sure an old TGT fails after purging old TGS key.
+realm.run_as_client([kvno, princ2], expected_code=1)
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
+    (realm.realm, realm.realm)
+
+if expected not in output:
+    fail('keyrollover: expected TGS enctype not found')
+
+# Check that new key actually works.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
+    'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
+    (realm.realm, realm.realm)
+
+if expected not in output:
+    fail('keyrollover: expected TGS enctype not found after change')
+
+success('keyrollover')
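Review bot: The negative check `realm.run_as_client([kvno, princ2], expected_code=1)` only asserts a non-zero exit status, so kvno failing for an unrelated reason (KDC not reachable, a typo in the principal) would satisfy it just as well, and the purge of the old krbtgt key would not actually be proven. Since run_as_client returns the command output (it is captured for klist on the next line), capture it here too, `output = realm.run_as_client([kvno, princ2], expected_code=1)`, and assert that the failure text is the KDC rejecting the old TGT rather than some other error; the exact message is not on this page, so it should be taken from a run against this KDC. On the same theme, the results of the `cpw -randkey -e aes256-cts:normal -keepold` and `purgekeys` commands are never inspected; if run_kadminl does not raise on a kadmin command error (I cannot tell from this diff), a failed purge would leave the old key in place and the test would only fail later with the less specific "expected TGS enctype not found" message, so checking the kadmin output would localise such a failure.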