| -rw-r--r-- | src/tests/Makefile.in | 1 | ||||
| -rw-r--r-- | src/tests/t_keyrollover.py | 46 |
2 files changed, 47 insertions, 0 deletions
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 85a592b8dc..cc3eafec58 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -65,6 +65,7 @@ check-pytests::
 $(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)

 clean::
 $(RM) kdc.conf
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
new file mode 100644
index 0000000000..4af76ae9a5
--- /dev/null
+++ b/src/tests/t_keyrollover.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+from k5test import *
+
+rollover_krb5_conf = {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}}
+
+realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
+ krb5_conf=rollover_krb5_conf)
+
+princ1 = 'host/test1@%s' % (realm.realm,)
+princ2 = 'host/test2@%s' % (realm.realm,)
+realm.addprinc(princ1)
+realm.addprinc(princ2)
+
+realm.run_as_client([kvno, realm.host_princ])
+
+# Change key for TGS, keeping old key.
+realm.run_kadminl('cpw -randkey -e aes256-cts:normal -keepold krbtgt/%s@%s' %
+ (realm.realm, realm.realm))
+
+# Ensure that kvno still works with an old TGT.
+realm.run_as_client([kvno, princ1])
+
+realm.run_kadminl('purgekeys krbtgt/%s@%s' % (realm.realm, realm.realm))
+# Make sure an old TGT fails after purging old TGS key.
+realm.run_as_client([kvno, princ2], expected_code=1)
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
+ (realm.realm, realm.realm)
+
+if expected not in output:
+ fail('keyrollover: expected TGS enctype not found')
+
+# Check that new key actually works.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
+ 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
+ (realm.realm, realm.realm)
+
+if expected not in output:
+ fail('keyrollover: expected TGS enctype not found after change')
+
+success('keyrollover')
|
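Review bot: The negative check `realm.run_as_client([kvno, princ2], expected_code=1)` pins only the exit status, so any kvno failure (a missing principal, an unusable credential cache) satisfies it, not specifically the KDC rejecting the TGT encrypted in the purged TGS key. Capture the output and assert on the error text as well, e.g. `output = realm.run_as_client([kvno, princ2], expected_code=1)` followed by `if '<EXPECTED_KDC_ERROR_TEXT>' not in output: fail('keyrollover: unexpected kvno failure')`, with the placeholder replaced by the message the KDC actually returns in this scenario. The `cpw -keepold` and `purgekeys` invocations likewise discard their output; if run_kadminl does not itself fail on a kadmin error, a failed purgekeys would leave the old key in place and only the later AES enctype assertion would indirectly catch it, so checking those results would make the failure point clearer. A one-line comment above `rollover_krb5_conf`, such as `# DES is used only as the initial TGS key so the rollover to AES is observable in klist -e output; allow_weak_crypto is required for the client to accept it.`, would explain why weak crypto is enabled in a test.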
