| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
ticket: 7868
|
|
|
|
|
|
|
|
|
|
|
| |
Send encodings that are invalid KDC-REQs, but pass krb5_is_as_req()
and krb5_is_tgs_req(), to make sure that the KDC recovers correctly
from failures in decode_krb5_as_req() and decode_krb5_tgs_req(). Also
send an encoding that isn't a valid KDC-REQ.
ticket: 7811 (new)
target_version: 1.12.1
tags: pullup
|
|
|
|
|
| |
A few test programs didn't make it into .gitignore, OBJS, or
EXTRADEPSRCS.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Create a principal with a pair of enctypes using different salt types.
Confirm that the non-default salt type appears only once in the principal's
key list.
Also verify that the afs3 salt type is rejected by non-DES enctypes
The afs3 salt type is for compatibility with AFS-3 kaservers, which
are roughly krb4. As such, it only makes sense for single-DES
enctypes. The PBKDF2 and arcfour enctypes correctly reject the
key-creation parameters from the afs3 salt, but triple-DES currently
does not.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove tests/mkeystash_compat and tests/mk_migr. These are superseded
by t_mkey.py, with two exceptions:
tests/mk_migr included tests for password history across master key
rollovers. Historical keys are encrypted in the kadmin/history key
(which is accessed like any other key), so there isn't a specific need
to test this unless we implement #1221.
tests/mk_migr had provisions for testing master key rollover with the
LDAP KDB module. All master key logic used in the LDAP KDB module is
shared with the DB2 module in lib/kdb, so there is no specific need to
test this combination.
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new script t_mkey.py using the k5test framework. Test the fixes
for #6507, #7685, and #7686 as well as basic functionality and
old-stashfile compatibility.
dump.16 was created by running "kdb5_util create -s -P footes" and
"kdb5_util dump dumpfile" with krb5 1.6. The key from the resulting
stash file was extracted and placed in the struct.pack() call in the
new test script.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
|
|
|
|
|
|
|
|
|
|
| |
Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).
ticket: 7687
|
| |
|
|
|
|
| |
ticket: 7680
|
|
|
|
|
|
|
|
|
| |
Add kadmin support for "addprinc -nokey", which creates a principal
with no keys, and "purgekeys -all", which deletes all keys from a
principal. The KDC was modified by #7630 to support principals
without keys.
ticket: 7679 (new)
|
|
|
|
|
|
|
|
|
|
| |
This plugin implements the proposal for providing OTP support by
proxying requests to RADIUS. Details can be found inside the
provided documentation as well as on the project page.
http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
ticket: 7678
|
|
|
|
|
|
| |
ticket: 7670 (new)
tags: pullup
target_version: 1.11.4
|
|
|
|
|
|
|
|
|
|
| |
Create a test module for the pwqual interface, and script to exercise
the built-in and test modules through kadmin.local. Also create a
test harness to display the order of pwqual modules for the current
configuration, and use it to test the plugin module ordering
guarantees.
ticket: 7665
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the gak_data value used by krb5_get_as_key_password, separate the
already-known password from the storage we might have allocated to put
it in, so that we no longer use an empty data buffer to determine
whether we know the password. This allows empty passwords to work via
the API.
Remove the kadm5 test which explicitly uses an empty password.
Based on a patch from Stef Walter.
ticket: 7642
|
|
|
|
|
|
|
|
|
| |
Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH,
SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be
specified in the common case. Rename KRB5_RUN_ENV and KRB5_RUN_VARS
to RUN_SETUP (already the most commonly used name) and RUN_VARS. Make
sure to use DEFINES for local defines (not DEFS). Remove some other
unnecessary makefile content.
|
|
|
|
| |
ticket: 7635 (new)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add tests for non-anonymous PKINIT:
* FILE: with no password
* FILE: with a password
* DIR: with no password
* DIR: with a password
* PKCS12: with no password
* PKCS12: with a password
* PKCS11: with a password, if soft-pkcs11.so is found via ctypes
[ghudson@mit.edu: reformatted to 79 columns; removed intermediate
success() calls]
|
|
|
|
|
|
|
|
| |
Create a test module, program, and script to exercise the
krb5_aname_to_localname and krb5_k5userok functions as well as the
localauth pluggable interface.
ticket: 7583
|
|
|
|
| |
ticket: 7585
|
|
|
|
|
|
| |
Create a K5Realm.kprop_port method so test scripts can invoke kprop
usefully, and create a simple Python test script exercising the same
kprop functionality as the dejagnu suite's kprop.exp.
|
|
|
|
|
|
|
|
| |
Move the existing dump/load tests from t_general.py to a new script
t_dump.py. Add additional tests using pre-created dumpfiles, to
exercise the -r18, -r13, -b7, and -ov formats.
bigredbutton: whitespace
|
| |
|
|
|
|
|
|
|
| |
Test the KDC host-based referral support in t_referral.py, using a new
harness to call krb5_get_credentials with a specified server name
type. Also use this new harness for the #7483 regression test, to
avoid relying on an undocumented kvno extension.
|
|
|
|
|
| |
Create a combined script for policy-related tests, and fold in the
existing lockout, password history, and allowed-keysalts tests.
|
|
|
|
|
|
|
|
|
|
| |
A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.
ticket: 7483
target_version: 1.11
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new tests kdbtest.c and t_kdb.py. Together these exercise most of
the code in the LDAP back end. kdbtest is also run against the DB2
module, which is mostly redundant with other tests, but does exercise
the lockout logic a little more thoroughly than t_lockout.py can.
To test the LDAP back end, we look for slapd and ldapadd binaries in
the path. The system slapd is sometimes constrained by AppArmor or
the like, which we can typically work around by making a copy of the
binary. slapd detaches before listening on its server socket (this
got better in 2.4.27 but still isn't perfect), so we unfortunately
have to use a one-second sleep in the slapd setup.
|
|
|
|
| |
ticket: 7374
|
|
|
|
|
|
| |
Test the fix for https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
Also test that krb5kdc can return svc unavailable
|
|
|
|
|
|
| |
ticket: 7231 (new)
target_version: 1.10.3
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This simply adds KADM5_API_VERSION_4 and various fields to the
policy structures:
- attributes (policy-ish principal attributes)
- max_life (max ticket life)
- max_renewable_life (max ticket renewable life)
- allowed_keysalts (allowed key/salt types)
- TL data (future policy extensions)
Of these only allowed_keysalts is currently implemented.
Some refactoring of TL data handling is also done.
ticket: 7223 (new)
|
|
|
|
|
|
|
| |
Generalize the ccache collection tests in t_cccol.py to multiple kinds
of ccache tests, and rename it to avoid confusion with the lower-level
lib/krb5/ccache/t_cccol.py. Move a test from t_general.py into
t_ccache.py.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
|
|
|
|
|
|
|
|
|
| |
Add a Python script to test the enforcement of kadm5.acl
specifications, including wildcards and restrictions.
ticket: 7097
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25828 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A database created prior to 1.3 will have multiple password history
keys, and kadmin prior to 1.8 won't necessarily choose the first one.
So if there are multiple keys, we have to try them all. If none of
the keys can decrypt a password history entry, don't fail the password
change operation; it's not worth it without positive evidence of
password reuse.
ticket: 7099
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25819 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
Create a test script for keytab-related tests. Move the kvno wrapping
test there from t_general.py, and augment it to better match what's in
standalone.exp. Add tests for kinit with keytab, including kinit with
the most-preferred enctype missing from the keytab (which currently
fails).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25815 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
| |
Add a KDC option (-T) to run with a time offset, and use that to
test kdc_timesync behavior.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25807 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25437 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
| |
Instead, use $(BUILDTOP)/plugins as the plugin base for tests. For
each real plugin module, create a link in the parent directory if
we're doing a shared-library build--so built KDB modules can be found
in plugins/kdb, preauth modules in plugins/preauth, etc..
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25436 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
Add a cross_realms function to k5test.py to generate several linked
realms. Add a test script t_crossrealm.py to exercise six different
cross-realm scenarios.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25429 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
| |
Also, disable kdc_realm test until it works correctly on an
uninstalled build and when built outside of the source tree.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25289 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
different
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25288 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
http://k5wiki.kerberos.org/wiki/Projects/domain_realm_referrals project) test suite into "make check"
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25284 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25215 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* "kdestroy -A" destroys all caches in collection.
* "kinit princ" searches the collection for a matching cache and
overwrites it, or creates a new cache in the collection, if the
type of the default cache is collection-enabled. The chosen cache
also becomes the primary cache for the collection.
* "klist -l" lists (in summary form) the caches in the collection.
* "klist -A" lists the content of all of the caches in the collection.
* "kswitch -c cache" (new command) makes cache the primary cache.
* "kswitch -p princ" makes the cache for princ the primary cache.
ticket: 6956
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25157 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
salts as necessary. Add a principal rename command to the client.
(The RPC infrastructure was already present.)
Adapted from patches submitted by mdw@umich.edu and lha@apple.com.
ticket: 6323
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24604 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
options were not folded into the renewal request (most notably, the
KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed
tickets. Add a simple test case for ticket renewal.
ticket: 6838
tags: pullups
target_version: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24566 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
ticket: 1219
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24555 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24393 dc483132-0cff-0310-8789-dd5450dbe970
|