diff options
author | Greg Hudson <ghudson@mit.edu> | 2012-04-17 03:19:12 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2012-04-17 03:19:12 +0000 |
commit | 8d689cea3561d5912db218a4fdf9bdf3c1c6d3b0 (patch) | |
tree | e1a7de9d2c4ddf4922ae616e410b4baaeab6331d /src/tests/t_skew.py | |
parent | 07b2ae74d0b7600fe1e0eb1de8a12806d7403770 (diff) | |
download | krb5-8d689cea3561d5912db218a4fdf9bdf3c1c6d3b0.tar.gz krb5-8d689cea3561d5912db218a4fdf9bdf3c1c6d3b0.tar.xz krb5-8d689cea3561d5912db218a4fdf9bdf3c1c6d3b0.zip |
Add clock skew tests
Add a KDC option (-T) to run with a time offset, and use that to
test kdc_timesync behavior.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25807 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/tests/t_skew.py')
-rw-r--r-- | src/tests/t_skew.py | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py new file mode 100644 index 000000000..f00c2f920 --- /dev/null +++ b/src/tests/t_skew.py @@ -0,0 +1,38 @@ +#!/usr/bin/python +from k5test import * + +# Create a realm with the KDC one hour in the past. +realm = K5Realm(start_kadmind=False, start_kdc=False) +realm.start_kdc(['-T', '-3600']) + +# kinit (no preauth) should work, and should set a clock skew allowing +# kvno to work, with or without FAST. +realm.kinit(realm.user_princ, password('user')) +realm.run_as_client([kvno, realm.host_princ]) +realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache]) +realm.run_as_client([kvno, realm.host_princ]) +realm.run_as_client([kdestroy]) + +# kinit (with preauth) should fail. +realm.run_kadminl('modprinc +requires_preauth user') +realm.kinit(realm.user_princ, password('user'), expected_code=1) + +realm.stop() + +# Repeat the above tests with kdc_timesync disabled. +conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}} +realm = K5Realm(start_kadmind=False, start_kdc=False, krb5_conf=conf) +realm.start_kdc(['-T', '-3600']) + +# kinit (no preauth) should work, but kvno should not. kinit with +# FAST should also fail since the armor AP-REQ won't be valid. +realm.kinit(realm.user_princ, password('user')) +realm.run_as_client([kvno, realm.host_princ], expected_code=1) +realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache], + expected_code=1) + +# kinit (with preauth) should fail. +realm.run_kadminl('modprinc +requires_preauth user') +realm.kinit(realm.user_princ, password('user'), expected_code=1) + +success('Clock skew tests') |