| author | Greg Hudson <ghudson@mit.edu> | 2012-04-02 17:49:56 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-04-02 17:49:56 +0000 |
| commit | d345f8234f52ea776ba781707a202409933b2477 (patch) | |
| tree | eb7aa1860c8c05058bb4e066ab03e5d9f632056f /src/tests | |
| parent | 3f19f78897bcc370261cae11fb7ac18378e3055c (diff) | |
Make cross-TGT key rollover work from AD to MIT
Active Directory always issues cross-realm tickets without a kvno,
which we see as kvno 0. When we see that, try the highest kvno (as we
already do) and then a few preceding kvnos so that key rollover of the
AD->MIT cross TGT can work.
Add new helpers kdc_rd_ap_req, which takes the place of a couple of
steps from kdc_process_tgs_req, and find_server_key, which takes the
place of some of the end steps of kdc_get_server_key.
Code changes by Nicolas Williams. Test cases by me.
ticket: 7109
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25799 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/tests')
| -rw-r--r-- | src/tests/t_keyrollover.py | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
index 4af76ae9a..af38b8e18 100644
--- a/src/tests/t_keyrollover.py
+++ b/src/tests/t_keyrollover.py
@@ -43,4 +43,39 @@ expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
 if expected not in output:
     fail('keyrollover: expected TGS enctype not found after change')
 
+# Test that the KDC only accepts the first enctype for a kvno, for a
+# local-realm TGS request.  To set this up, we abuse an edge-case
+# behavior of modprinc -kvno.  First, set up a DES3 krbtgt entry at
+# kvno 1 and cache a krbtgt ticket.
+realm.run_kadminl('cpw -randkey -e des3-cbc-sha1:normal krbtgt/%s' %
+                  realm.realm)
+realm.run_kadminl('modprinc -kvno 1 krbtgt/%s' % realm.realm)
+realm.kinit(realm.user_princ, password('user'))
+# Add an AES krbtgt entry at kvno 2, and then reset it to kvno 1
+# (modprinc -kvno sets the kvno on all entries without deleting any).
+realm.run_kadminl('cpw -randkey -keepold -e aes256-cts:normal krbtgt/%s' %
+                  realm.realm)
+realm.run_kadminl('modprinc -kvno 1 krbtgt/%s' % realm.realm)
+output = realm.run_kadminl('getprinc krbtgt/%s' % realm.realm)
+if 'vno 1, aes256' not in output or 'vno 1, des3' not in output:
+    fail('keyrollover: setup for TGS enctype test failed')
+# Now present the DES3 ticket to the KDC and make sure it's rejected.
+realm.run_as_client([kvno, realm.host_princ], expected_code=1)
+
+realm.stop()
+
+# Test a cross-realm TGT key rollover scenario where realm 1 mimics
+# the Active Directory behavior of always using kvno 0 when issuing
+# cross-realm TGTs.  The first kvno invocation caches a cross-realm
+# TGT with the old key, and the second kvno invocation sends it to
+# r2's KDC with no kvno to identify it, forcing the KDC to try
+# multiple keys.
+r1, r2 = cross_realms(2, start_kadmind=False)
+r1.run_kadminl('modprinc -kvno 0 krbtgt/%s' % r2.realm)
+r1.run_as_client([kvno, r2.host_princ])
+r2.run_kadminl('cpw -pw newcross -keepold krbtgt/%s@%s' % (r2.realm, r1.realm))
+r1.run_kadminl('cpw -pw newcross krbtgt/%s' % r2.realm)
+r1.run_kadminl('modprinc -kvno 0 krbtgt/%s' % r2.realm)
+r1.run_as_client([kvno, r2.user_princ])
+
 success('keyrollover')
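Review bot: The cross-realm block at the end of the hunk performs a single `-keepold` rollover of `krbtgt/R2@R1` before presenting the stale kvno-0 TGT, so it pins that the KDC finds one preceding kvno but not that the lookback is bounded; the commit message says the KDC tries "a few preceding kvnos", and without a negative case that window could silently widen until arbitrarily old cross-TGT keys stay accepted. I would add, after the final `r1.run_as_client([kvno, r2.user_princ])`, enough further `cpw -pw ... -keepold` rollovers on r2's side to push the original key past the lookback depth (take the depth from the KDC change; it is not visible here), followed by `r1.run_as_client([kvno, r2.user_princ], expected_code=1)` to confirm the old key is then refused. Relatedly, both positive `run_as_client` calls assert only a zero exit, so nothing verifies that the cached cross-realm TGT actually carried kvno 0; checking the credential cache contents, the way the local-realm block checks the `getprinc` output, would separate a setup failure from a regression in the fallback path. The hunk is a flat test script, so no enclosing definition is cut at its edges.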
