Diffstat (limited to 'src')
-rw-r--r-- | src/kadmin/cli/kadmin.c | 49 | ||||
-rw-r--r-- | src/lib/kadm5/admin.h | 1 | ||||
-rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 11 | ||||
-rw-r--r-- | src/tests/Makefile.in | 1 | ||||
-rw-r--r-- | src/tests/dumpfiles/dump | 1 | ||||
-rw-r--r-- | src/tests/dumpfiles/dump.b7 | 1 | ||||
-rw-r--r-- | src/tests/dumpfiles/dump.ov | 1 | ||||
-rw-r--r-- | src/tests/dumpfiles/dump.r13 | 1 | ||||
-rw-r--r-- | src/tests/dumpfiles/dump.r18 | 1 | ||||
-rw-r--r-- | src/tests/t_dump.py | 3 | ||||
-rw-r--r-- | src/tests/t_keydata.py | 70 |
11 files changed, 122 insertions, 18 deletions
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index 6f6a8ba46..b2b464b05 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -940,8 +940,8 @@ unlock_princ(kadm5_principal_ent_t princ, long *mask, const char *caller) static int kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc, long *mask, char **pass, krb5_boolean *randkey, - krb5_key_salt_tuple **ks_tuple, int *n_ks_tuple, - char *caller) + krb5_boolean *nokey, krb5_key_salt_tuple **ks_tuple, + int *n_ks_tuple, char *caller) { int i, attrib_set; size_t j; @@ -955,6 +955,7 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc, *ks_tuple = NULL; time(&now); *randkey = FALSE; + *nokey = FALSE; for (i = 1; i < argc - 1; i++) { attrib_set = 0; if (!strcmp("-x",argv[i])) { @@ -1048,6 +1049,10 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc, *randkey = TRUE; continue; } + if (!strcmp("-nokey", argv[i])) { + *nokey = TRUE; + continue; + } if (!strcmp("-unlock", argv[i])) { unlock_princ(oprinc, mask, caller); continue; @@ -1104,9 +1109,9 @@ kadmin_addprinc_usage() fprintf(stderr, _("usage: add_principal [options] principal\n")); fprintf(stderr, _("\toptions are:\n")); fprintf(stderr, - _("\t\t[-x db_princ_args]* [-expire expdate] " + _("\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] " "[-pwexpire pwexpdate] [-maxlife maxtixlife]\n" - "\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n" + "\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n" "\t\t[-pw password] [-maxrenewlife maxrenewlife]\n" "\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n") ); @@ -1170,7 +1175,7 @@ kadmin_addprinc(int argc, char *argv[]) { kadm5_principal_ent_rec princ; long mask; - krb5_boolean randkey = FALSE, old_style_randkey = FALSE; + krb5_boolean randkey = FALSE, nokey = FALSE, old_style_randkey = FALSE; int n_ks_tuple; krb5_key_salt_tuple *ks_tuple = NULL; char *pass, *canon = NULL; 
@@ -1183,7 +1188,8 @@ kadmin_addprinc(int argc, char *argv[]) princ.attributes = 0; if (kadmin_parse_princ_args(argc, argv, &princ, &mask, &pass, &randkey, - &ks_tuple, &n_ks_tuple, "add_principal")) { + &nokey, &ks_tuple, &n_ks_tuple, + "add_principal")) { kadmin_addprinc_usage(); goto cleanup; } @@ -1214,7 +1220,10 @@ kadmin_addprinc(int argc, char *argv[]) /* Don't send KADM5_POLICY_CLR to the server. */ mask &= ~KADM5_POLICY_CLR; - if (randkey) { + if (nokey) { + pass = NULL; + mask |= KADM5_KEY_DATA; + } else if (randkey) { pass = NULL; } else if (pass == NULL) { unsigned int sz = sizeof(newpw) - 1; @@ -1245,6 +1254,11 @@ kadmin_addprinc(int argc, char *argv[]) retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass); old_style_randkey = 1; } + if (retval == KADM5_BAD_MASK && nokey) { + fprintf(stderr, _("Admin server does not support -nokey while " + "creating \"%s\"\n"), canon); + goto cleanup; + } if (retval) { com_err("add_principal", retval, "while creating \"%s\".", canon); goto cleanup; @@ -1283,7 +1297,7 @@ kadmin_modprinc(int argc, char *argv[]) long mask; krb5_error_code retval; char *pass, *canon = NULL; - krb5_boolean randkey = FALSE; + krb5_boolean randkey = FALSE, nokey = FALSE; int n_ks_tuple = 0; krb5_key_salt_tuple *ks_tuple = NULL; @@ -1316,10 +1330,10 @@ kadmin_modprinc(int argc, char *argv[]) kadm5_free_principal_ent(handle, &oldprinc); retval = kadmin_parse_princ_args(argc, argv, &princ, &mask, - &pass, &randkey, + &pass, &randkey, &nokey, &ks_tuple, &n_ks_tuple, "modify_principal"); - if (retval || ks_tuple != NULL || randkey || pass) { + if (retval || ks_tuple != NULL || randkey || nokey || pass) { kadmin_modprinc_usage(); goto cleanup; } 
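Review bot: In the `if (nokey) { pass = NULL; mask |= KADM5_KEY_DATA; }` branch of kadmin_addprinc, `-nokey` silently wins over `-pw` and `-randkey`. The parser hunk sets `*nokey` and `*randkey` independently, and the `[-randkey|-nokey]` exclusivity shown in the usage text is not enforced in any line visible here. An operator who passes `-nokey -pw ...` gets a principal with no keys and no hint that the password was discarded. Rejecting the combination before this branch, e.g. `if (nokey && (randkey || pass != NULL)) { kadmin_addprinc_usage(); goto cleanup; }`, makes the conflict explicit. The svr_principal.c hunk has the same precedence (`mask & KADM5_KEY_DATA` is tested before `password`); kadmin_addprinc starts and ends outside these hunks.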
@@ -1801,13 +1815,15 @@ kadmin_purgekeys(int argc, char *argv[]) if (argc == 4 && strcmp(argv[1], "-keepkvno") == 0) { keepkvno = atoi(argv[2]); pname = argv[3]; - } - if (argc == 2) { + } else if (argc == 3 && strcmp(argv[1], "-all") == 0) { + keepkvno = KRB5_INT32_MAX; + pname = argv[2]; + } else if (argc == 2) { pname = argv[1]; } if (pname == NULL) { - fprintf(stderr, _("usage: purgekeys [-keepkvno oldest_kvno_to_keep] " - "principal\n")); + fprintf(stderr, _("usage: purgekeys " + "[-all|-keepkvno oldest_kvno_to_keep] principal\n")); return; } @@ -1830,7 +1846,10 @@ kadmin_purgekeys(int argc, char *argv[]) goto cleanup; } - printf(_("Old keys for principal \"%s\" purged.\n"), canon); + if (keepkvno == KRB5_INT32_MAX) + printf(_("All keys for principal \"%s\" removed.\n"), canon); + else + printf(_("Old keys for principal \"%s\" purged.\n"), canon); cleanup: krb5_free_principal(context, princ); free(canon); diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h index 189ca45cf..8f377f804 100644 --- a/src/lib/kadm5/admin.h +++ b/src/lib/kadm5/admin.h @@ -110,6 +110,7 @@ typedef long kadm5_ret_t; #define KADM5_RANDKEY_USED 0x100000 #endif #define KADM5_LOAD 0x200000 +#define KADM5_NOKEY 0x400000 /* all but KEY_DATA, TL_DATA, LOAD */ #define KADM5_PRINCIPAL_NORMAL_MASK 0x41ffff diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 2bb871166..d6035b0e3 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c 
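Review bot: `-all` is encoded as the sentinel `keepkvno = KRB5_INT32_MAX`, and the following purgekeys hunk picks the message with `if (keepkvno == KRB5_INT32_MAX)`, so `-keepkvno 2147483647` is indistinguishable from `-all` both in the request and in the printed result. A separate flag, e.g. `krb5_boolean purge_all = FALSE;` set in the `-all` branch and tested when choosing the message, keeps the two cases apart. In the lines shown, `-all` also runs without any confirmation, although it leaves the principal with zero keys until new ones are set; a prompt or an explicit force option may be worth considering. The body of kadmin_purgekeys continues outside both hunks.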
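Review bot: `KADM5_NOKEY` is added without a comment, and no other hunk on this page references it; the client sets `KADM5_KEY_DATA` and the server tests `KADM5_KEY_DATA`. Its value 0x400000 also falls inside `KADM5_PRINCIPAL_NORMAL_MASK` (0x41ffff), while the comment above that mask still reads "all but KEY_DATA, TL_DATA, LOAD". A one-line comment on the define saying which call sets the bit and which one reads it would help, as would a note on whether it is meant to be part of the normal mask. If nothing uses the bit yet, it may be better to leave it out of this change.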
@@ -385,8 +385,10 @@ kadm5_create_principal_3(void *server_handle, if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) || (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) || (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || - (mask & KADM5_KEY_DATA) || (mask & KADM5_LAST_SUCCESS) || - (mask & KADM5_LAST_FAILED) || (mask & KADM5_FAIL_AUTH_COUNT)) + (mask & KADM5_LAST_SUCCESS) || (mask & KADM5_LAST_FAILED) || + (mask & KADM5_FAIL_AUTH_COUNT)) + return KADM5_BAD_MASK; + if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0) return KADM5_BAD_MASK; if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) return KADM5_BAD_MASK; @@ -515,7 +517,10 @@ kadm5_create_principal_3(void *server_handle, if (ret) goto cleanup; - if (password) { + if (mask & KADM5_KEY_DATA) { + /* The client requested no keys for this principal. */ + assert(entry->n_key_data == 0); + } else if (password) { ret = krb5_dbe_cpw(handle->context, act_mkey, new_ks_tuple, new_n_ks_tuple, password, (mask & KADM5_KVNO)?entry->kvno:1, diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index bf097387e..3c61b18ab 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -104,6 +104,7 @@ check-pytests:: gcred hist kdbtest plugorder t_init_creds t_localauth $(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kadmin_acl.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kdb.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_keydata.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) diff --git a/src/tests/dumpfiles/dump b/src/tests/dumpfiles/dump index 27378d8e6..15ff87888 100644 --- a/src/tests/dumpfiles/dump +++ b/src/tests/dumpfiles/dump 
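Review bot: The `assert(entry->n_key_data == 0);` in the second hunk guards a field of the caller-supplied principal entry, and its only backing is the `KADM5_BAD_MASK` check added in the first hunk, roughly 130 lines earlier. If that earlier check is ever moved or relaxed, the assert either aborts the admin server process on a bad request or, in an `NDEBUG` build, vanishes and lets a non-empty key array through a path that sets no keys. An error return in the style used just above it, `if (entry->n_key_data != 0) { ret = KADM5_BAD_MASK; goto cleanup; }`, fails closed in both build modes. kadm5_create_principal_3 starts and ends outside the hunks.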
@@ -5,6 +5,7 @@ princ 38 24 4 4 0 kadmin/admin@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000 princ 38 27 4 4 0 kadmin/changepw@KRBTEST.COM 8196 300 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5 1 1 17 46 1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865 1 1 16 54 18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef 1 1 23 46 10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b -1; princ 38 38 4 4 0 kadmin/equal-rites.mit.edu@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff 1 1 17 46 100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1 1 1 16 54 1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5 1 1 23 46 1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007 -1; princ 38 30 1 4 0 krbtgt/KRBTEST.COM@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c 1 1 17 46 1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8 1 1 16 54 18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2 1 1 23 46 
10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b -1; +princ 38 18 4 0 0 nokeys@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 27 d931dc51757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 d931dc51 -1; princ 38 22 4 4 0 user/admin@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae 1 1 17 46 100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373 1 1 16 54 18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2 1 1 23 46 1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090 -1; princ 38 16 4 4 0 user@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 32 12345c010000000874657374706f6c0000000800000000000000000200000000 2 27 d73e1051757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10 1 1 17 46 10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf 1 1 16 54 18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335 1 1 23 46 1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5 -1; policy testpol 0 0 1 3 1 0 0 0 0 0 0 0 - 0 diff --git a/src/tests/dumpfiles/dump.b7 b/src/tests/dumpfiles/dump.b7 index 6b810c984..8d5340115 100644 --- a/src/tests/dumpfiles/dump.b7 +++ b/src/tests/dumpfiles/dump.b7 
@@ -5,6 +5,7 @@ princ 38 24 3 4 0 kadmin/admin@KRBTEST.COM 4 10800 0 0 0 0 0 0 2 26 b93e10516b64 princ 38 27 3 4 0 kadmin/changepw@KRBTEST.COM 8196 300 0 0 0 0 0 0 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5 1 1 17 46 1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865 1 1 16 54 18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef 1 1 23 46 10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b -1; princ 38 38 3 4 0 kadmin/equal-rites.mit.edu@KRBTEST.COM 4 10800 0 0 0 0 0 0 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff 1 1 17 46 100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1 1 1 16 54 1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5 1 1 23 46 1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007 -1; princ 38 30 1 4 0 krbtgt/KRBTEST.COM@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c 1 1 17 46 1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8 1 1 16 54 18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2 1 1 23 46 10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b -1; +princ 38 18 3 0 0 nokeys@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 27 
d931dc51757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 d931dc51 -1; princ 38 22 3 4 0 user/admin@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae 1 1 17 46 100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373 1 1 16 54 18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2 1 1 23 46 1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090 -1; princ 38 16 3 4 0 user@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 27 d73e1051757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10 1 1 17 46 10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf 1 1 16 54 18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335 1 1 23 46 1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5 -1; policy testpol 0 0 1 3 1 0 diff --git a/src/tests/dumpfiles/dump.ov b/src/tests/dumpfiles/dump.ov index 35d99bae4..285bef970 100644 --- a/src/tests/dumpfiles/dump.ov +++ b/src/tests/dumpfiles/dump.ov @@ -3,6 +3,7 @@ princ host/equal-rites.mit.edu@KRBTEST.COM 0 0 0 2 princ kadmin/admin@KRBTEST.COM 0 0 0 2 princ kadmin/changepw@KRBTEST.COM 0 0 0 2 princ kadmin/equal-rites.mit.edu@KRBTEST.COM 0 0 0 2 +princ nokeys@KRBTEST.COM 0 0 0 2 princ user/admin@KRBTEST.COM 0 0 0 2 princ user@KRBTEST.COM testpol 800 0 0 2 policy testpol 0 0 1 3 1 0 diff --git a/src/tests/dumpfiles/dump.r13 b/src/tests/dumpfiles/dump.r13 index 8faba2bcd..c15a75e99 100644 --- a/src/tests/dumpfiles/dump.r13 
+++ b/src/tests/dumpfiles/dump.r13 
@@ -5,6 +5,7 @@ princ 38 24 4 4 0 kadmin/admin@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000 princ 38 27 4 4 0 kadmin/changepw@KRBTEST.COM 8196 300 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5 1 1 17 46 1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865 1 1 16 54 18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef 1 1 23 46 10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b -1; princ 38 38 4 4 0 kadmin/equal-rites.mit.edu@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff 1 1 17 46 100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1 1 1 16 54 1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5 1 1 23 46 1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007 -1; princ 38 30 1 4 0 krbtgt/KRBTEST.COM@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c 1 1 17 46 1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8 1 1 16 54 18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2 1 1 23 46 
10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b -1; +princ 38 18 4 0 0 nokeys@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 27 d931dc51757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 d931dc51 -1; princ 38 22 4 4 0 user/admin@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae 1 1 17 46 100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373 1 1 16 54 18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2 1 1 23 46 1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090 -1; princ 38 16 4 4 0 user@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 32 12345c010000000874657374706f6c0000000800000000000000000200000000 2 27 d73e1051757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10 1 1 17 46 10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf 1 1 16 54 18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335 1 1 23 46 1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5 -1; policy testpol 0 0 1 3 1 0 diff --git a/src/tests/dumpfiles/dump.r18 b/src/tests/dumpfiles/dump.r18 index 41ca05eb4..b352fa281 100644 --- a/src/tests/dumpfiles/dump.r18 +++ b/src/tests/dumpfiles/dump.r18 
@@ -5,6 +5,7 @@ princ 38 24 4 4 0 kadmin/admin@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000 princ 38 27 4 4 0 kadmin/changepw@KRBTEST.COM 8196 300 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5 1 1 17 46 1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865 1 1 16 54 18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef 1 1 23 46 10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b -1; princ 38 38 4 4 0 kadmin/equal-rites.mit.edu@KRBTEST.COM 4 10800 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 26 b93e10516b6462355f7574696c404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff 1 1 17 46 100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1 1 1 16 54 1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5 1 1 23 46 1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007 -1; princ 38 30 1 4 0 krbtgt/KRBTEST.COM@KRBTEST.COM 0 86400 0 0 0 0 0 0 2 28 b93e105164625f6372656174696f6e404b5242544553542e434f4d00 1 1 18 62 2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c 1 1 17 46 1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8 1 1 16 54 18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2 1 1 23 46 
10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b -1; +princ 38 18 4 0 0 nokeys@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 27 d931dc51757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 d931dc51 -1; princ 38 22 4 4 0 user/admin@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 24 12345c010000000000000000000000000000000200000000 2 30 b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae 1 1 17 46 100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373 1 1 16 54 18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2 1 1 23 46 1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090 -1; princ 38 16 4 4 0 user@KRBTEST.COM 0 86400 0 0 0 0 0 0 3 32 12345c010000000874657374706f6c0000000800000000000000000200000000 2 27 d73e1051757365722f61646d696e404b5242544553542e434f4d00 8 2 0100 1 4 b93e1051 1 1 18 62 2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10 1 1 17 46 10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf 1 1 16 54 18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335 1 1 23 46 1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5 -1; policy testpol 0 0 1 3 1 0 0 0 0 diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py index 239bbcc01..edf7a2361 100644 --- a/src/tests/t_dump.py +++ b/src/tests/t_dump.py 
@@ -78,6 +78,9 @@ def load_dump_check_compare(realm, opt, srcfile): out = realm.run_kadminl('getprincs') if 'user@' not in out: fail('Loaded dumpfile missing user principal') + out = realm.run_kadminl('getprinc nokeys') + if 'Number of keys: 0' not in out: + fail('Loading dumpfile did not process zero-key principal') out = realm.run_kadminl('getpols') if 'testpol' not in out: fail('Loaded dumpfile missing test policy') diff --git a/src/tests/t_keydata.py b/src/tests/t_keydata.py new file mode 100644 index 000000000..ad8c9099f --- /dev/null +++ b/src/tests/t_keydata.py 
@@ -0,0 +1,70 @@ +#!/usr/bin/python +from k5test import * + +realm = K5Realm(create_user=False, create_host=False) + +# Create a principal with no keys. +out = realm.run_kadminl('addprinc -nokey user') +if 'created.' not in out: + fail('addprinc -nokey') +out = realm.run_kadminl('getprinc user') +if 'Number of keys: 0' not in out: + fail('getprinc (addprinc -nokey)') + +# Change its password and check the resulting kvno. +out = realm.run_kadminl('cpw -pw password user') +if 'changed.' not in out: + fail('cpw -pw') +out = realm.run_kadminl('getprinc user') +if 'vno 1' not in out: + fail('getprinc (cpw -pw)') + +# Delete all of its keys. +out = realm.run_kadminl('purgekeys -all user') +if 'All keys' not in out or 'removed.' not in out: + fail('purgekeys') +out = realm.run_kadminl('getprinc user') +if 'Number of keys: 0' not in out: + fail('getprinc (purgekeys)') + +# Randomize its keys and check the resulting kvno. +out = realm.run_kadminl('cpw -randkey user') +if 'randomized.' not in out: + fail('cpw -randkey') +out = realm.run_kadminl('getprinc user') +if 'vno 1' not in out: + fail('getprinc (cpw -randkey)') + +# Return true if patype appears to have been received in a hint list +# from a KDC error message, based on the trace file fname. +def preauth_type_received(fname, patype): + f = open(fname, 'r') + found = False + for line in f: + if 'Processing preauth types:' in line: + ind = line.find('types:') + patypes = line[ind + 6:].strip().split(', ') + if str(patype) in patypes: + found = True + f.close() + return found + +# Make sure the KDC doesn't offer encrypted timestamp for a principal +# with no keys. +tracefile = os.path.join(realm.testdir, 'trace') +realm.run_kadminl('purgekeys -all user') +realm.run_kadminl('modprinc +requires_preauth user') +realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, 'user'], expected_code=1) +if preauth_type_received(tracefile, 2): + fail('encrypted timestamp') + +# Make sure it doesn't offer encrypted challenge either. 
+realm.run_kadminl('addprinc -pw fast armor') +realm.kinit('armor', 'fast') +os.remove(tracefile) +realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-T', realm.ccache, + 'user'], expected_code=1) +if preauth_type_received(tracefile, 138): + fail('encrypted challenge') + +success('Key data tests') |
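Review bot: Both negative checks at the end (`preauth_type_received(tracefile, 2)` and `(tracefile, 138)`) pass vacuously if the trace file holds no `Processing preauth types:` line at all, because the helper returns False both when the type is absent from the list and when no list was seen. Assuming the KDC is expected to send a hint list in these two cases, the helper could set a flag when a hint line is seen and, after the loop, `if not seen: fail('no preauth hint list in trace')`. The helper also opens the file without `with`, so the handle stays open if the loop raises; `with open(fname, 'r') as f:` covers that. Separately, the `'vno 1' not in out` checks would also accept `vno 10` and above; matching with the following delimiter would pin the kvno exactly.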