1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
#!/usr/bin/python
# Copyright (C) 2010,2012 by the Massachusetts Institute of Technology.
# All rights reserved.
#
# Export of this software from the United States of America may
# require a specific license from the United States Government.
# It is the responsibility of any person or organization contemplating
# export to obtain such a license before exporting.
#
# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
# distribute this software and its documentation for any purpose and
# without fee is hereby granted, provided that the above copyright
# notice appear in all copies and that both that copyright notice and
# this permission notice appear in supporting documentation, and that
# the name of M.I.T. not be used in advertising or publicity pertaining
# to distribution of the software without specific, written prior
# permission. Furthermore if you modify this software you must label
# your software as modified software and not distribute it in such a
# fashion that it might be confused with the original M.I.T. software.
# M.I.T. makes no representations about the suitability of
# this software for any purpose. It is provided "as is" without express
# or implied warranty.
from k5test import *
# Create a bare-bones KDC.
realm = K5Realm(create_user=False, create_host=False)
# Create principals with various password expirations.
realm.run_kadminl('addprinc -pw pass nopreauth')
realm.run_kadminl('addprinc -pw pass +requires_preauth preauth')
# Check that we can get creds without preauth without an in_ccache. This is
# the default behavior for kinit.
realm.run(['./t_in_ccache', 'nopreauth', 'pass'])
# Check that we can get creds with preauth without an in_ccache. This is the
# default behavior for kinit.
realm.run(['./t_in_ccache', 'preauth', 'pass'])
# Check that we can get creds while supplying a now-populated input ccache that
# doesn't contain any relevant configuration.
realm.run(['./t_in_ccache', 'nopreauth', 'pass'])
realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'])
# Check that we can get creds while supplying a now-populated input ccache.
realm.run(['./t_in_ccache', 'preauth', 'pass'])
realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'])
# Check that we can't get creds while specifying patypes that aren't available
# in a FAST tunnel while using a FAST tunnel. Expect the client-end
# preauth-failed error.
realm.run(['./t_in_ccache', 'nopreauth', 'pass'])
realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '2'])
realm.run(['./t_in_ccache', '-A', realm.ccache, '-I', realm.ccache,
'preauth', 'pass'], expected_code=210)
# Check that we can't get creds while specifying patypes that are only
# available in a FAST tunnel while not using a FAST tunnel. Expect the
# client-end preauth-failed error.
realm.run(['./t_in_ccache', 'nopreauth', 'pass'])
realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '138'])
realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'],
expected_code=210)
# Check that we can get creds using FAST, and that we end up using
# encrypted_challenge when we do.
realm.run(['./t_in_ccache', 'preauth', 'pass'])
realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '138'])
realm.run(['./t_in_ccache', '-A', realm.ccache, 'preauth', 'pass'])
output = realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type'])
# We should have selected and used encrypted_challenge.
if output != '138':
fail('Unexpected pa_type value in out_ccache: "%s"' % output)
# Check that we can get creds while specifying the right patypes.
realm.run(['./t_in_ccache', 'nopreauth', 'pass'])
realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type', '2'])
realm.run(['./t_in_ccache', '-I', realm.ccache, 'preauth', 'pass'])
output = realm.run(['./t_cc_config', '-p', realm.krbtgt_princ, 'pa_type'])
# We should have selected and used encrypted_timestamp.
if output != '2':
fail('Unexpected pa_type value in out_ccache')
success('input ccache pa_type tests')
|
