1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
#!/usr/bin/python
# Copyright (C) 2011 by the Massachusetts Institute of Technology.
# All rights reserved.
#
# Export of this software from the United States of America may
# require a specific license from the United States Government.
# It is the responsibility of any person or organization contemplating
# export to obtain such a license before exporting.
#
# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
# distribute this software and its documentation for any purpose and
# without fee is hereby granted, provided that the above copyright
# notice appear in all copies and that both that copyright notice and
# this permission notice appear in supporting documentation, and that
# the name of M.I.T. not be used in advertising or publicity pertaining
# to distribution of the software without specific, written prior
# permission. Furthermore if you modify this software you must label
# your software as modified software and not distribute it in such a
# fashion that it might be confused with the original M.I.T. software.
# M.I.T. makes no representations about the suitability of
# this software for any purpose. It is provided "as is" without express
# or implied warranty.
from k5test import *
realm = K5Realm()
# Verify the default test realm credentials with the default keytab.
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'])
# Verify after updating the keytab (so the keytab contains an outdated
# version 1 key followed by an up-to-date version 2 key).
realm.run_kadminl('ktadd ' + realm.host_princ)
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'])
# Bump the host key without updating the keytab and make sure that
# verification fails as we expect it to.
realm.run_kadminl('change_password -randkey ' + realm.host_princ)
realm.run(['./t_vfy_increds'], expected_code=1)
realm.run(['./t_vfy_increds', '-n'], expected_code=1)
# Simulate a system where the hostname has changed and the keytab
# contains host service principals with a hostname that no longer
# matches. Verify after updating the keytab with a host service
# principal that has hostname that doesn't match the host running the
# test. Verify should succeed, with or without nofail.
realm.run_kadminl('addprinc -randkey host/wrong.hostname')
realm.run_kadminl('ktadd host/wrong.hostname')
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'])
# Remove the keytab and verify again. This should succeed if nofail
# is not set, and fail if it is set.
os.remove(realm.keytab)
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'], expected_code=1)
# Create an empty keytab file and verify again. This simulates a
# system where an admin ran "touch krb5.keytab" to work around a
# Solaris Kerberos bug where krb5_kt_default() fails if the keytab
# file doesn't exist. Verification should succeed in nofail is not
# set. (An empty keytab file appears as corrupt to keytab calls,
# causing a KRB5_KEYTAB_BADVNO error, so any tightening of the
# krb5_verify_init_creds semantics needs to take this into account.)
open(realm.keytab, 'w').close()
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'], expected_code=1)
os.remove(realm.keytab)
# Add an NFS service principal to keytab. Verify should ignore it by
# default (succeeding unless nofail is set), but should verify with it
# when it is specifically requested.
realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ)
realm.run_kadminl('ktadd ' + realm.nfs_princ)
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'], expected_code=1)
realm.run(['./t_vfy_increds', realm.nfs_princ])
realm.run(['./t_vfy_increds', '-n', realm.nfs_princ])
# Invalidating the NFS keys in the keytab. We should get the same
# results with the default principal argument, but verification should
# now fail if we request it specifically.
realm.run_kadminl('change_password -randkey ' + realm.nfs_princ)
realm.run(['./t_vfy_increds'])
realm.run(['./t_vfy_increds', '-n'], expected_code=1)
realm.run(['./t_vfy_increds', realm.nfs_princ], expected_code=1)
realm.run(['./t_vfy_increds', '-n', realm.nfs_princ], expected_code=1)
# Spot-check that verify_ap_req_nofail works equivalently to the
# programmatic nofail option.
realm.stop()
conf = {'libdefaults': {'verify_ap_req_nofail': 'true'}}
realm = K5Realm(krb5_conf=conf)
os.remove(realm.keytab)
realm.run(['./t_vfy_increds'], expected_code=1)
success('krb5_verify_init_creds tests')
|
