1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126
|
#!/usr/bin/python
from k5test import *
conf = {'realms': {'$realm': {'supported_enctypes': 'aes256-cts aes128-cts'}}}
realm = K5Realm(create_host=False, kdc_conf=conf)
# Define some server principal names.
princ1 = 'host/1@%s' % realm.realm
princ2 = 'host/2@%s' % realm.realm
princ3 = 'HTTP/3@%s' % realm.realm
princ4 = 'HTTP/4@%s' % realm.realm
matchprinc = 'host/@'
nomatchprinc = 'x/@'
realm.addprinc(princ1)
realm.addprinc(princ2)
realm.addprinc(princ3)
def test(tserver, server, expected):
args = ['./rdreq', tserver]
if server is not None:
args += [server]
out = realm.run(args)
if out.strip() != expected:
fail('unexpected rdreq output')
# No keytab present.
nokeytab_err = "45 Key table file '%s' not found" % realm.keytab
test(princ1, None, nokeytab_err)
test(princ1, princ1, nokeytab_err)
test(princ1, matchprinc, nokeytab_err)
# Keytab present, successful decryption.
realm.extract_keytab(princ1, realm.keytab)
test(princ1, None, '0 success')
test(princ1, princ1, '0 success')
test(princ1, matchprinc, '0 success')
# Explicit server principal not found in keytab.
test(princ2, princ2, '45 No key table entry found for host/2@KRBTEST.COM')
# Matching server principal does not match any entries in keytab (with
# and without ticket server present in keytab).
nomatch_err = '45 Server principal x/@ does not match any keys in keytab'
test(princ1, nomatchprinc, nomatch_err)
test(princ2, nomatchprinc, nomatch_err)
# Ticket server does not match explicit server principal (with and
# without ticket server present in keytab).
test(princ1, princ2, '45 No key table entry found for host/2@KRBTEST.COM')
test(princ2, princ1,
'35 Cannot decrypt ticket for host/2@KRBTEST.COM using keytab key for '
'host/1@KRBTEST.COM')
# Ticket server not found in keytab during iteration.
test(princ2, None,
'35 Request ticket server host/2@KRBTEST.COM not found in keytab '
'(ticket kvno 1)')
# Ticket server found in keytab but is not matched by server principal
# (but other principals in keytab do match).
realm.extract_keytab(princ3, realm.keytab)
test(princ3, matchprinc,
'35 Request ticket server HTTP/3@KRBTEST.COM found in keytab but does '
'not match server principal host/@')
# Service ticket is out of date.
os.remove(realm.keytab)
realm.run([kadminl, 'ktadd', princ1])
test(princ1, None,
'44 Request ticket server host/1@KRBTEST.COM kvno 1 not found in keytab; '
'ticket is likely out of date')
test(princ1, princ1,
'44 Cannot find key for host/1@KRBTEST.COM kvno 1 in keytab')
# kvno mismatch due to ticket principal mismatch with explicit server.
test(princ2, princ1,
'35 Cannot find key for host/1@KRBTEST.COM kvno 1 in keytab (request '
'ticket server host/2@KRBTEST.COM)')
# Keytab is out of date.
realm.run([kadminl, 'cpw', '-randkey', princ1])
realm.kinit(realm.user_princ, password('user'))
test(princ1, None,
'44 Request ticket server host/1@KRBTEST.COM kvno 3 not found in keytab; '
'keytab is likely out of date')
test(princ1, princ1,
'44 Cannot find key for host/1@KRBTEST.COM kvno 3 in keytab')
# Ticket server and kvno found but not with ticket enctype.
os.remove(realm.keytab)
realm.extract_keytab(princ1, realm.keytab)
pkeytab = realm.keytab + '.partial'
realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' %
(realm.keytab, pkeytab)))
os.rename(pkeytab, realm.keytab)
realm.run([klist, '-ke'])
test(princ1, None,
'44 Request ticket server host/1@KRBTEST.COM kvno 3 found in keytab but '
'not with enctype aes256-cts')
# This is a bad code (KRB_AP_ERR_NOKEY) and message, because
# krb5_kt_get_entry returns the same result for this and not finding
# the principal at all. But it's an uncommon case; GSSAPI apps
# usually use a matching principal and missing key enctypes are rare.
test(princ1, princ1, '45 No key table entry found for host/1@KRBTEST.COM')
# Ticket server, kvno, and enctype matched, but key does not work.
realm.run([kadminl, 'cpw', '-randkey', princ1])
realm.run([kadminl, 'modprinc', '-kvno', '3', princ1])
os.remove(realm.keytab)
realm.extract_keytab(princ1, realm.keytab)
test(princ1, None,
'31 Request ticket server host/1@KRBTEST.COM kvno 3 enctype aes256-cts '
'found in keytab but cannot decrypt ticket')
test(princ1, princ1,
'31 Cannot decrypt ticket for host/1@KRBTEST.COM using keytab key for '
'host/1@KRBTEST.COM')
# Test that aliases work. The ticket server (princ4) isn't present in
# keytab, but there is a usable princ1 entry with the same key.
realm.run([kadminl, 'renprinc', princ1, princ4])
test(princ4, None, '0 success')
test(princ4, princ1, '0 success')
test(princ4, matchprinc, '0 success')
success('krb5_rd_req tests')
|