From: Greg Hudson Date: Tue, 17 Apr 2012 03:19:12 +0000 (+0000) Subject: Add clock skew tests X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=8d689cea3561d5912db218a4fdf9bdf3c1c6d3b0;p=krb5.git Add clock skew tests Add a KDC option (-T) to run with a time offset, and use that to test kdc_timesync behavior. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25807 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/rst_source/krb_admins/admin_commands/krb5kdc.rst b/doc/rst_source/krb_admins/admin_commands/krb5kdc.rst index 6ed7ea954..62afca4ee 100644 --- a/doc/rst_source/krb_admins/admin_commands/krb5kdc.rst +++ b/doc/rst_source/krb_admins/admin_commands/krb5kdc.rst @@ -17,6 +17,7 @@ SYNOPSIS [**-n**] [**-w** *numworkers*] [**-P** *pid_file*] +[**-T** *time_offset*] DESCRIPTION @@ -99,6 +100,8 @@ Options supported for the LDAP database module are: password using the **stashsrvpw** command of :ref:`kdb5_ldap_util(8)`. +The **-T** *offset* option specifies a time offset, in seconds, which +the KDC will operate under. It is intended only for testing purposes. EXAMPLE ------- diff --git a/src/kdc/main.c b/src/kdc/main.c index c2c3e4e0e..5b31bd3cd 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -86,6 +86,7 @@ static void finish_realms (void); static int nofork = 0; static int workers = 0; +static int time_offset = 0; static const char *pid_file = NULL; static int rkey_init_done = 0; static volatile int signal_received = 0; @@ -293,6 +294,8 @@ init_realm(kdc_realm_t *rdp, char *realm, char *def_mpname, kdc_err(NULL, kret, _("while getting context for realm %s"), realm); goto whoops; } + if (time_offset != 0) + (void)krb5_set_time_offsets(rdp->realm_context, time_offset, 0); kret = krb5_read_realm_params(rdp->realm_context, rdp->realm_name, &rparams); @@ -733,7 +736,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) * Loop through the option list. Each time we encounter a realm name, * use the previously scanned options to fill in for defaults. */ - while ((c = getopt(argc, argv, "x:r:d:mM:k:R:e:P:p:s:nw:4:X3")) != -1) { + while ((c = getopt(argc, argv, "x:r:d:mM:k:R:e:P:p:s:nw:4:T:X3")) != -1) { switch(c) { case 'x': db_args_size++; @@ -845,6 +848,9 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) default_tcp_ports = strdup(optarg); #endif break; + case 'T': + time_offset = atoi(optarg); + break; case '4': break; case 'X': diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index b5bcdf01c..47ca131ec 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -71,6 +71,7 @@ check-pytests:: $(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS) # $(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS) clean:: diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py new file mode 100644 index 000000000..f00c2f920 --- /dev/null +++ b/src/tests/t_skew.py @@ -0,0 +1,38 @@ +#!/usr/bin/python +from k5test import * + +# Create a realm with the KDC one hour in the past. +realm = K5Realm(start_kadmind=False, start_kdc=False) +realm.start_kdc(['-T', '-3600']) + +# kinit (no preauth) should work, and should set a clock skew allowing +# kvno to work, with or without FAST. +realm.kinit(realm.user_princ, password('user')) +realm.run_as_client([kvno, realm.host_princ]) +realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache]) +realm.run_as_client([kvno, realm.host_princ]) +realm.run_as_client([kdestroy]) + +# kinit (with preauth) should fail. +realm.run_kadminl('modprinc +requires_preauth user') +realm.kinit(realm.user_princ, password('user'), expected_code=1) + +realm.stop() + +# Repeat the above tests with kdc_timesync disabled. +conf = {'all': {'libdefaults': {'kdc_timesync': '0'}}} +realm = K5Realm(start_kadmind=False, start_kdc=False, krb5_conf=conf) +realm.start_kdc(['-T', '-3600']) + +# kinit (no preauth) should work, but kvno should not. kinit with +# FAST should also fail since the armor AP-REQ won't be valid. +realm.kinit(realm.user_princ, password('user')) +realm.run_as_client([kvno, realm.host_princ], expected_code=1) +realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache], + expected_code=1) + +# kinit (with preauth) should fail. +realm.run_kadminl('modprinc +requires_preauth user') +realm.kinit(realm.user_princ, password('user'), expected_code=1) + +success('Clock skew tests')