From: Tom Yu
Date: Fri, 3 Dec 2010 18:47:59 +0000 (+0000)
Subject: pull up r24555 from trunk
X-Git-Tag: krb5-1.9-beta2~2
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=b699884aaa23269a5c439b21ffa88ab36579fd1c;p=krb5.git
pull up r24555 from trunk
------------------------------------------------------------------------
r24555 | tlyu | 2010-12-03 07:34:53 -0500 (Fri, 03 Dec 2010) | 6 lines
ticket: 1219
target_version: 1.9
tags: pullup
Test for key rollover for TGT, including purging old keys.
ticket: 1219
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24556 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 85a592b8d..cc3eafec5 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -65,6 +65,7 @@ check-pytests::
 $(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)

 clean::
 $(RM) kdc.conf
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
new file mode 100644
index 000000000..4af76ae9a
--- /dev/null
+++ b/src/tests/t_keyrollover.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+from k5test import *
+
+rollover_krb5_conf = {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}}
+
+realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
+ krb5_conf=rollover_krb5_conf)
+
+princ1 = 'host/test1@%s' % (realm.realm,)
+princ2 = 'host/test2@%s' % (realm.realm,)
+realm.addprinc(princ1)
+realm.addprinc(princ2)
+
+realm.run_as_client([kvno, realm.host_princ])
+
+# Change key for TGS, keeping old key.
+realm.run_kadminl('cpw -randkey -e aes256-cts:normal -keepold krbtgt/%s@%s' %
+ (realm.realm, realm.realm))
+
+# Ensure that kvno still works with an old TGT.
+realm.run_as_client([kvno, princ1])
+
+realm.run_kadminl('purgekeys krbtgt/%s@%s' % (realm.realm, realm.realm))
+# Make sure an old TGT fails after purging old TGS key.
+realm.run_as_client([kvno, princ2], expected_code=1)
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
+ (realm.realm, realm.realm)
+
+if expected not in output:
+ fail('keyrollover: expected TGS enctype not found')
+
+# Check that new key actually works.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
+ 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
+ (realm.realm, realm.realm)
+
+if expected not in output:
+ fail('keyrollover: expected TGS enctype not found after change')
+
+success('keyrollover')
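Review bot: The negative check after purgekeys, `realm.run_as_client([kvno, princ2], expected_code=1)`, asserts only on the exit status, so any kvno failure — a missing binary, a broken credential cache, an unrelated KDC error — passes as if the KDC had rejected the TGT encrypted under the purged key; capturing the output of that call and checking it for the KDC's rejection text would pin the behaviour the test is actually meant to prove. The two `expected` strings compared against `klist -e` are also sensitive to formatting changes in klist output, which is an accepted cost for an integration test but worth a comment so a later failure there is not mistaken for a rollover regression. A header comment explaining the enctype choice would help a maintainer, e.g. `# The krbtgt key starts on des-cbc-crc (hence allow_weak_crypto) so the rollover to aes256-cts is observable in 'klist -e' output.`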