From ffdd6134851028a85c0cbd54689f86aa4fa7ff50 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Fri, 3 Dec 2010 12:34:53 +0000
Subject: [PATCH] Test for key rollover for TGT, including purging old keys

ticket: 1219
target_version: 1.9
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24555 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/tests/Makefile.in | 1 +
 src/tests/t_keyrollover.py | 46 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 src/tests/t_keyrollover.py

diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 85a592b8d..cc3eafec5 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -65,6 +65,7 @@ check-pytests::
 $(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
 
 clean::
 $(RM) kdc.conf
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
new file mode 100644
index 000000000..4af76ae9a
--- /dev/null
+++ b/src/tests/t_keyrollover.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+from k5test import *
+
+rollover_krb5_conf = {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}}
+
+realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
+ krb5_conf=rollover_krb5_conf)
+
+princ1 = 'host/test1@%s' % (realm.realm,)
+princ2 = 'host/test2@%s' % (realm.realm,)
+realm.addprinc(princ1)
+realm.addprinc(princ2)
+
+realm.run_as_client([kvno, realm.host_princ])
+
+# Change key for TGS, keeping old key.
+realm.run_kadminl('cpw -randkey -e aes256-cts:normal -keepold krbtgt/%s@%s' %
+ (realm.realm, realm.realm))
+
+# Ensure that kvno still works with an old TGT.
+realm.run_as_client([kvno, princ1])
+
+realm.run_kadminl('purgekeys krbtgt/%s@%s' % (realm.realm, realm.realm))
+# Make sure an old TGT fails after purging old TGS key.
+realm.run_as_client([kvno, princ2], expected_code=1)
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
+ (realm.realm, realm.realm)
+
+if expected not in output:
+ fail('keyrollover: expected TGS enctype not found')
+
+# Check that new key actually works.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
+ 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
+ (realm.realm, realm.realm)
+
+if expected not in output:
+ fail('keyrollover: expected TGS enctype not found after change')
+
+success('keyrollover')
-- 
2.26.2
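Review bot: The negative check `realm.run_as_client([kvno, princ2], expected_code=1)` only asserts a nonzero exit, so any kvno failure at that point, including one unrelated to the purged key, satisfies it; capturing the output with `output = realm.run_as_client([kvno, princ2], expected_code=1)` and checking it for the KDC's error about the missing key version would pin the step to the behavior under test (the exact message is not visible in this hunk, so confirm it against kvno's output first). The new file also has no header comment stating what it exercises; a two-line comment after the shebang such as `# Verify that a TGT issued under the old krbtgt key keeps working after a` / `# -keepold key change and stops working once the old key is purged.` would give a reader the intent before the first kadmin call. The `allow_weak_crypto` setting and the `des-cbc-crc:normal` krbtgt keysalt are presumably there only so the pre- and post-rollover TGT enctypes are distinguishable in the two `klist -e` checks; a short comment on the `rollover_krb5_conf` line saying this is a test-only setting would keep it from being read as configuration guidance.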