3 # Copyright (C) 2011 by the Massachusetts Institute of Technology.
6 # Export of this software from the United States of America may
7 # require a specific license from the United States Government.
8 # It is the responsibility of any person or organization contemplating
9 # export to obtain such a license before exporting.
11 # WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
12 # distribute this software and its documentation for any purpose and
13 # without fee is hereby granted, provided that the above copyright
14 # notice appear in all copies and that both that copyright notice and
15 # this permission notice appear in supporting documentation, and that
16 # the name of M.I.T. not be used in advertising or publicity pertaining
17 # to distribution of the software without specific, written prior
18 # permission. Furthermore if you modify this software you must label
19 # your software as modified software and not distribute it in such a
20 # fashion that it might be confused with the original M.I.T. software.
21 # M.I.T. makes no representations about the suitability of
22 # this software for any purpose. It is provided "as is" without express
23 # or implied warranty.
29 # Verify the default test realm credentials with the default keytab.
# Exercise krb5_verify_init_creds (through ./t_vfy_increds) against the test
# realm's keytab.  Every scenario is run twice: once with the default
# behaviour and once with '-n', the programmatic "nofail" option.  The
# scenarios below show that nofail is what turns a missing or unusable
# keytab from "skip verification" into a hard failure.
def _verify(*extra_args, **run_kwargs):
    """Run ./t_vfy_increds as the server with *extra_args* appended.

    Keyword arguments (e.g. expected_code=1) are handed to
    realm.run_as_server unchanged, so leaving them out keeps the harness
    default.  ``realm`` is looked up at call time.
    """
    realm.run_as_server(['./t_vfy_increds'] + list(extra_args), **run_kwargs)


# 1. Default realm credentials against the default keytab.
_verify()
_verify('-n')

# 2. Re-add the host key so the keytab holds an outdated kvno 1 entry
#    followed by a current kvno 2 entry; verification must still succeed.
realm.run_kadminl('ktadd ' + realm.host_princ)
_verify()
_verify('-n')

# 3. Rotate the host key in the KDC without refreshing the keytab.  The
#    keytab now holds only stale host keys, so verification must fail
#    with or without nofail.
realm.run_kadminl('change_password -randkey ' + realm.host_princ)
_verify(expected_code=1)
_verify('-n', expected_code=1)

# 4. Hostname change: the keytab additionally gets a host/ principal whose
#    hostname does not match the machine running the test.  Verification
#    must still succeed, with or without nofail.
realm.run_kadminl('addprinc -randkey host/wrong.hostname')
realm.run_kadminl('ktadd host/wrong.hostname')
_verify()
_verify('-n')

# 5. No keytab at all: tolerated by default, a failure under nofail.
os.remove(realm.keytab)
_verify()
_verify('-n', expected_code=1)

# 6. Zero-length keytab, as left behind by an admin running
#    "touch krb5.keytab" to work around a Solaris Kerberos bug where
#    krb5_kt_default() fails if the file does not exist.  Keytab calls see
#    the empty file as corrupt (KRB5_KEYTAB_BADVNO), so it has to behave
#    like a missing keytab: success unless nofail is set.  Any tightening
#    of the krb5_verify_init_creds semantics must keep this case in mind.
with open(realm.keytab, 'w'):
    pass
_verify()
_verify('-n', expected_code=1)
os.remove(realm.keytab)

# 7. Keytab holding only an NFS service principal.  With the default
#    principal argument it is ignored (so the outcome matches the missing
#    keytab case), but verification uses it when that principal is named
#    explicitly.
realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ)
realm.run_kadminl('ktadd ' + realm.nfs_princ)
_verify()
_verify('-n', expected_code=1)
_verify(realm.nfs_princ)
_verify('-n', realm.nfs_princ)

# 8. Invalidate the NFS keys held in the keytab.  The default-principal
#    results are unchanged, but asking for the NFS principal explicitly
#    must now fail.
realm.run_kadminl('change_password -randkey ' + realm.nfs_princ)
_verify()
_verify('-n', expected_code=1)
_verify(realm.nfs_princ, expected_code=1)
90 realm.run_as_server(['./t_vfy_increds', '-n', realm.nfs_princ],
# Spot-check that the verify_ap_req_nofail profile setting behaves like the
# programmatic nofail option: with it enabled in the 'server' configuration
# and no keytab present, verification must fail even without '-n'.
conf = {
    'server': {
        'libdefaults': {
            'verify_ap_req_nofail': 'true',
        },
    },
}
realm = K5Realm(krb5_conf=conf)
os.remove(realm.keytab)
realm.run_as_server(['./t_vfy_increds'], expected_code=1)

success('krb5_verify_init_creds tests')