author | Tom Yu <tlyu@mit.edu> | 2010-12-03 18:47:59 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2010-12-03 18:47:59 +0000 |
commit | b699884aaa23269a5c439b21ffa88ab36579fd1c (patch) | |
tree | f9b80a88cd3d86b603d3b0f9d7af7d594b932478 | |
parent | 8add89fab438938f206bd0e4d039242786eaca91 (diff) | |
pull up r24555 from trunk
------------------------------------------------------------------------
r24555 | tlyu | 2010-12-03 07:34:53 -0500 (Fri, 03 Dec 2010) | 6 lines
ticket: 1219
target_version: 1.9
tags: pullup
Test for key rollover for TGT, including purging old keys.
ticket: 1219
version_fixed: 1.9
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24556 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/tests/Makefile.in | 1 | ||||
-rw-r--r-- | src/tests/t_keyrollover.py | 46 |
2 files changed, 47 insertions, 0 deletions
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 85a592b..cc3eafe 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -65,6 +65,7 @@ check-pytests::
 $(RUNPYTEST) $(srcdir)/t_anonpkinit.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
 clean::
 $(RM) kdc.conf
diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py
new file mode 100644
index 0000000..4af76ae
--- /dev/null
+++ b/src/tests/t_keyrollover.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+from k5test import *
+
+rollover_krb5_conf = {'all' : {'libdefaults' : {'allow_weak_crypto' : 'true'}}}
+
+realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
+ krb5_conf=rollover_krb5_conf)
+
+princ1 = 'host/test1@%s' % (realm.realm,)
+princ2 = 'host/test2@%s' % (realm.realm,)
+realm.addprinc(princ1)
+realm.addprinc(princ2)
+
+realm.run_as_client([kvno, realm.host_princ])
+
+# Change key for TGS, keeping old key.
+realm.run_kadminl('cpw -randkey -e aes256-cts:normal -keepold krbtgt/%s@%s' %
+ (realm.realm, realm.realm))
+
+# Ensure that kvno still works with an old TGT.
+realm.run_as_client([kvno, princ1])
+
+realm.run_kadminl('purgekeys krbtgt/%s@%s' % (realm.realm, realm.realm))
+# Make sure an old TGT fails after purging old TGS key.
+realm.run_as_client([kvno, princ2], expected_code=1)
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
+ (realm.realm, realm.realm)
+
+if expected not in output:
+ fail('keyrollover: expected TGS enctype not found')
+
+# Check that new key actually works.
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+output = realm.run_as_client([klist, '-e'])
+
+expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
+ 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
+ (realm.realm, realm.realm)
+
+if expected not in output:
+ fail('keyrollover: expected TGS enctype not found after change')
+
+success('keyrollover') |
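Review bot: The post-purge check `realm.run_as_client([kvno, princ2], expected_code=1)` asserts only the exit status, so a kvno failure for an unrelated reason (KDC not answering, principal lookup failing) would also satisfy it and the test would still report that purged TGS keys invalidate old TGTs. Since `run_as_client` returns the command output elsewhere in this script, capture it here and check for the specific error: `output = realm.run_as_client([kvno, princ2], expected_code=1)` followed by `if EXPECTED_ERROR_TEXT not in output: fail('keyrollover: old TGT failed for an unexpected reason')`. EXPECTED_ERROR_TEXT is a placeholder for the message kvno actually prints, and whether the returned output includes stderr is not visible in this hunk and should be confirmed. It would also help to comment `rollover_krb5_conf`, for example `# weak crypto is enabled only so the krbtgt can start on des-cbc-crc and the change to aes256 shows up in klist -e`, if that is indeed the intent. A second comment could say why the post-purge request uses `princ2` rather than `princ1`, presumably because the `princ1` ticket is already in the credential cache.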