config root man

Current Path : /compat/linux/proc/self/root/usr/src/crypto/heimdal/tests/kdc/

FreeBSD hs32.drive.ne.jp 9.1-RELEASE FreeBSD 9.1-RELEASE #1: Wed Jan 14 12:18:08 JST 2015 root@hs32.drive.ne.jp:/sys/amd64/compile/hs32 amd64
Upload File :
Current File : //compat/linux/proc/self/root/usr/src/crypto/heimdal/tests/kdc/check-kdc.in

#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden). 
# All rights reserved. 
#
# Redistribution and use in source and binary forms, with or without 
# modification, are permitted provided that the following conditions 
# are met: 
#
# 1. Redistributions of source code must retain the above copyright 
#    notice, this list of conditions and the following disclaimer. 
#
# 2. Redistributions in binary form must reproduce the above copyright 
#    notice, this list of conditions and the following disclaimer in the 
#    documentation and/or other materials provided with the distribution. 
#
# 3. Neither the name of the Institute nor the names of its contributors 
#    may be used to endorse or promote products derived from this software 
#    without specific prior written permission. 
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
# SUCH DAMAGE. 
#
# $Id: check-kdc.in 22019 2007-10-24 20:47:59Z lha $
#

srcdir="@srcdir@"
objdir="@objdir@"
EGREP="@EGREP@"

testfailed="echo test failed; cat messages.log; exit 1"

# If there is no useful db support compile in, disable test
../db/have-db || exit 77

R=TEST.H5L.SE
R2=TEST2.H5L.SE

port=@port@

kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"

server=host/datan.test.h5l.se
server2=host/computer.example.com
cache="FILE:${objdir}/cache.krb5"
ocache="FILE:${objdir}/ocache.krb5"
o2cache="FILE:${objdir}/o2cache.krb5"
icache="FILE:${objdir}/icache.krb5"
keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
ps="proxy-service@${R}"
aesenctype="aes256-cts-hmac-sha1-96"

kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
kgetcred_imp="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache --out-cache=${ocache}"
kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
hxtool="${TESTS_ENVIRONMENT} ../../lib/hx509/hxtool"
kimpersonate="${TESTS_ENVIRONMENT} ../../kuser/kimpersonate -k ${keytab} --ccache=${ocache}"
test_renew="${TESTS_ENVIRONMENT} ../../lib/krb5/test_renew"

KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

rm -f ${keytabfile}
rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R} || exit 1

${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R2} || exit 1

${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1

${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} add -p bar --use-defaults bar@${R} || exit 1
${kadmin} add -p foo --use-defaults remove@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
${kadmin} add -p foo --use-defaults ${ps} || exit 1
${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
${kadmin} ext -k ${keytab} ${ps} || exit 1

${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1

${kadmin} add -p foo --use-defaults -- -p || exit 1
${kadmin} delete -- -p || exit 1

echo "Doing database check"
${kadmin} check ${R} || exit 1
${kadmin} check ${R2} || exit 1

echo "Extracting enctypes"
${ktutil} -k ${keytab} list > tempfile || exit 1
${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
    awk '$1 !~ /1/  { exit 1 }' || exit 1

${kadmin} get foo@${R} > tempfile || exit 1
enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://'`

enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'`
enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'`

echo foo > ${objdir}/foopassword

echo Starting kdc
${kdc} &
kdcpid=$!

sh ${srcdir}/wait-kdc.sh
if [ "$?" != 0 ] ; then
    kill ${kdcpid}
    exit 1
fi

trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

ec=0

echo "Getting client initial tickets"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }
echo "Getting tickets"; > messages.log
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > messages.log
${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
./ap-req ${server}@${R} ${keytab} ${cache} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Specific enctype"; > messages.log
${kinit} --password-file=${objdir}/foopassword \
    -e ${aesenctype} -e ${aesenctype} \
    foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }

for a in $enctypes; do
	echo "Getting client initial tickets ($a)"; > messages.log
	${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
	echo "Getting tickets"; > messages.log
	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	./ap-req ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
	${kdestroy}
done


echo "Getting client initial tickets"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
	echo "Getting tickets ($a)"; > messages.log
	${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	./ap-req ${server}@${R} ${keytab} ${cache} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kdestroy} --credential=${server}@${R}
done
${kdestroy}

echo "Getting client initial tickets for cross realm case"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
	echo "Getting cross realm tickets ($a)"; > messages.log
	${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
	./ap-req ${server2}@${R2} ${keytab} ${cache} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kdestroy} --credential=${server2}@${R2}
done
${kdestroy}

echo "try all permutations"; > messages.log
for a in $enctypes; do
	echo "Getting client initial tickets ($a)"; > messages.log
	${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \
		{ ec=1 ; eval "${testfailed}"; }
	for b in $enctypes; do
		echo "Getting tickets ($a ->  $b)"; > messages.log
		${kgetcred} -e $b ${server}@${R} || \
			{ ec=1 ; eval "${testfailed}"; }
		./ap-req ${server}@${R} ${keytab} ${cache} || \
			{ ec=1 ; eval "${testfailed}"; }
		${kdestroy} --credential=${server}@${R}
	done
	${kdestroy}
done

echo "Getting server initial tickets"; > messages.log
${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > messages.log
${klist} | grep "Principal: ${server}" > /dev/null || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "initial tickets for deleted user test case"; > messages.log
${kinit} --password-file=${objdir}/foopassword remove@$R || \
	{ ec=1 ; eval "${testfailed}"; }
${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
echo "try getting ticket with deleted user"; > messages.log
${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "cross realm case (removed user)"; > messages.log
${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
	{ ec=1 ; eval "${testfailed}"; }
${kadmin} delete remove2@${R2} || exit 1
${kgetcred} ${server}@${R} 2> /dev/null || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "rename user"; > messages.log
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file=${objdir}/foopassword rename@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
${kadmin} rename rename@${R} rename2@${R} || exit 1
${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
${kadmin} delete rename2@${R} || exit 1

echo "rename user to another realm"; > messages.log
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file=${objdir}/foopassword rename@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
${kadmin} rename rename@${R} rename@${R2} || exit 1
${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
${kadmin} delete rename@${R2} || exit 1

echo deleting all but aes enctypes on krbtgt
${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1

echo deleting all but des enctypes on server-des3
${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1

echo "try all permutations (only aes)"; > messages.log
for a in $enctypes; do
	echo "Getting client initial tickets ($a)"; > messages.log
	${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
		{ ec=1 ; eval "${testfailed}"; }
	for b in $enctypes; do
		echo "Getting tickets ($a ->  $b)"; > messages.log
		${kgetcred} -e $b ${server}@${R} || \
			{ ec=1 ; eval "${testfailed}"; }
		./ap-req ${server}@${R} ${keytab} ${cache} || \
			{ ec=1 ; eval "${testfailed}"; }

		echo "Getting tickets ($a ->  $b) (server des3 only)"; > messages.log
		${kgetcred} ${server}-des3@${R} || \
			{ ec=1 ; eval "${testfailed}"; }
		./ap-req ${server}-des3@${R} ${keytab} ${cache} || \
			{ ec=1 ; eval "${testfailed}"; }

		${kdestroy} --credential=${server}@${R}
		${kdestroy} --credential=${server}-des3@${R}
	done
	${kdestroy}
done

echo deleting all enctypes on krbtgt
${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
	{ ec=1 ; eval "${testfailed}"; }
echo "try initial ticket w/o and keys on krbtgt"
${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }
echo "adding random aes key"
${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
	{ ec=1 ; eval "${testfailed}"; }
echo "try initial ticket with random aes key on krbtgt"
${kinit} --password-file=${objdir}/foopassword foo@${R} || \
	{ ec=1 ; eval "${testfailed}"; }

rsa=yes
pkinit=no
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
    rsa=no
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
    rsa=no
fi
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
    pkinit=yes
fi

# If we support pkinit and have RSA, lets try that
if test "$pkinit" = yes -a "$rsa" = yes ; then

    for type in "" "--pk-use-enckey"; do
	echo "Trying pk-init (principal in certificate) $type"; > messages.log
	base="${srcdir}/../../lib/hx509/data"
	${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key bar@${R} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	${kdestroy}

	echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
	${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key foo@${R} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	${kdestroy}

	echo "Trying pk-init (password protected key) $type"; > messages.log
	${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kgetcred} ${server}@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
	${kdestroy}

	echo "Trying pk-init (proxy cert) $type"; > messages.log
	base="${srcdir}/../../lib/hx509/data"
	${kinit} $type -C FILE:${base}/pkinit-proxy-chain.crt,${base}/pkinit-proxy.key foo@${R} || \
		{ ec=1 ; eval "${testfailed}"; }
	${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
	${kdestroy}

    done
else
	echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
fi

echo "tickets for impersonate test case"; > messages.log
${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
	{ ec=1 ; eval "${testfailed}"; }
./ap-req ${ps} ${keytab} ${ocache} || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }
echo test constrained delegation
${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} || \
	{ ec=1 ; eval "${testfailed}"; }
./ap-req ${server}@${R} ${keytab} ${o2cache} || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} bar@${R} 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }

echo "test constrained delegation impersonation (non forward)"; > messages.log
rm -f ocache.krb5
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }

echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log
rm -f ocache.krb5
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
	{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
	{ ec=1 ; eval "${testfailed}"; }

${kdestroy}

echo "check renewing" > messages.log
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }
echo "kinit -R"
${kinit} -R || \
	{ ec=1 ; eval "${testfailed}"; }
echo "check renewing MIT interface" > messages.log
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
	{ ec=1 ; eval "${testfailed}"; }
echo "test_renew"
env KRB5CCNAME=${cache} ${test_renew} || \
	{ ec=1 ; eval "${testfailed}"; }
${kdestroy}


echo "killing kdc (${kdcpid})"
kill $kdcpid || exit 1

trap "" EXIT

exit $ec

Man Man