# Test krbtgt (TGS) key rollover.  The realm starts with a DES krbtgt key,
# rolls it to AES while keeping the old key, and checks at each step which
# cached TGTs the KDC still honors.  Later sections cover the single-key-
# per-kvno rule for local TGS requests and a cross-realm TGT rollover.
# NOTE(review): this listing is missing some continuation lines (the
# trailing argument of several multi-line realm.run() calls) -- confirm
# against the source file before relying on it.

# Weak enctypes are disabled by default; this test-only setting is needed
# because the realm below is created with a DES krbtgt key.
4 rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}}
# Start with a DES krbtgt key so the rollover to AES below is observable in
# the klist -e output checked later.
6 realm = K5Realm(krbtgt_keysalt='des-cbc-crc:normal',
7 krb5_conf=rollover_krb5_conf)
# Two service principals: princ1 is contacted while the old krbtgt key is
# still kept, princ2 after it has been purged.
9 princ1 = 'host/test1@%s' % (realm.realm,)
10 princ2 = 'host/test2@%s' % (realm.realm,)
11 realm.addprinc(princ1)
12 realm.addprinc(princ2)
# Fetch a service ticket under the initial krbtgt key.  Presumably the
# K5Realm setup already obtained a TGT for user_princ -- not visible here.
14 realm.run([kvno, realm.host_princ])
16 # Change key for TGS, keeping old key.
# -keepold retains the previous (DES) krbtgt key so TGTs issued under it
# remain decryptable by the KDC.
17 realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', '-keepold',
# NOTE(review): the argument list continues on a line missing from this
# listing; the target is presumably realm.krbtgt_princ -- confirm.
20 # Ensure that kvno still works with an old TGT.
21 realm.run([kvno, princ1])
# Drop the old krbtgt key that -keepold retained above.
23 realm.run([kadminl, 'purgekeys', realm.krbtgt_princ])
24 # Make sure an old TGT fails after purging old TGS key.
# expected_code=1: the cached TGT was encrypted under the purged key, so the
# KDC can no longer decrypt it and the request must fail.
25 realm.run([kvno, princ2], expected_code=1)
# The ccache still holds the TGT issued under the old key; klist -e must
# report DES for it.
26 output = realm.run([klist, '-e'])
28 expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \
29 (realm.realm, realm.realm)
31 if expected not in output:
32 fail('keyrollover: expected TGS enctype not found')
34 # Check that new key actually works.
# A fresh kinit obtains a TGT under the current (AES) krbtgt key.
35 realm.kinit(realm.user_princ, password('user'))
36 realm.run([kvno, realm.host_princ])
37 output = realm.run([klist, '-e'])
39 expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \
40 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \
41 (realm.realm, realm.realm)
43 if expected not in output:
44 fail('keyrollover: expected TGS enctype not found after change')
46 # Test that the KDC only accepts the first enctype for a kvno, for a
47 # local-realm TGS request. To set this up, we abuse an edge-case
48 # behavior of modprinc -kvno. First, set up a DES3 krbtgt entry at
49 # kvno 1 and cache a krbtgt ticket.
50 realm.run([kadminl, 'cpw', '-randkey', '-e', 'des3-cbc-sha1',
# NOTE(review): continuation line (presumably realm.krbtgt_princ]) is
# missing from this listing.
52 realm.run([kadminl, 'modprinc', '-kvno', '1', realm.krbtgt_princ])
53 realm.kinit(realm.user_princ, password('user'))
54 # Add an AES krbtgt entry at kvno 2, and then reset it to kvno 1
55 # (modprinc -kvno sets the kvno on all entries without deleting any).
56 realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-cts',
# NOTE(review): continuation line (presumably realm.krbtgt_princ]) is
# missing from this listing.
58 realm.run([kadminl, 'modprinc', '-kvno', '1', realm.krbtgt_princ])
# Sanity-check the setup: both an AES and a DES3 key must now share kvno 1.
59 out = realm.run([kadminl, 'getprinc', realm.krbtgt_princ])
60 if 'vno 1, aes256' not in out or 'vno 1, des3' not in out:
61 fail('keyrollover: setup for TGS enctype test failed')
62 # Now present the DES3 ticket to the KDC and make sure it's rejected.
# Rejection shows the KDC does not fall back to other keys stored at the
# same kvno: only the first (AES) entry for kvno 1 is used to decrypt TGTs.
63 realm.run([kvno, realm.host_princ], expected_code=1)
67 # Test a cross-realm TGT key rollover scenario where realm 1 mimics
68 # the Active Directory behavior of always using kvno 0 when issuing
69 # cross-realm TGTs. The first kvno invocation caches a cross-realm
70 # TGT with the old key, and the second kvno invocation sends it to
71 # r2's KDC with no kvno to identify it, forcing the KDC to try
# NOTE(review): the rest of this sentence is missing from this listing.
# cross_realms(2) presumably returns two realms with a trust between them.
73 r1, r2 = cross_realms(2)
# The cross-realm principal as seen from r1 (issuer) for tickets to r2.
74 crosstgt_princ = 'krbtgt/%s@%s' % (r2.realm, r1.realm)
75 r1.run([kadminl, 'modprinc', '-kvno', '0', crosstgt_princ])
# Cache a cross-realm TGT issued under the old cross-realm key, kvno 0.
76 r1.run([kvno, r2.host_princ])
# Roll the shared cross-realm key on both sides; r2 keeps the old key so it
# can still verify the TGT cached above.
77 r2.run([kadminl, 'cpw', '-pw', 'newcross', '-keepold', crosstgt_princ])
78 r1.run([kadminl, 'cpw', '-pw', 'newcross', crosstgt_princ])
# cpw bumped the kvno; force it back to 0 to keep mimicking AD.
79 r1.run([kadminl, 'modprinc', '-kvno', '0', crosstgt_princ])
# No expected_code: this must succeed, meaning r2's KDC located the old key
# without a kvno hint.
80 r1.run([kvno, r2.user_princ])
82 success('keyrollover')