4 realm = K5Realm(create_host=False, start_kadmind=True)
6 # Test password quality enforcement.
7 mark('password quality')
8 realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol'])
9 realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'pwpol', 'pwuser'])
10 realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1,
11 expected_msg='Password is too short')
12 realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'], expected_code=1,
13 expected_msg='Password does not contain enough character classes')
14 realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
16 # Test some password history enforcement. Even with no history value,
17 # the current password should be denied.
18 mark('password history')
19 realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1,
20 expected_msg='Cannot reuse password')
21 realm.run([kadminl, 'modpol', '-history', '2', 'pwpol'])
22 realm.run([kadminl, 'cpw', '-pw', 'an0therpw', 'pwuser'])
23 realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1,
24 expected_msg='Cannot reuse password')
25 realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
26 realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
28 # Test references to nonexistent policies.
29 mark('nonexistent policy references')
30 realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'newpol', 'newuser'])
31 realm.run([kadminl, 'getprinc', 'newuser'],
32 expected_msg='Policy: newpol [does not exist]\n')
33 realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser'])
34 # pwuser should allow reuse of the current password since newpol doesn't exist.
35 realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
36 # Regression test for #8427 (min_life check with nonexistent policy).
37 realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', 'cpw', '-pw',
38 '3rdpassword', 'pwuser'])
40 # Create newpol and verify that it is enforced.
41 mark('create referenced policy')
42 realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol'])
43 realm.run([kadminl, 'getprinc', 'pwuser'], expected_msg='Policy: newpol\n')
44 realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1,
45 expected_msg='Password is too short')
46 realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'], expected_code=1,
47 expected_msg='Cannot reuse password')
49 realm.run([kadminl, 'getprinc', 'newuser'], expected_msg='Policy: newpol\n')
50 realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1,
51 expected_msg='Password is too short')
53 # Delete the policy and verify that it is no longer enforced.
54 mark('delete referenced policy')
55 realm.run([kadminl, 'delpol', 'newpol'])
56 realm.run([kadminl, 'getpol', 'newpol'], expected_code=1,
57 expected_msg='Policy does not exist')
58 realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'])
60 # Test basic password lockout support.
61 mark('password lockout')
63 for realm in multidb_realms(create_host=False):
64 realm.run([kadminl, 'addpol', '-maxfailure', '2', '-failurecountinterval',
66 realm.run([kadminl, 'modprinc', '+requires_preauth', '-policy', 'lockout',
69 # kinit twice with the wrong password.
70 msg = 'Password incorrect while getting initial credentials'
71 realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
73 realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
76 # Now the account should be locked out.
77 msg = 'credentials have been revoked while getting initial credentials'
78 realm.run([kinit, realm.user_princ], expected_code=1, expected_msg=msg)
80 # Check that modprinc -unlock allows a further attempt.
81 realm.run([kadminl, 'modprinc', '-unlock', 'user'])
82 realm.kinit(realm.user_princ, password('user'))
84 # Make sure a nonexistent policy reference doesn't prevent authentication.
85 realm.run([kadminl, 'delpol', 'lockout'])
86 realm.kinit(realm.user_princ, password('user'))
88 # Regression test for issue #7099: databases created prior to krb5 1.3 have
89 # multiple history keys, and kadmin prior to 1.7 didn't necessarily use the
90 # first one to create history entries.
91 mark('#7099 regression test')
92 realm = K5Realm(start_kdc=False)
93 # Create a history principal with two keys.
94 realm.run(['./hist', 'make'])
95 realm.run([kadminl, 'addpol', '-history', '2', 'pol'])
96 realm.run([kadminl, 'modprinc', '-policy', 'pol', 'user'])
97 realm.run([kadminl, 'cpw', '-pw', 'pw2', 'user'])
98 # Swap the keys, simulating older kadmin having chosen the second entry.
99 realm.run(['./hist', 'swap'])
100 # Make sure we can read the history entry.
101 realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'], expected_code=1,
102 expected_msg='Cannot reuse password')
104 # Test key/salt constraints.
105 mark('allowedkeysalts')
108 krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}}
109 realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False)
112 realm.run([kadminl, 'addpol', '-allowedkeysalts', 'aes256-cts', 'ak'])
113 realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
115 # Test with one-enctype allowed_keysalts.
116 realm.run([kadminl, 'modprinc', '-policy', 'ak', 'server'])
117 out = realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes128-cts', 'server'],
119 if not 'Invalid key/salt tuples' in out:
120 fail('allowed_keysalts policy not applied properly')
121 realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server'])
123 # Now test a multi-enctype allowed_keysalts. Test that subsets are allowed,
124 # the the complete set is allowed, that order doesn't matter, and that
125 # enctypes outside the set are not allowed.
128 realm.run([kadminl, 'modpol', '-allowedkeysalts', 'aes256-cts,rc4-hmac', 'ak'])
129 realm.run([kadminl, 'getpol', 'ak'],
130 expected_msg='Allowed key/salt types: aes256-cts,rc4-hmac')
132 # Test subsets and full set.
133 realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac', 'server'])
134 realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server'])
135 realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,rc4-hmac', 'server'])
136 realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts', 'server'])
138 # Check that the order we got is the one from the policy.
139 realm.run([kadminl, 'getprinc', '-terse', 'server'],
140 expected_msg='2\t1\t6\t18\t0\t1\t6\t23\t0')
142 # Test partially intersecting sets.
143 realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts', 'server'],
144 expected_code=1, expected_msg='Invalid key/salt tuples')
145 realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts,aes128-cts',
146 'server'], expected_code=1, expected_msg='Invalid key/salt tuples')
148 # Test reset of allowedkeysalts.
149 realm.run([kadminl, 'modpol', '-allowedkeysalts', '-', 'ak'])
150 out = realm.run([kadminl, 'getpol', 'ak'])
151 if 'Allowed key/salt types' in out:
152 fail('failed to clear allowedkeysalts')
153 realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes128-cts', 'server'])
155 success('Policy tests')