5 realm = K5Realm(create_host=False, start_kadmind=True)
7 # Test password quality enforcement.
8 realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol'])
9 realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'pwpol', 'pwuser'])
10 out = realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1)
11 if 'Password is too short' not in out:
12 fail('short password')
13 out = realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'],
15 if 'Password does not contain enough character classes' not in out:
16 fail('insufficient character classes')
17 realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
19 # Test some password history enforcement. Even with no history value,
20 # the current password should be denied.
21 out = realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'],
23 if 'Cannot reuse password' not in out:
24 fail('reuse of current password')
25 realm.run([kadminl, 'modpol', '-history', '2', 'pwpol'])
26 realm.run([kadminl, 'cpw', '-pw', 'an0therpw', 'pwuser'])
27 out = realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'],
29 if 'Cannot reuse password' not in out:
30 fail('reuse of old password')
31 realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
32 realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'])
34 # Test references to nonexistent policies.
35 realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'newpol', 'newuser'])
36 out = realm.run([kadminl, 'getprinc', 'newuser'])
37 if 'Policy: newpol [does not exist]\n' not in out:
38 fail('getprinc output for principal referencing nonexistent policy')
39 realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser'])
40 # pwuser should allow reuse of the current password since newpol doesn't exist.
41 realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
42 # Regression test for #8427 (min_life check with nonexistent policy).
43 realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', 'cpw', '-pw',
44 '3rdpassword', 'pwuser'])
46 # Create newpol and verify that it is enforced.
47 realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol'])
48 out = realm.run([kadminl, 'getprinc', 'pwuser'])
49 if 'Policy: newpol\n' not in out:
50 fail('getprinc after creating policy (pwuser)')
51 out = realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1)
52 if 'Password is too short' not in out:
53 fail('short password after creating policy (pwuser)')
54 out = realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'],
56 if 'Cannot reuse password' not in out:
57 fail('reuse of current password after creating policy')
59 out = realm.run([kadminl, 'getprinc', 'newuser'])
60 if 'Policy: newpol\n' not in out:
61 fail('getprinc after creating policy (newuser)')
62 out = realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1)
63 if 'Password is too short' not in out:
64 fail('short password after creating policy (newuser)')
66 # Delete the policy and verify that it is no longer enforced.
67 realm.run([kadminl, 'delpol', 'newpol'])
68 out = realm.run([kadminl, 'getpol', 'newpol'], expected_code=1)
69 if 'Policy does not exist' not in out:
70 fail('deletion of referenced policy')
71 realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'])
73 # Test basic password lockout support.
75 realm.run([kadminl, 'addpol', '-maxfailure', '2', '-failurecountinterval',
77 realm.run([kadminl, 'modprinc', '+requires_preauth', '-policy', 'lockout',
80 # kinit twice with the wrong password.
81 output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
82 if 'Password incorrect while getting initial credentials' not in output:
83 fail('Expected error message not seen in kinit output')
84 output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1)
85 if 'Password incorrect while getting initial credentials' not in output:
86 fail('Expected error message not seen in kinit output')
88 # Now the account should be locked out.
89 output = realm.run([kinit, realm.user_princ], expected_code=1)
90 if 'Client\'s credentials have been revoked while getting initial credentials' \
92 fail('Expected lockout error message not seen in kinit output')
94 # Check that modprinc -unlock allows a further attempt.
95 realm.run([kadminl, 'modprinc', '-unlock', 'user'])
96 realm.kinit(realm.user_princ, password('user'))
98 # Make sure a nonexistent policy reference doesn't prevent authentication.
99 realm.run([kadminl, 'delpol', 'lockout'])
100 realm.kinit(realm.user_princ, password('user'))
102 # Regression test for issue #7099: databases created prior to krb5 1.3 have
103 # multiple history keys, and kadmin prior to 1.7 didn't necessarily use the
104 # first one to create history entries.
107 realm = K5Realm(start_kdc=False)
108 # Create a history principal with two keys.
109 realm.run(['./hist', 'make'])
110 realm.run([kadminl, 'addpol', '-history', '2', 'pol'])
111 realm.run([kadminl, 'modprinc', '-policy', 'pol', 'user'])
112 realm.run([kadminl, 'cpw', '-pw', 'pw2', 'user'])
113 # Swap the keys, simulating older kadmin having chosen the second entry.
114 realm.run(['./hist', 'swap'])
115 # Make sure we can read the history entry.
116 out = realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'],
118 if 'Cannot reuse password' not in out:
119 fail('Expected error not seen in output')
121 # Test key/salt constraints.
124 krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}}
125 realm = K5Realm(krb5_conf=krb5_conf1, create_host=False, get_creds=False)
128 realm.run([kadminl, 'addpol', '-allowedkeysalts', 'aes256-cts', 'ak'])
129 realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server'])
131 # Test with one-enctype allowed_keysalts.
132 realm.run([kadminl, 'modprinc', '-policy', 'ak', 'server'])
133 out = realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes128-cts', 'server'],
135 if not 'Invalid key/salt tuples' in out:
136 fail('allowed_keysalts policy not applied properly')
137 realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server'])
139 # Now test a multi-enctype allowed_keysalts. Test that subsets are allowed,
140 # the the complete set is allowed, that order doesn't matter, and that
141 # enctypes outside the set are not allowed.
144 realm.run([kadminl, 'modpol', '-allowedkeysalts', 'aes256-cts,rc4-hmac', 'ak'])
145 out = realm.run([kadminl, 'getpol', 'ak'])
146 if not 'Allowed key/salt types: aes256-cts,rc4-hmac' in out:
147 fail('getpol does not implement allowedkeysalts?')
149 # Test subsets and full set.
150 realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac', 'server'])
151 realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server'])
152 realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,rc4-hmac', 'server'])
153 realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts', 'server'])
155 # Check that the order we got is the one from the policy.
156 out = realm.run([kadminl, 'getprinc', '-terse', 'server'])
157 if not '2\t1\t6\t18\t0\t1\t6\t23\t0' in out:
158 fail('allowed_keysalts policy did not preserve order')
160 # Test partially intersecting sets.
161 out = realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts',
162 'server'], expected_code=1)
163 if not 'Invalid key/salt tuples' in out:
164 fail('allowed_keysalts policy not applied properly')
165 out = realm.run([kadminl, 'cpw', '-randkey', '-e',
166 'rc4-hmac,aes256-cts,aes128-cts', 'server'], expected_code=1)
167 if not 'Invalid key/salt tuples' in out:
168 fail('allowed_keysalts policy not applied properly')
170 # Test reset of allowedkeysalts.
171 realm.run([kadminl, 'modpol', '-allowedkeysalts', '-', 'ak'])
172 out = realm.run([kadminl, 'getpol', 'ak'])
173 if 'Allowed key/salt types' in out:
174 fail('failed to clear allowedkeysalts')
175 realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes128-cts', 'server'])
177 success('Policy tests')