krb5 commit: Add kadmin support for principals without keys

Greg Hudson ghudson at MIT.EDU
Tue Jul 16 10:46:48 EDT 2013


https://github.com/krb5/krb5/commit/57d0b4b300e43722ae9f080fbf132edeb3834323
commit 57d0b4b300e43722ae9f080fbf132edeb3834323
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Jul 9 10:58:49 2013 -0400

    Add kadmin support for principals without keys
    
    Add kadmin support for "addprinc -nokey", which creates a principal
    with no keys, and "purgekeys -all", which deletes all keys from a
    principal.  The KDC was modified by #7630 to support principals
    without keys.
    
    ticket: 7679 (new)

 doc/admin/admin_commands/kadmin_local.rst |   10 +++-
 src/kadmin/cli/kadmin.c                   |   49 ++++++++++++++------
 src/lib/kadm5/admin.h                     |    1 +
 src/lib/kadm5/srv/svr_principal.c         |   11 +++-
 src/tests/Makefile.in                     |    1 +
 src/tests/dumpfiles/dump                  |    1 +
 src/tests/dumpfiles/dump.b7               |    1 +
 src/tests/dumpfiles/dump.ov               |    1 +
 src/tests/dumpfiles/dump.r13              |    1 +
 src/tests/dumpfiles/dump.r18              |    1 +
 src/tests/t_dump.py                       |    3 +
 src/tests/t_keydata.py                    |   70 +++++++++++++++++++++++++++++
 12 files changed, 130 insertions(+), 20 deletions(-)

diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 39351df..a291b67 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -287,6 +287,10 @@ Options:
 **-randkey**
     Sets the key of the principal to a random value.
 
+**-nokey**
+    Causes the principal to be created with no key.  New in release
+    1.12.
+
 **-pw** *password*
     Sets the password of the principal to the specified string and
     does not prompt for a password.  Note: using this option in a
@@ -450,11 +454,13 @@ Example:
 purgekeys
 ~~~~~~~~~
 
-    **purgekeys** [**-keepkvno** *oldest_kvno_to_keep*] *principal*
+    **purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal*
 
 Purges previously retained old keys (e.g., from **change_password
 -keepold**) from *principal*.  If **-keepkvno** is specified, then
-only purges keys with kvnos lower than *oldest_kvno_to_keep*.
+only purges keys with kvnos lower than *oldest_kvno_to_keep*.  If
+**-all** is specified, then all keys are purged.  The **-all** option
+is new in release 1.12.
 
 This command requires the **modify** privilege.
 
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 6f6a8ba..b2b464b 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -940,8 +940,8 @@ unlock_princ(kadm5_principal_ent_t princ, long *mask, const char *caller)
 static int
 kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
                         long *mask, char **pass, krb5_boolean *randkey,
-                        krb5_key_salt_tuple **ks_tuple, int *n_ks_tuple,
-                        char *caller)
+                        krb5_boolean *nokey, krb5_key_salt_tuple **ks_tuple,
+                        int *n_ks_tuple, char *caller)
 {
     int i, attrib_set;
     size_t j;
@@ -955,6 +955,7 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
     *ks_tuple = NULL;
     time(&now);
     *randkey = FALSE;
+    *nokey = FALSE;
     for (i = 1; i < argc - 1; i++) {
         attrib_set = 0;
         if (!strcmp("-x",argv[i])) {
@@ -1048,6 +1049,10 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
             *randkey = TRUE;
             continue;
         }
+        if (!strcmp("-nokey", argv[i])) {
+            *nokey = TRUE;
+            continue;
+        }
         if (!strcmp("-unlock", argv[i])) {
             unlock_princ(oprinc, mask, caller);
             continue;
@@ -1104,9 +1109,9 @@ kadmin_addprinc_usage()
     fprintf(stderr, _("usage: add_principal [options] principal\n"));
     fprintf(stderr, _("\toptions are:\n"));
     fprintf(stderr,
-            _("\t\t[-x db_princ_args]* [-expire expdate] "
+            _("\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] "
               "[-pwexpire pwexpdate] [-maxlife maxtixlife]\n"
-              "\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n"
+              "\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n"
               "\t\t[-pw password] [-maxrenewlife maxrenewlife]\n"
               "\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n")
     );
@@ -1170,7 +1175,7 @@ kadmin_addprinc(int argc, char *argv[])
 {
     kadm5_principal_ent_rec princ;
     long mask;
-    krb5_boolean randkey = FALSE, old_style_randkey = FALSE;
+    krb5_boolean randkey = FALSE, nokey = FALSE, old_style_randkey = FALSE;
     int n_ks_tuple;
     krb5_key_salt_tuple *ks_tuple = NULL;
     char *pass, *canon = NULL;
@@ -1183,7 +1188,8 @@ kadmin_addprinc(int argc, char *argv[])
 
     princ.attributes = 0;
     if (kadmin_parse_princ_args(argc, argv, &princ, &mask, &pass, &randkey,
-                                &ks_tuple, &n_ks_tuple, "add_principal")) {
+                                &nokey, &ks_tuple, &n_ks_tuple,
+                                "add_principal")) {
         kadmin_addprinc_usage();
         goto cleanup;
     }
@@ -1214,7 +1220,10 @@ kadmin_addprinc(int argc, char *argv[])
     /* Don't send KADM5_POLICY_CLR to the server. */
     mask &= ~KADM5_POLICY_CLR;
 
-    if (randkey) {
+    if (nokey) {
+        pass = NULL;
+        mask |= KADM5_KEY_DATA;
+    } else if (randkey) {
         pass = NULL;
     } else if (pass == NULL) {
         unsigned int sz = sizeof(newpw) - 1;
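Review bot: `-nokey` silently wins over `-randkey` and discards a `-pw` password, because the new branch sets `pass = NULL` without checking the other key options; the parser in kadmin_parse_princ_args accepts all three together. Rejecting the conflict before this point, e.g. `if (nokey && (randkey || pass != NULL)) { kadmin_addprinc_usage(); goto cleanup; }`, would avoid creating a keyless principal when the operator also supplied a password. The test in t_keydata.py does not cover the combined case. kadmin_addprinc's body starts and ends outside the hunk, so it is not visible whether `princ.n_key_data` is guaranteed to be zero when `KADM5_KEY_DATA` is added to the mask here; worth a one-line comment if it relies on an earlier memset.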
@@ -1245,6 +1254,11 @@ kadmin_addprinc(int argc, char *argv[])
         retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass);
         old_style_randkey = 1;
     }
+    if (retval == KADM5_BAD_MASK && nokey) {
+        fprintf(stderr, _("Admin server does not support -nokey while "
+                          "creating \"%s\"\n"), canon);
+        goto cleanup;
+    }
     if (retval) {
         com_err("add_principal", retval, "while creating \"%s\".", canon);
         goto cleanup;
@@ -1283,7 +1297,7 @@ kadmin_modprinc(int argc, char *argv[])
     long mask;
     krb5_error_code retval;
     char *pass, *canon = NULL;
-    krb5_boolean randkey = FALSE;
+    krb5_boolean randkey = FALSE, nokey = FALSE;
     int n_ks_tuple = 0;
     krb5_key_salt_tuple *ks_tuple = NULL;
 
@@ -1316,10 +1330,10 @@ kadmin_modprinc(int argc, char *argv[])
     kadm5_free_principal_ent(handle, &oldprinc);
     retval = kadmin_parse_princ_args(argc, argv,
                                      &princ, &mask,
-                                     &pass, &randkey,
+                                     &pass, &randkey, &nokey,
                                      &ks_tuple, &n_ks_tuple,
                                      "modify_principal");
-    if (retval || ks_tuple != NULL || randkey || pass) {
+    if (retval || ks_tuple != NULL || randkey || nokey || pass) {
         kadmin_modprinc_usage();
         goto cleanup;
     }
@@ -1801,13 +1815,15 @@ kadmin_purgekeys(int argc, char *argv[])
     if (argc == 4 && strcmp(argv[1], "-keepkvno") == 0) {
         keepkvno = atoi(argv[2]);
         pname = argv[3];
-    }
-    if (argc == 2) {
+    } else if (argc == 3 && strcmp(argv[1], "-all") == 0) {
+        keepkvno = KRB5_INT32_MAX;
+        pname = argv[2];
+    } else if (argc == 2) {
         pname = argv[1];
     }
     if (pname == NULL) {
-        fprintf(stderr, _("usage: purgekeys [-keepkvno oldest_kvno_to_keep] "
-                          "principal\n"));
+        fprintf(stderr, _("usage: purgekeys "
+                          "[-all|-keepkvno oldest_kvno_to_keep] principal\n"));
         return;
     }
 
@@ -1830,7 +1846,10 @@ kadmin_purgekeys(int argc, char *argv[])
         goto cleanup;
     }
 
-    printf(_("Old keys for principal \"%s\" purged.\n"), canon);
+    if (keepkvno == KRB5_INT32_MAX)
+        printf(_("All keys for principal \"%s\" removed.\n"), canon);
+    else
+        printf(_("Old keys for principal \"%s\" purged.\n"), canon);
 cleanup:
     krb5_free_principal(context, princ);
     free(canon);
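Review bot: The `keepkvno == KRB5_INT32_MAX` comparison here, and its assignment in the preceding hunk, overload the kvno value as the "-all" marker, so an explicit `-keepkvno 2147483647` also prints "All keys ... removed." and the two intents cannot be told apart later. A dedicated flag, `krb5_boolean all = FALSE;` set in the `-all` branch and tested as `if (all)` here, keeps `keepkvno` a plain kvno while still passing KRB5_INT32_MAX to the purge call. kadmin_purgekeys starts outside both hunks.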
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index 189ca45..8f377f8 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -110,6 +110,7 @@ typedef long            kadm5_ret_t;
 #define KADM5_RANDKEY_USED      0x100000
 #endif
 #define KADM5_LOAD              0x200000
+#define KADM5_NOKEY             0x400000
 
 /* all but KEY_DATA, TL_DATA, LOAD */
 #define KADM5_PRINCIPAL_NORMAL_MASK 0x41ffff
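Review bot: `KADM5_NOKEY` is added to the public mask namespace but nothing else in this diff references it; the client conveys "no keys" as `KADM5_KEY_DATA` with `n_key_data == 0` (kadmin.c and svr_principal.c), so a reader will assume the wrong wire convention. Either drop the define until a use lands or annotate it, e.g. `/* Reserved; "create with no keys" is currently signalled by KADM5_KEY_DATA with an empty key list. */`. Note that 0x400000 is excluded from KADM5_PRINCIPAL_NORMAL_MASK on the next line, which is presumably intended.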
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 2bb8711..d6035b0 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -385,8 +385,10 @@ kadm5_create_principal_3(void *server_handle,
     if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
        (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
        (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
-       (mask & KADM5_KEY_DATA) || (mask & KADM5_LAST_SUCCESS) ||
-       (mask & KADM5_LAST_FAILED) || (mask & KADM5_FAIL_AUTH_COUNT))
+       (mask & KADM5_LAST_SUCCESS) || (mask & KADM5_LAST_FAILED) ||
+       (mask & KADM5_FAIL_AUTH_COUNT))
+        return KADM5_BAD_MASK;
+    if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
         return KADM5_BAD_MASK;
     if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
         return KADM5_BAD_MASK;
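Review bot: The new `n_key_data != 0` check changes what `KADM5_KEY_DATA` means on create without saying so; a comment would prevent the next maintainer from "fixing" it back. Something like `/* KADM5_KEY_DATA is allowed on create only as an empty key list, meaning "create with no keys"; client-supplied keys are still rejected. */` above the check makes the contract explicit, and it is the server-side validation of client-controlled `entry->n_key_data`. The `assert(entry->n_key_data == 0)` in the later hunk compiles out under NDEBUG, which is fine only because this check runs first; a comment there pointing back here would make that dependency visible. kadm5_create_principal_3 starts and ends outside both hunks.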
@@ -515,7 +517,10 @@ kadm5_create_principal_3(void *server_handle,
     if (ret)
         goto cleanup;
 
-    if (password) {
+    if (mask & KADM5_KEY_DATA) {
+        /* The client requested no keys for this principal. */
+        assert(entry->n_key_data == 0);
+    } else if (password) {
         ret = krb5_dbe_cpw(handle->context, act_mkey, new_ks_tuple,
                            new_n_ks_tuple, password,
                            (mask & KADM5_KVNO)?entry->kvno:1,
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index bf09738..3c61b18 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -104,6 +104,7 @@ check-pytests:: gcred hist kdbtest plugorder t_init_creds t_localauth
 	$(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kadmin_acl.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kdb.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_keydata.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
diff --git a/src/tests/dumpfiles/dump b/src/tests/dumpfiles/dump
index 27378d8..15ff878 100644
--- a/src/tests/dumpfiles/dump
+++ b/src/tests/dumpfiles/dump
@@ -5,6 +5,7 @@ princ	38	24	4	4	0	kadmin/admin at KRBTEST.COM	4	10800	0	0	0	0	0	0	3	24	12345c010000
 princ	38	27	4	4	0	kadmin/changepw at KRBTEST.COM	8196	300	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	26	b93e10516b6462355f7574696c404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5	1	1	17	46	1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865	1	1	16	54	18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef	1	1	23	46	10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b	-1;
 princ	38	38	4	4	0	kadmin/equal-rites.mit.edu at KRBTEST.COM	4	10800	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	26	b93e10516b6462355f7574696c404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff	1	1	17	46	100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1	1	1	16	54	1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5	1	1	23	46	1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007	-1;
 princ	38	30	1	4	0	krbtgt/KRBTEST.COM at KRBTEST.COM	0	86400	0	0	0	0	0	0	2	28	b93e105164625f6372656174696f6e404b5242544553542e434f4d00	1	1	18	62	2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c	1	1	17	46	1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8	1	1	16	54	18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2	1	1	23	46	10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b	-1;
+princ	38	18	4	0	0	nokeys at KRBTEST.COM	0	86400	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	27	d931dc51757365722f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	d931dc51	-1;
 princ	38	22	4	4	0	user/admin at KRBTEST.COM	0	86400	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	30	b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae	1	1	17	46	100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373	1	1	16	54	18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2	1	1	23	46	1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090	-1;
 princ	38	16	4	4	0	user at KRBTEST.COM	0	86400	0	0	0	0	0	0	3	32	12345c010000000874657374706f6c0000000800000000000000000200000000	2	27	d73e1051757365722f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10	1	1	17	46	10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf	1	1	16	54	18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335	1	1	23	46	1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5	-1;
 policy	testpol	0	0	1	3	1	0	0	0	0	0	0	0	-	0
diff --git a/src/tests/dumpfiles/dump.b7 b/src/tests/dumpfiles/dump.b7
index 6b810c9..8d53401 100644
--- a/src/tests/dumpfiles/dump.b7
+++ b/src/tests/dumpfiles/dump.b7
@@ -5,6 +5,7 @@ princ	38	24	3	4	0	kadmin/admin at KRBTEST.COM	4	10800	0	0	0	0	0	0	2	26	b93e10516b64
 princ	38	27	3	4	0	kadmin/changepw at KRBTEST.COM	8196	300	0	0	0	0	0	0	2	26	b93e10516b6462355f7574696c404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5	1	1	17	46	1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865	1	1	16	54	18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef	1	1	23	46	10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b	-1;
 princ	38	38	3	4	0	kadmin/equal-rites.mit.edu at KRBTEST.COM	4	10800	0	0	0	0	0	0	2	26	b93e10516b6462355f7574696c404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff	1	1	17	46	100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1	1	1	16	54	1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5	1	1	23	46	1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007	-1;
 princ	38	30	1	4	0	krbtgt/KRBTEST.COM at KRBTEST.COM	0	86400	0	0	0	0	0	0	2	28	b93e105164625f6372656174696f6e404b5242544553542e434f4d00	1	1	18	62	2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c	1	1	17	46	1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8	1	1	16	54	18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2	1	1	23	46	10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b	-1;
+princ	38	18	3	0	0	nokeys at KRBTEST.COM	0	86400	0	0	0	0	0	0	2	27	d931dc51757365722f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	d931dc51	-1;
 princ	38	22	3	4	0	user/admin at KRBTEST.COM	0	86400	0	0	0	0	0	0	2	30	b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae	1	1	17	46	100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373	1	1	16	54	18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2	1	1	23	46	1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090	-1;
 princ	38	16	3	4	0	user at KRBTEST.COM	0	86400	0	0	0	0	0	0	2	27	d73e1051757365722f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10	1	1	17	46	10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf	1	1	16	54	18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335	1	1	23	46	1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5	-1;
 policy	testpol	0	0	1	3	1	0
diff --git a/src/tests/dumpfiles/dump.ov b/src/tests/dumpfiles/dump.ov
index 35d99ba..285bef9 100644
--- a/src/tests/dumpfiles/dump.ov
+++ b/src/tests/dumpfiles/dump.ov
@@ -3,6 +3,7 @@ princ	host/equal-rites.mit.edu at KRBTEST.COM		0	0	0	2
 princ	kadmin/admin at KRBTEST.COM		0	0	0	2
 princ	kadmin/changepw at KRBTEST.COM		0	0	0	2
 princ	kadmin/equal-rites.mit.edu at KRBTEST.COM		0	0	0	2
+princ	nokeys at KRBTEST.COM		0	0	0	2
 princ	user/admin at KRBTEST.COM		0	0	0	2
 princ	user at KRBTEST.COM	testpol	800	0	0	2
 policy	testpol	0	0	1	3	1	0
diff --git a/src/tests/dumpfiles/dump.r13 b/src/tests/dumpfiles/dump.r13
index 8faba2b..c15a75e 100644
--- a/src/tests/dumpfiles/dump.r13
+++ b/src/tests/dumpfiles/dump.r13
@@ -5,6 +5,7 @@ princ	38	24	4	4	0	kadmin/admin at KRBTEST.COM	4	10800	0	0	0	0	0	0	3	24	12345c010000
 princ	38	27	4	4	0	kadmin/changepw at KRBTEST.COM	8196	300	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	26	b93e10516b6462355f7574696c404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5	1	1	17	46	1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865	1	1	16	54	18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef	1	1	23	46	10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b	-1;
 princ	38	38	4	4	0	kadmin/equal-rites.mit.edu at KRBTEST.COM	4	10800	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	26	b93e10516b6462355f7574696c404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff	1	1	17	46	100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1	1	1	16	54	1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5	1	1	23	46	1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007	-1;
 princ	38	30	1	4	0	krbtgt/KRBTEST.COM at KRBTEST.COM	0	86400	0	0	0	0	0	0	2	28	b93e105164625f6372656174696f6e404b5242544553542e434f4d00	1	1	18	62	2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c	1	1	17	46	1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8	1	1	16	54	18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2	1	1	23	46	10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b	-1;
+princ	38	18	4	0	0	nokeys at KRBTEST.COM	0	86400	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	27	d931dc51757365722f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	d931dc51	-1;
 princ	38	22	4	4	0	user/admin at KRBTEST.COM	0	86400	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	30	b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae	1	1	17	46	100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373	1	1	16	54	18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2	1	1	23	46	1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090	-1;
 princ	38	16	4	4	0	user at KRBTEST.COM	0	86400	0	0	0	0	0	0	3	32	12345c010000000874657374706f6c0000000800000000000000000200000000	2	27	d73e1051757365722f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10	1	1	17	46	10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf	1	1	16	54	18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335	1	1	23	46	1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5	-1;
 policy	testpol	0	0	1	3	1	0
diff --git a/src/tests/dumpfiles/dump.r18 b/src/tests/dumpfiles/dump.r18
index 41ca05e..b352fa2 100644
--- a/src/tests/dumpfiles/dump.r18
+++ b/src/tests/dumpfiles/dump.r18
@@ -5,6 +5,7 @@ princ	38	24	4	4	0	kadmin/admin at KRBTEST.COM	4	10800	0	0	0	0	0	0	3	24	12345c010000
 princ	38	27	4	4	0	kadmin/changepw at KRBTEST.COM	8196	300	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	26	b93e10516b6462355f7574696c404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	200015daf7bc8073eae166b03231330b81b78cfd6021d3dcf3700862dc98725c5bb549a72aa2ae8eef37dc2db5acc59cc62600f72052c6238ef216dd24a5	1	1	17	46	1000c1e176f253d6292fe4e34b2edfbdd5ff81ff3e17b38c2a674bd738d20fc40a4ed38a02351f4a9872123fb865	1	1	16	54	18008bf3418871e7d117af489798fbbcc031c534e095b4e4ed6cb110c7d87a91e5fb6c080c77616618db80ed37589fcc0ca8328406ef	1	1	23	46	10007a522025d2e7126dc48d76218e9efb3ff4326a3b5969be0deac108657a9d23c7827ec39b828fd43e51ea114b	-1;
 princ	38	38	4	4	0	kadmin/equal-rites.mit.edu at KRBTEST.COM	4	10800	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	26	b93e10516b6462355f7574696c404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	200045a2e5b79c5787bfc68700d3abc0034cc91d48f10636c35e1a571c41c4e6892caceeda8808bfa46aa4050a6d33d99cb64d237f645af6741e90c723ff	1	1	17	46	100073b99fecd81b4fe113b10852065c15e75ed7d256d2d242b3cca57317c28c7fece4bda797f116309ea5bc2eb1	1	1	16	54	1800bd05672170b5d04cb62394498988f3844b744a0793ac435d044e67ed0ee50d20c408b30cec599c169378b0ad2a4967f42aef38e5	1	1	23	46	1000a1a515e0fe322980f319752bf85dd405ca2bdda148009654584b70f50d38c532df1c2d0a3c56f9758775b007	-1;
 princ	38	30	1	4	0	krbtgt/KRBTEST.COM at KRBTEST.COM	0	86400	0	0	0	0	0	0	2	28	b93e105164625f6372656174696f6e404b5242544553542e434f4d00	1	1	18	62	2000582c9aaf26c4a0abf13600baf37718c91e15dca02385e346cf5d2730d28b2302677f23d02791299548b45e1ced0b05cd30062617bff7532885d7889c	1	1	17	46	1000122eb47263d7837771ebbf7ad82163cc2ea7674a417944c0cbf186522fc0e74a73affd4a42fb9fda287be4f8	1	1	16	54	18008cd8064aea468f13f36ae13ecd4f993d87ef6bafcb2dc5101ad903200ffe3d5c265b2f0c71a6c07ec60d259b6862825cc77a70b2	1	1	23	46	10001699ad0304644456106328fbd733bd5c524f20d4b5d8b8e370eff196803b5990ee7e9eb4b6c2214cf327f59b	-1;
+princ	38	18	4	0	0	nokeys at KRBTEST.COM	0	86400	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	27	d931dc51757365722f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	d931dc51	-1;
 princ	38	22	4	4	0	user/admin at KRBTEST.COM	0	86400	0	0	0	0	0	0	3	24	12345c010000000000000000000000000000000200000000	2	30	b93e105167687564736f6e2f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	20002db4cd2b0824c44a17cdbb2d180a1ec9956db35d74741826ed0d77eaef9abdb20c481d5ab9f511d5a3e6b8def443382f03d247568d81529e5dd17fae	1	1	17	46	100011d7cc3627468d565d398cffd735a3cc9d3705cd9846cede198c7d07f4e8209cd9192bc6c5f127169c00f373	1	1	16	54	18002bd9dc3388c90055844b3b4c5c2a814d73758f226d44d7dc5e35ef3b65e7d80cd604a4ef2a5769106818c3d813956bbad1813cb2	1	1	23	46	1000409681c3ff356fb7d28a9f71957c3465ea42ec4eee5019a662f7d367042527b76ae783cfbd0dccbd7529d090	-1;
 princ	38	16	4	4	0	user at KRBTEST.COM	0	86400	0	0	0	0	0	0	3	32	12345c010000000874657374706f6c0000000800000000000000000200000000	2	27	d73e1051757365722f61646d696e404b5242544553542e434f4d00	8	2	0100	1	4	b93e1051	1	1	18	62	2000aec451aae295389f92d177e61b5154941386c70d75d382393e556dfa61bd77d112a777420a99030b56649d366bba83a5c40aa17fa4522222d2e78e10	1	1	17	46	10009c8ab7b3f89ccf3ca3ad98352a461b7f4f1b0c495605117591d9ad52ba4da0adef7a902126973ed2bdc3ffbf	1	1	16	54	18002b87a46d6c4de954a316b5ce28a99886f2abb6b0307190e577b81171dfb7a067139835be8625bc36b0edaaed357609107d85d335	1	1	23	46	1000c01fcdb3050a2270f82dbafbe4c1adc868377bf7133ee7a1bcaf85817abe541beb8008b91c54b99e93d2e0f5	-1;
 policy	testpol	0	0	1	3	1	0	0	0	0
diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py
index 239bbcc..edf7a23 100644
--- a/src/tests/t_dump.py
+++ b/src/tests/t_dump.py
@@ -78,6 +78,9 @@ def load_dump_check_compare(realm, opt, srcfile):
     out = realm.run_kadminl('getprincs')
     if 'user@' not in out:
         fail('Loaded dumpfile missing user principal')
+    out = realm.run_kadminl('getprinc nokeys')
+    if 'Number of keys: 0' not in out:
+        fail('Loading dumpfile did not process zero-key principal')
     out = realm.run_kadminl('getpols')
     if 'testpol' not in out:
         fail('Loaded dumpfile missing test policy')
diff --git a/src/tests/t_keydata.py b/src/tests/t_keydata.py
new file mode 100644
index 0000000..ad8c909
--- /dev/null
+++ b/src/tests/t_keydata.py
@@ -0,0 +1,70 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(create_user=False, create_host=False)
+
+# Create a principal with no keys.
+out = realm.run_kadminl('addprinc -nokey user')
+if 'created.' not in out:
+    fail('addprinc -nokey')
+out = realm.run_kadminl('getprinc user')
+if 'Number of keys: 0' not in out:
+    fail('getprinc (addprinc -nokey)')
+
+# Change its password and check the resulting kvno.
+out = realm.run_kadminl('cpw -pw password user')
+if 'changed.' not in out:
+    fail('cpw -pw')
+out = realm.run_kadminl('getprinc user')
+if 'vno 1' not in out:
+    fail('getprinc (cpw -pw)')
+
+# Delete all of its keys.
+out = realm.run_kadminl('purgekeys -all user')
+if 'All keys' not in out or 'removed.' not in out:
+    fail('purgekeys')
+out = realm.run_kadminl('getprinc user')
+if 'Number of keys: 0' not in out:
+    fail('getprinc (purgekeys)')
+
+# Randomize its keys and check the resulting kvno.
+out = realm.run_kadminl('cpw -randkey user')
+if 'randomized.' not in out:
+    fail('cpw -randkey')
+out = realm.run_kadminl('getprinc user')
+if 'vno 1' not in out:
+    fail('getprinc (cpw -randkey)')
+
+# Return true if patype appears to have been received in a hint list
+# from a KDC error message, based on the trace file fname.
+def preauth_type_received(fname, patype):
+    f = open(fname, 'r')
+    found = False
+    for line in f:
+        if 'Processing preauth types:' in line:
+            ind = line.find('types:')
+            patypes = line[ind + 6:].strip().split(', ')
+            if str(patype) in patypes:
+                found = True
+    f.close()
+    return found
+
+# Make sure the KDC doesn't offer encrypted timestamp for a principal
+# with no keys.
+tracefile = os.path.join(realm.testdir, 'trace')
+realm.run_kadminl('purgekeys -all user')
+realm.run_kadminl('modprinc +requires_preauth user')
+realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, 'user'], expected_code=1)
+if preauth_type_received(tracefile, 2):
+    fail('encrypted timestamp')
+
+# Make sure it doesn't offer encrypted challenge either.
+realm.run_kadminl('addprinc -pw fast armor')
+realm.kinit('armor', 'fast')
+os.remove(tracefile)
+realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-T', realm.ccache,
+           'user'], expected_code=1)
+if preauth_type_received(tracefile, 138):
+    fail('encrypted challenge')
+
+success('Key data tests')
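Review bot: The preauth type numbers `2` and `138` passed to preauth_type_received are magic constants; naming them, e.g. `PA_ENC_TIMESTAMP = 2` and `PA_ENCRYPTED_CHALLENGE = 138`, documents what each kinit check asserts. The `'vno 1' not in out` checks also match any kvno starting with 1; if getprinc prints the kvno followed by a comma, `'vno 1,'` would be the exact check. preauth_type_received leaves the trace file open if iteration raises; `with open(fname) as f:` is the idiomatic form. The script does not exercise the `KADM5_BAD_MASK` path for an admin server without -nokey support, nor `-nokey` combined with `-pw`.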

