From 56d2bf11414d407d7bc78669dea54920f7765b28 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 17 Aug 2022 11:13:41 +1000
Subject: [PATCH] tsiggss: regenerate kerberos credentials
The existing set of kerberos credential used deprecated algorithms which are not supported by some implementations in FIPS mode. Regenerate the saved credentials using more modern algorithms. Added tsiggss/krb/setup.sh which sets up a test KDC with the required principals for the system test to work. The tsiggss system test needs to be run once with this active and KRB5_CONFIG appropriately. set. See tsiggss/tests.sh for an example of how to do this.
---
 bin/tests/system/tsiggss/krb/setup.sh | 104 ++++++++++++++++++
 .../system/tsiggss/ns1/administrator.ccache | Bin 2315 -> 1494 bytes
 bin/tests/system/tsiggss/ns1/dns.keytab | Bin 1087 -> 460 bytes
 .../system/tsiggss/ns1/testdenied.ccache | Bin 2188 -> 1458 bytes
 bin/tests/system/tsiggss/tests.sh | 3 +
 5 files changed, 107 insertions(+)
 create mode 100644 bin/tests/system/tsiggss/krb/setup.sh
diff --git a/bin/tests/system/tsiggss/krb/setup.sh b/bin/tests/system/tsiggss/krb/setup.sh
new file mode 100644
index 0000000000..56e2462cea
--- /dev/null
+++ b/bin/tests/system/tsiggss/krb/setup.sh
@@ -0,0 +1,104 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -x
+
+PWD=$(pwd)
+
+KRB5_CONFIG="${PWD}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KDC_PROFILE=${PWD}/krb5kdc
+export KRB5_KDC_PROFILE
+
+now=$(date +%s)
+lifetime=$(2147483647 - now)
+lifetime=$(lifetime / 3600 / 24 - 30)
+
+cat << EOF > "${KRB5_CONFIG}"
+[libdefaults]
+ default_realm = EXAMPLE.NIL
+ dns_lookup_kdc = false
+ # Depending on what you are testing, you may want something like:
+ # default_keytab_name = FILE:/usr/local/var/keytab
+[realms]
+ EXAMPLE.NIL = {
+ admin_server = 127.0.0.1:50001
+ kdc = 127.0.0.1:50000
+ database_module = DB2
+ kdc_ports = 50000
+ kadmind_port = 50001
+ }
+[dbmodules]
+ DB2 = {
+ db_library = db2
+ }
+[logging]
+ # Use any pathnames you want here.
+ kdc = FILE:${PWD}/kdc.log + admin_server = FILE:${PWD}/kadmin.log +# Depending on what you are testing, you may want: +# [domain_realm] +# your.domain = EXAMPLE.COM +EOF + +rm -rf ${KRB5_KDC_PROFILE} +mkdir -p ${KRB5_KDC_PROFILE} +chmod 700 ${KRB5_KDC_PROFILE} + +cat << EOF > "${KRB5_KDC_PROFILE}"/kdc.conf +[kdcdefaults] + kdc_ports = 50000 + kdc_tcp_ports = 50000 + +[realms] + EXAMPLE.NIL = { + key_stash_file = ${KRB5_KDC_PROFILE}/.k5.EXAMPLE.NIL + database_module = EXAMPLE.NIL + max_life = ${lifetime}d +} + +[dbmodules] + EXAMPLE.NIL = { + db_library = db2 + database_name = ${KRB5_KDC_PROFILE}/principal + } +EOF + +kdb5_util create -s <CL`?*;G`J&lHNv841 z$%)AssqxAAd1>(}i6x0Z39hun;*$8pvc$|BAWsgctR%fe-!;O~H^9eL&(G7x0f`M% zK^U+yFjuA)16`v(G2Ga*bZx^w*W$gCm+aaWtf;D=Y4Szl*F^T2RCdPFWFI&_zmH=4=3z(T0g%$z{#zjqxNi0o_ae_*B z*OpFxB>TaSTlH^D{VK-h>{CsiC%e>zw=7(gQ9p0`huX-y6{TUjj2g4nt3S`%9v~Qf zZd0WD42=zqAx7(u*r!KDO|>uNyTfL;q|;YQUq?@3Po%_Vn~yz8vS-!A&h`tQ*mdHz zNd2)o+rlN$okbfj8Ljzixc61kS_L`3xteyS)^=GLzXPlp4X(_;?P&beJWWP&yCLU| z=X;Lqs$971^xq-FD2vAj@I@>P?C153jvedSfY3KkeZ*&%1XegEPav-`#tvBvbCF zB}@Nwiwg_S-((PBd=r?#u>QsC!2ad`v_sd37>n(FsD zgNRj5lvsTQjMZnrxO_C(oYk_PaXFB=7#^)mz-XNcjMj-7+OKXTRBYe3GM&FW@#iPc zj|S7*jFq-K>=d0)$s)Yt&z@B${v{ksPukET-F)fjhM7w36_=Q~-YpK*+r{_Bqo+pZ z_>5T>t~Tum|MqOky6T_2pj0|^Q-2dD6=h8==3*=NhRJPBNs$CX2clQy)`=Dq901Q{$ ATL1t6 delta 2021 zcmVP(daZ zV85}{?Vyp&NQd0=R8sqf;QCE>FmU~dE9&kjzWI-j$rpZ`ugp$afKNBLKwOA(82}m> z@|LG3ISG}4j6>;;O2v2z^&mpk5~#|5BHvc4v^Ceva`uU8Zq<{qjQpQBKpC{w!O8Co zUq({8m2}t-ZKWOgFSs?D$$kp{aYk*?*eEZDT`&KUs~_1F;Y<&Ww95`Q7fXBHpG)z1 zUh^QA7hbb*R9sg5rTn+K%@nq=GPdX=t0ek=>yi#! 
zrTIupxI~IC&oLV1P$}`S1Rv&=dCaXyN<4N}h>S^sa*5v781M{a{-l{Xn)$$~Ocr$} z2XZLzR=fh);bbD;m2FGkpQ^lhfyhybu^o*6Je+ARcg)GQbWu+vq?(pu>{+r?7c#gj zSQ6CdcmAwVFog`B1u}(|OFV3UZfmd;Cl>4>K-_vHj}csVavf-5??&>6igG^d_^r-a z_}}3z%Xj;iB)AAm6JElHN@hnC3$vPnmnRQUbns>%jgu8d4ma2HAyaYKk?l)=`Kx~7 zsEApnJ>(XM=DRzE^3EUrL*_cSOIoOUE}ZwCgf{b2e|+{Yrd)3|3^}uZ4;gO2Pg%wV zO~v(yLC_6*xZW|Lv0e<7p_B0LwVhRZPfNpzaK)$1b&%c$do+ykPB2;f(QUtPBbI6B zjT;fbY}SAw;z1sSjCp&u{KOh*iYGl)?-=30pi7@|KsCVg*ow=xymrl;;7yMv=8?-` zM8~(&V2<@EHHSK*kSX(j)lgpxElXrWoOdowVhBt%R|dkf1drSuDO+Mw0xJ5s1XCk& z303Z4P6ML)XQ2qHC10yON8NfFV9=>Sk()@1#aCP0SEIF?WRpd3&RNZ_=5#cVR|Xe& z5iq8%yF*;sOh2ifHjO!I$IPMr^ySFbA%Knl<}O z;hFN38>A%O3~TVq|5OTc&jF9v4Yd{#cja>EJQwR{`7k%!jL2APy#U5zHYuaZ)7Xno z(7AZomQ_rL%j3)SAVdjkJTbcqrm(#|nvSYp0id#%-tP4j z-9JN3PAKc%JTxe`L=4#h^|8R@_gKWXXyw-$mS)4T!}6jMSm?#H z`gwyi1J?z~@N&@8(PcqbImentNmcmR<(|q7%FQ95a2s-#kN#cRVt2;+KagZ` zIFkA`h+jd}rypG4Ad?}VCR#cSqX7@~I@2^D;9n+_*VBJY^fr(#0xos=GR7e2z**E^ z;f86gQj|SacM4^2PwXJ^W4?Cr*0=aam479bvQPf7_l*L_RpOn%AEj!JFf=TTG}o?& zn5WnAwhMDl5En~%H^9cH4gc0#clLM}m<3(~8V~aU5Mm-G-`jyDU`G5AplOe1#YcWm zJH%l!V93M!-&tfP+1@?;tFcKOfj9-QDc!LQmE}_8yh)kft&p@_YxgcIO9epeoqyf( z(OfJYsm|Eg@=_|1{b{m)=n9CXL^Dr4-%!QDL$GxyeOGF58kGpsvnLuANv+9{)ke{k zFwdHk)+|5L5~`%cGTbkXHG)PY@6j%J`_Lt{Y&ZU3Vcp>jBA3vgt&G^|H@*-uNz~_W zNKuQr-3it|4NJZWdQ8fox&eYuEq^;4mbfADlDDHwYC{e;Ps7ur!@;1iyz~pm@=6QM zLV8M!em0WmHRJ2I1t{!|S>y;N^)K6p@vdqMB&a~_!tj+qO#z~dOMwh_pRPf+ePGKZ&v?D(;ENo!OT)C zNV&EkN#%}B;vXTXDPdSm;ZMpb)x+h!Sjm(%N0KtMg#IdAagny#v{(CG*3>RnR}%$^ z=n1NfdQg+yNHiJf#>HEN)mOiq9=t=C@8{&ie`ZjVJQ)~K!;d{BuUHr8M4&t(*it-a z3ssr9E&s6I>~HYOyUGuIF0&|f8@_sXj5jZ%_QN!&VU~mq1G;39!KSA+ENvPE++H3( KuWqpfX$Alz=7X02 literal 1087 zcmZQ&VqjpfV_;(7c8zfK4e)W*^Yip!V0Q5fX5db(NX#wBN!82C%mFH5^!ajOGa~~d z1IH5X729S{n%E2y1Y!_y!fFD4QckHJ38t6=%|meqdrDrhF3=F54S205#RJS#@c?#H zi0}Y*jc!=O4|@!VGYC9c_4^C=0{Lk%aTROw&aKP@g%2nifWQl@Nw{MIziGCFV+6ke zq}on7bTg- zCnqN+XQaj_=jWxxrzDmn0wuW85{paX6U!1abAUWKpt6$m5`EVQN8bP+S3N&Z9|t5h zPz8R#36^HAOf3dFNM~Z8v8Qm@$7Ca0Ri6JA_w~ILSF8xje!loy=>vmrW{*AA=DTwy 
z{jr-0!u2;orb5hiM7Dx)WnvTKQiCSOg%i(O)H9|7S;-5SnHYr@0tv=NO^l%|O^ktI zuj>*v9l5S?i=i`8$gRIwPtr#v$#BonrOg`~=lO{ydtQi|-+$Hg!nCk6%!0lPQ>#B2 z+M6im*j>B1q*d=M)31$l?mRB4)vZ!`d1*@W^0!+ZB!jMIdEPF$6Phkkef9E$CW-1a zLD$Oq^{ZEB9K766dim*B$=yv+$$d=srK)oLf0~7Sdn{7>e11oz@O@D>-!3ch#fmc0 zd~42zG_5vnzkNA%b)|{g2TO13lFJS^mss`3o;|Kyc$D*rZDQ)}h-G}WJ{u!Nn5H>e z?kks@#?N{`PluITU*|w zXPkRh9`Zrgl=HV+P;~aj`GyrnkG7rq;%wcK?a*1&qI0Lg_Qnb?!>kx+B!JQr2y=r{ z!Q?y^cRwK@Pa&hHKIvS}!Th&(=iIMo;;K`c;_O@N`_4eiA^+66wKBhdfn1etN|^yjb(-k3CP)BcaMo(yankCSlqdC1Sdv4owqStKW0D z%=|euaJ{U#pz~a-@2^a~^mcCl{=kSaqp{jRX`98`sK52|Z14U1Bl&(slH=l|#|mER zzE+hIR%xu*>dsaCa&q(4`Jc>7RAyBg8D18Zv0Jrj?Ky$}`Uatrr=`~9xLkEQ8$BoV zwpOrNpp)88W?j`;@$)|K>kO^<_~4X*%;_|>`x{@K^Anbom~-Hm?8KnU_YLg$RxMx1 zoTPK_vyfyYo56$No_Y!IN2d%Qa!#?2G7IQiI{Q7N>94q7TV|YO`N(~T(SMCw=y!#$ zJ=(vP`fgqG|K@SY%Hy-Mzqe0c@isIv_xZLZpG5ZEORZh7!QW7oqj4#7l+W55Gc5QX z@w=Za4-t;22udui?%FF{HD|-O>5nG4#!s5{<(R(Xx0JPdq5Dp^?_g|qQ+>MdnCVFw j`LoB)CO&0s#`C0|Eg7qJjfK1cC!SA;EElE4u*$S`vQzr$N0!ZRGHtszf^`JCv%P zu6UaTFJ}(?k#RA7D*A^h6st157_7y%tyt|{ZlfRnx`Wbk>Qs)SK}qXuk;si^E#O@j zWmhO7)OHZLq$fXii&K?3180LAO{$WA8>MU3ConIEbuCs+g{kA?EJ<3&rKc@J!rOyV z<_%LuBoiEmvgZc5R)&gaskZA{>alDnIeFe4mwO$}sWa}n-Ti&=&b6{Pkz@T+aN<-U z9g~5OxCsoR!K&eAGe`=JhSijJceApn|QAfgPp zrTyWw2IWaP@#+4pqLZ>-Hnt>q$E>4kQ>@MjTus=93n`cX@ zbUH~84l1yi=n^>3LcD>HuCLM~4_C=DnCdi>l3~E>)@e7-TXrmhT2DXDQAD%!Knb2H z4?<%z4|iP~XP-j2-=B_uuA8xlHWxzil8VxXBeGq)&U8Zxj{y%yR0W3~YhbkyUyDXD z{E>Eaw%YTMn4DV|5Ae3LVd>pytE^Ccwi`L!sQthu@~0}*Gj!a9X|7Lol)A)|5*eVt zWqu$1QZBC)8#%U5DG}h?>1$R!Uq3_HMRfDf(Y}u`wV+zR;Fg?Qm%&nTU6zDlu9ueT zp$9k@6s|7h^qNW$|PE8uvi~ho;A?C zF;%a^eqN(M=>5y~wn|zV;POKGtbSkqq%^*hE(2RW7XSbN5c~k;KAJYZ_iR^$tyx=Y zl1%jQ%S`m})_kM*%K!iX0000e0000000000000001D#=l1DP;_1C^84137;KS}=kG zR-gj{0T-bI0s#S{f&)kdf&)ZewMJZjfOQrWzt8!ikw~@Uc12;gm8UY0G~G04UgbmP>Pt56xtBz^a<215-ZLG5Lg~wcMYg%3|8K zE*h{~Pj*;V(w#$S`v!#{wLAOQT?M?fU=RsKa>#&H`sm-5^PEJ*G z`bW9I2#q0{*E;Zf4=aC;YlPL;^95#Mgeab}ZrEElnfMeq|N7?$9tCWCZ$@AL@d0@7Yp94)mS|>IUU4bpI4t)DC<5x}*@q`@74$tgF*>xUK 
z_?6t@=SE2TJ)uf;NAhOB6_1A5yb=;nj|Y1oT-Z5;J!WzirmTOzg2X;-?@RuN=dyO( zmn>ShmuOAOdsY^aPkWUoMjs8O7E<+_F|sA0Iqs&^D~kr|CKQ#(Uch{i!xn-1U2YL3 zH{XI^FM&0o4G}dm1|JTU*smRR__2caPemJZ{Yv(XLZl&qImvbECo{c`sh$wlmH-b&8Lq?Y(My2< zz-nOYS`Qsq{Xqw5UQv27-S;WQcCd-Tf!G~_PT~{scQ|IPmZv@Ca kB94gkvcz(Ve)4|V9|Q|~x{|>v9(4sjU9$3i0RR9101)DL-v9sr diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh index 32abb28f95..41995e1e92 100644 --- a/bin/tests/system/tsiggss/tests.sh +++ b/bin/tests/system/tsiggss/tests.sh @@ -15,6 +15,9 @@ . ../conf.sh +# Uncomment to regenerate credential caches after running krb5/setup.sh +# KRB5_CONFIG=$(pwd)/krb/krb5.conf + status=0 n=1
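Review bot: The comment added at the top of this hunk points to `krb5/setup.sh`, but the script this commit adds lives at `bin/tests/system/tsiggss/krb/setup.sh` (per the diffstat and the `+++` header), so a reader following the comment will not find the file; change it to `# Uncomment to regenerate credential caches after running krb/setup.sh`. The suggested `KRB5_CONFIG=$(pwd)/krb/krb5.conf` is a plain shell assignment, so unless something outside this hunk exports it, the Kerberos tools the test spawns will not see it; writing the commented line as `# KRB5_CONFIG=$(pwd)/krb/krb5.conf; export KRB5_CONFIG` makes the recipe work as stated. Because this comment directs readers to run setup.sh, note that setup.sh computes `lifetime=$(2147483647 - now)` with command substitution rather than arithmetic expansion, which tries to execute a command named `2147483647` and leaves `max_life = ${lifetime}d` as `d` in kdc.conf; it should read `lifetime=$(( (2147483647 - now) / 3600 / 24 - 30 ))`. In the same script, `rm -rf ${KRB5_KDC_PROFILE}` is derived from the working directory and is unquoted, so it should be `rm -rf -- "${KRB5_KDC_PROFILE:?}"` to refuse to run on an empty value.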