--- /dev/null
+[client_cert]
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.4
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
+
+[princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:principal_seq
+
+[principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:principals
+
+[principals]
+princ1=GeneralString:${ENV::CLIENT}
--- /dev/null
+[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.5
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1=GeneralString:krbtgt
+princ2=GeneralString:${ENV::REALM}
--- /dev/null
+#!/bin/sh
+#
+# Build a Kerberos test realm for MIT Kerberos
+#
+# This script automates the process of setting up a Kerberos test realm from
+# scratch suitable for testing pam-krb5. It is primarily intended to be run
+# from inside CI in a VM or container from the top of the pam-krb5 source
+# tree, and must be run as root. It expects to be operating on the Debian
+# MIT Kerberos package.
+#
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: MIT
+
+set -eux
+
+# Install the KDC and the OpenSSL command line tool.
+apt-get install krb5-admin-server krb5-kdc krb5-pkinit openssl
+
+# Install its configuration files.
+cp ci/files/mit/extensions.client /etc/krb5kdc/extensions.client
+cp ci/files/mit/extensions.kdc /etc/krb5kdc/extensions.kdc
+cp ci/files/mit/kadm5.acl /etc/krb5kdc/kadm5.acl
+cp ci/files/mit/kdc.conf /etc/krb5kdc/kdc.conf
+cp ci/files/mit/krb5.conf /etc/krb5.conf
+
+# Add domain-realm mappings for the local host, since otherwise Heimdal and
+# MIT Kerberos may attempt to discover the realm of the local domain, and the
+# DNS server for GitHub Actions has a habit of just not responding and causing
+# the test to hang.
+cat <<EOF >>/etc/krb5.conf
+[domain_realm]
+ $(hostname -f) = HEIMDAL.TEST
+EOF
+
+# Create the basic KDC.
+kdb5_util create -s -P 'this is a test master database password'
+
+# Create and store the keytabs.
+kadmin.local -q 'add_principal +requires_preauth -randkey test/admin@MIT.TEST'
+kadmin.local -q 'ktadd -k tests/config/admin-keytab test/admin@MIT.TEST'
+kadmin.local -q 'add_principal +requires_preauth -randkey test/keytab@MIT.TEST'
+kadmin.local -q 'ktadd -k tests/config/keytab test/keytab@MIT.TEST'
+
+# Enable anonymous PKINIT.
+kadmin.local -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
+
+# Create a user principal with a known password.
+password="iceedKaicVevjunwiwyd"
+kadmin.local -q \
+ "add_principal +requires_preauth -pw $password testuser@MIT.TEST"
+echo 'testuser@MIT.TEST' >tests/config/password
+echo "$password" >>tests/config/password
+
+# Create the root CA for PKINIT.
+openssl genrsa -out /etc/krb5kdc/cakey.pem 2048
+openssl req -key /etc/krb5kdc/cakey.pem -new -x509 \
+ -out /etc/krb5kdc/cacert.pem -subj "/CN=MIT.TEST CA" -days 3650
+chmod 755 /etc/krb5kdc
+chmod 644 /etc/krb5kdc/cacert.pem
+
+# Create the certificate for the MIT Kerberos KDC.
+openssl genrsa -out /var/lib/krb5kdc/kdckey.pem 2048
+openssl req -new -out /var/lib/krb5kdc/kdc.req \
+ -key /var/lib/krb5kdc/kdckey.pem -subj "/CN=MIT.TEST"
+REALM=MIT.TEST openssl x509 -req -in /var/lib/krb5kdc/kdc.req \
+ -CAkey /etc/krb5kdc/cakey.pem -CA /etc/krb5kdc/cacert.pem \
+ -out /var/lib/krb5kdc/kdc.pem -days 365 \
+ -extfile /etc/krb5kdc/extensions.kdc -extensions kdc_cert \
+ -CAcreateserial
+rm /var/lib/krb5kdc/kdc.req
+
+# Create the certificate for the MIT Kerberos client.
+openssl genrsa -out clientkey.pem 2048
+openssl req -new -key clientkey.pem -out client.req \
+ -subj "/CN=testuser@MIT.TEST"
+REALM="MIT.TEST" CLIENT="testuser" openssl x509 \
+ -CAkey /etc/krb5kdc/cakey.pem -CA /etc/krb5kdc/cacert.pem -req \
+ -in client.req -extensions client_cert \
+ -extfile /etc/krb5kdc/extensions.client -days 365 -out client.pem
+cat client.pem clientkey.pem >tests/config/pkinit-cert
+rm clientkey.pem client.pem client.req
+echo 'testuser@MIT.TEST' >tests/config/pkinit-principal
+
+# Fix permissions on all the newly-created files.
+chmod 644 tests/config/*
+
+# Restart the MIT Kerberos KDC and services.
+systemctl stop krb5-kdc krb5-admin-server
+systemctl start krb5-kdc krb5-admin-server
+
+# Ensure that the KDC is running.
+for n in $(seq 1 5); do
+ if echo "$password" | kinit testuser@MIT.TEST; then
+ break
+ fi
+ sleep 1
+done
+klist
+kdestroy
+kinit -n @MIT.TEST
+kinit -X X509_user_identity=FILE:tests/config/pkinit-cert testuser@MIT.TEST