Add full CI testing of MIT Kerberos
authorRuss Allbery <rra@debian.org>
Sun, 29 Mar 2020 02:27:29 +0000 (19:27 -0700)
committerRuss Allbery <rra@debian.org>
Sun, 29 Mar 2020 03:26:53 +0000 (20:26 -0700)
Attempt to install an MIT Kerberos KDC and create users and
certificates so that all tests will run in GitHub Workflows when
testing under MIT Kerberos.

.github/workflows/build.yaml
ci/files/mit/extensions.client [new file with mode: 0644]
ci/files/mit/extensions.kdc [new file with mode: 0644]
ci/files/mit/kadm5.acl [new file with mode: 0644]
ci/files/mit/kdc.conf [new file with mode: 0644]
ci/files/mit/krb5.conf [new file with mode: 0644]
ci/kdc-setup-heimdal
ci/kdc-setup-mit [new file with mode: 0755]

index e8e23d383e9c5c1b44784c17fc540e242f5265f9..fc975f7e1699e38234db5961d4beff76e0ed1a4c 100644 (file)
@@ -32,6 +32,9 @@ jobs:
       - uses: actions/checkout@v2
       - name: install
         run: sudo ci/install
+      - name: kdc-setup-mit
+        run: sudo ci/kdc-setup-mit
+        if: matrix.kerberos == 'mit'
       - name: kdc-setup-heimdal
         run: sudo ci/kdc-setup-heimdal
         if: matrix.kerberos == 'heimdal'
diff --git a/ci/files/mit/extensions.client b/ci/files/mit/extensions.client
new file mode 100644 (file)
index 0000000..5a1bbc2
--- /dev/null
@@ -0,0 +1,19 @@
+[client_cert]
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.4
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
+
+[princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:principal_seq
+
+[principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:principals
+
+[principals]
+princ1=GeneralString:${ENV::CLIENT}
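Review bot: Both OpenSSL extension files depend on environment variables (`REALM` here and in ci/files/mit/extensions.kdc, plus `CLIENT` here) through `${ENV::…}`, and neither file says so; an unset variable makes `openssl x509` fail at the `-extfile` step with an error that does not name the config. A header comment such as `# Requires REALM and CLIENT in the environment; ci/kdc-setup-mit sets them when signing the client certificate.` (and the REALM-only equivalent in extensions.kdc) would make that contract explicit. The OIDs are also bare: a comment noting `# 1.3.6.1.5.2.3.4 = id-pkinit-KPClientAuth, 1.3.6.1.5.2.2 = id-pkinit-san (RFC 4556)` here, and `1.3.6.1.5.2.3.5 = id-pkinit-KPKdc` in extensions.kdc, would save the next reader a lookup.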
diff --git a/ci/files/mit/extensions.kdc b/ci/files/mit/extensions.kdc
new file mode 100644 (file)
index 0000000..cbff73b
--- /dev/null
@@ -0,0 +1,20 @@
+[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.5
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1=GeneralString:krbtgt
+princ2=GeneralString:${ENV::REALM}
diff --git a/ci/files/mit/kadm5.acl b/ci/files/mit/kadm5.acl
new file mode 100644 (file)
index 0000000..652bbec
--- /dev/null
@@ -0,0 +1 @@
+test/admin@MIT.TEST  mci  testuser@MIT.TEST
diff --git a/ci/files/mit/kdc.conf b/ci/files/mit/kdc.conf
new file mode 100644 (file)
index 0000000..7bf4e6a
--- /dev/null
@@ -0,0 +1,19 @@
+[kdcdefaults]
+    kdc_ports                   = 88
+    kdc_tcp_ports               = 88
+    restrict_anonymous_to_tgt   = true
+
+[realms]
+    MIT.TEST = {
+        database_name           = /var/lib/krb5kdc/principal
+        admin_keytab            = /var/lib/krb5kdc/kadm5.keytab
+        acl_file                = /etc/krb5kdc/kadm5.acl
+        key_stash_file          = /var/lib/krb5kdc/stash
+        max_life                = 1d 1h 0m 0s
+        max_renewable_life      = 7d 0h 0m 0s
+        master_key_type         = aes256-cts
+        supported_enctypes      = aes256-cts:normal
+        default_principal_flags = +preauth
+        pkinit_identity         = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
+        pkinit_anchors          = FILE:/etc/krb5kdc/cacert.pem
+    }
diff --git a/ci/files/mit/krb5.conf b/ci/files/mit/krb5.conf
new file mode 100644 (file)
index 0000000..9b0d5ab
--- /dev/null
@@ -0,0 +1,19 @@
+[libdefaults]
+    default_realm         = MIT.TEST
+    dns_lookup_kdc        = false
+    dns_lookup_realm      = false
+    rdns                  = false
+    renew_lifetime        = 7d
+    ticket_lifetime       = 25h
+
+[realms]
+    MIT.TEST = {
+        kdc               = 127.0.0.1
+        master_kdc        = 127.0.0.1
+        admin_server      = 127.0.0.1
+        pkinit_anchors    = FILE:/etc/krb5kdc/cacert.pem
+    }
+
+[logging]
+    kdc                   = SYSLOG:NOTICE
+    default               = SYSLOG:NOTICE
index 18036f2bcd0432292a0eb874b5baaeabc0150896..9d15b1a4a6de3c86c4c01506cb4a034f69134503 100755 (executable)
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Build a Kerberos test realm.
+# Build a Kerberos test realm for Heimdal.
 #
 # This script automates the process of setting up a Kerberos test realm from
 # scratch suitable for testing pam-krb5.  It is primarily intended to be run
diff --git a/ci/kdc-setup-mit b/ci/kdc-setup-mit
new file mode 100755 (executable)
index 0000000..5a1ce36
--- /dev/null
@@ -0,0 +1,102 @@
+#!/bin/sh
+#
+# Build a Kerberos test realm for MIT Kerberos
+#
+# This script automates the process of setting up a Kerberos test realm from
+# scratch suitable for testing pam-krb5.  It is primarily intended to be run
+# from inside CI in a VM or container from the top of the pam-krb5 source
+# tree, and must be run as root.  It expects to be operating on the Debian
+# MIT Kerberos package.
+#
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: MIT
+
+set -eux
+
+# Install the KDC and the OpenSSL command line tool.
+apt-get install krb5-admin-server krb5-kdc krb5-pkinit openssl
+
+# Install its configuration files.
+cp ci/files/mit/extensions.client /etc/krb5kdc/extensions.client
+cp ci/files/mit/extensions.kdc /etc/krb5kdc/extensions.kdc
+cp ci/files/mit/kadm5.acl /etc/krb5kdc/kadm5.acl
+cp ci/files/mit/kdc.conf /etc/krb5kdc/kdc.conf
+cp ci/files/mit/krb5.conf /etc/krb5.conf
+
+# Add domain-realm mappings for the local host, since otherwise Heimdal and
+# MIT Kerberos may attempt to discover the realm of the local domain, and the
+# DNS server for GitHub Actions has a habit of just not responding and causing
+# the test to hang.
+cat <<EOF >>/etc/krb5.conf
+[domain_realm]
+    $(hostname -f) = HEIMDAL.TEST
+EOF
+
+# Create the basic KDC.
+kdb5_util create -s -P 'this is a test master database password'
+
+# Create and store the keytabs.
+kadmin.local -q 'add_principal +requires_preauth -randkey test/admin@MIT.TEST'
+kadmin.local -q 'ktadd -k tests/config/admin-keytab test/admin@MIT.TEST'
+kadmin.local -q 'add_principal +requires_preauth -randkey test/keytab@MIT.TEST'
+kadmin.local -q 'ktadd -k tests/config/keytab test/keytab@MIT.TEST'
+
+# Enable anonymous PKINIT.
+kadmin.local -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
+
+# Create a user principal with a known password.
+password="iceedKaicVevjunwiwyd"
+kadmin.local -q \
+    "add_principal +requires_preauth -pw $password testuser@MIT.TEST"
+echo 'testuser@MIT.TEST' >tests/config/password
+echo "$password" >>tests/config/password
+
+# Create the root CA for PKINIT.
+openssl genrsa -out /etc/krb5kdc/cakey.pem 2048
+openssl req -key /etc/krb5kdc/cakey.pem -new -x509 \
+    -out /etc/krb5kdc/cacert.pem -subj "/CN=MIT.TEST CA" -days 3650
+chmod 755 /etc/krb5kdc
+chmod 644 /etc/krb5kdc/cacert.pem
+
+# Create the certificate for the MIT Kerberos KDC.
+openssl genrsa -out /var/lib/krb5kdc/kdckey.pem 2048
+openssl req -new -out /var/lib/krb5kdc/kdc.req \
+    -key /var/lib/krb5kdc/kdckey.pem -subj "/CN=MIT.TEST"
+REALM=MIT.TEST openssl x509 -req -in /var/lib/krb5kdc/kdc.req   \
+    -CAkey /etc/krb5kdc/cakey.pem -CA /etc/krb5kdc/cacert.pem   \
+    -out /var/lib/krb5kdc/kdc.pem -days 365                     \
+    -extfile /etc/krb5kdc/extensions.kdc -extensions kdc_cert   \
+    -CAcreateserial
+rm /var/lib/krb5kdc/kdc.req
+
+# Create the certificate for the MIT Kerberos client.
+openssl genrsa -out clientkey.pem 2048
+openssl req -new -key clientkey.pem -out client.req \
+        -subj "/CN=testuser@MIT.TEST"
+REALM="MIT.TEST" CLIENT="testuser" openssl x509                         \
+    -CAkey /etc/krb5kdc/cakey.pem -CA /etc/krb5kdc/cacert.pem -req      \
+    -in client.req -extensions client_cert                              \
+    -extfile /etc/krb5kdc/extensions.client -days 365 -out client.pem
+cat client.pem clientkey.pem >tests/config/pkinit-cert
+rm clientkey.pem client.pem client.req
+echo 'testuser@MIT.TEST' >tests/config/pkinit-principal
+
+# Fix permissions on all the newly-created files.
+chmod 644 tests/config/*
+
+# Restart the MIT Kerberos KDC and services.
+systemctl stop krb5-kdc krb5-admin-server
+systemctl start krb5-kdc krb5-admin-server
+
+# Ensure that the KDC is running.
+for n in $(seq 1 5); do
+    if echo "$password" | kinit testuser@MIT.TEST; then
+        break
+    fi
+    sleep 1
+done
+klist
+kdestroy
+kinit -n @MIT.TEST
+kinit -X X509_user_identity=FILE:tests/config/pkinit-cert testuser@MIT.TEST
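Review bot: The `[domain_realm]` entry appended to /etc/krb5.conf maps `$(hostname -f)` to HEIMDAL.TEST, a realm this MIT configuration never defines; it looks carried over from ci/kdc-setup-heimdal and should read `    $(hostname -f) = MIT.TEST`. With `dns_lookup_kdc = false` in the copied krb5.conf a lookup for a host in HEIMDAL.TEST fails rather than hangs, so the mismatch is masked in CI but still wrong. Separately, `apt-get install` runs without `-y`, and unless ci/install already exports `DEBIAN_FRONTEND=noninteractive` into the sudo environment the krb5 packages' debconf realm prompt can stall the job; `DEBIAN_FRONTEND=noninteractive apt-get install -y krb5-admin-server krb5-kdc krb5-pkinit openssl` removes that dependency. The kinit retry loop also falls through silently after five attempts, leaving the later `klist` to report the failure one step removed from its cause; a `kinit … || exit 1` after the loop would point at the KDC directly.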