Document the test suite configuration files required to run the PKINIT
tests.
+ Fix expired password tests to work with Heimdal 7.0.1 and later.
+
Rename the script to bootstrap from a Git checkout to bootstrap,
matching the emerging consensus in the Autoconf world.
krb5_get_init_creds_opt_set_pa \
krb5_init_secure_context \
krb5_principal_get_realm \
+ krb5_principal_set_comp_string \
krb5_set_password \
krb5_set_trace_filename \
krb5_verify_init_creds_opt_init \
# Test default handling of expired passwords. -*- conf -*-
#
# Written by Russ Allbery <eagle@eyrie.org>
-# Copyright 2014 Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2017 Russ Allbery <eagle@eyrie.org>
# Copyright 2010, 2011
# The Board of Trustees of the Leland Stanford Junior University
#
[prompts]
echo_off = Password: |%p
+ info = Password has expired
info = Your password will expire at %1
info = Changing password
echo_off = New password: |%n
# Test default handling of expired passwords. -*- conf -*-
#
# Written by Russ Allbery <eagle@eyrie.org>
-# Copyright 2014 Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2017 Russ Allbery <eagle@eyrie.org>
# Copyright 2010, 2011
# The Board of Trustees of the Leland Stanford Junior University
#
[prompts]
echo_off = Password: |%p
+ info = Password has expired
info = Your password will expire at %1
info = Changing password
echo_off = New password: |%n
--- /dev/null
+# Test default handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010, 2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+[options]
+ auth = ignore_k5login
+ account = ignore_k5login
+ password = ignore_k5login
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ info = Your password will expire at %1
+ info = Changing password
+ echo_off = New password: |%n
+ echo_off = Repeat new password: |%n
+ info = Success: Password changed
+
+[output]
+ INFO user %u authenticated as %0
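Review bot: The header comment of this new script is identical to the one in the script for current Heimdal, so nothing in the file says which library version its prompt sequence belongs to. Its [prompts] section lacks the `info = Password has expired` line that this commit adds to the other Heimdal scripts, which suggests it holds the older prompt sequence; if so, the first line could read `# Test default handling of expired passwords (old Heimdal prompts).  -*- conf -*-`. The debug variant that follows carries the same header and would take the same change. Both files also set `ignore_k5login` on every stack, and a one-line comment marking it as test scaffolding (presumably the test account has no usable .k5login; confirm) would discourage copying the option into a production PAM stack.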
--- /dev/null
+# Test default handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010, 2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+[options]
+ auth = ignore_k5login debug
+ account = ignore_k5login debug
+ password = ignore_k5login debug
+ session = debug
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ info = Your password will expire at %1
+ info = Changing password
+ echo_off = New password: |%n
+ echo_off = Repeat new password: |%n
+ info = Success: Password changed
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %0
+ INFO user %u authenticated as %0
+ DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+ DEBUG pam_sm_authenticate: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG (user %u) retrieving principal from cache
+ DEBUG pam_sm_acct_mgmt: exit (success)
+ DEBUG pam_sm_open_session: entry
+ DEBUG /^\(user %u\) initializing ticket cache FILE:/tmp/krb5cc_/
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
plan_lazy();
- /* Default behavior. */
+ /*
+ * Default behavior. We have to distinguish between two versions of
+ * Heimdal for testing because the prompts changed substantially. Use the
+ * existence of krb5_principal_set_comp_string to distinguish because it
+ * was introduced at the same time.
+ */
#ifdef HAVE_KRB5_HEIMDAL
+# ifdef HAVE_KRB5_PRINCIPAL_SET_COMP_STRING
run_script("data/scripts/expired/basic-heimdal", &config);
config.newpass = krbconf->password;
config.password = newpass;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/basic-heimdal-debug", &config);
+# else
+ run_script("data/scripts/expired/basic-heimdal-old", &config);
+ config.newpass = krbconf->password;
+ config.password = newpass;
+ kerberos_expire_password(krbconf->userprinc, now);
+ run_script("data/scripts/expired/basic-heimdal-old-debug", &config);
+# endif
#else
run_script("data/scripts/expired/basic-mit", &config);
config.newpass = krbconf->password;
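Review bot: The two Heimdal branches repeat the same four statements and differ only in the script name, so a later change to the password swap or the expiry call has to be made twice and the old-prompt path can drift unnoticed. Choosing the prefix once would keep a single sequence, for example `#  define EXPIRED_BASIC "data/scripts/expired/basic-heimdal-old"` in the `# else` arm, followed by `run_script(EXPIRED_BASIC, &config);` and `run_script(EXPIRED_BASIC "-debug", &config);`. The selection is also made at compile time from the presence of krb5_principal_set_comp_string, so a Heimdal build that has the function but still issues the older prompts would presumably fail with a prompt mismatch; the comment could name that as the expected symptom. The enclosing function starts and ends outside this hunk.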
run_script("data/scripts/expired/fail", &config);
run_script("data/scripts/expired/fail-debug", &config);
- /* Defer the error to the account management check. */
+ /*
+ * Defer the error to the account management check.
+ *
+ * Skip this check on Heimdal currently (Heimdal 7.4.0) because its
+ * implementation of krb5_get_init_creds_opt_set_change_password_prompt is
+ * incomplete. See <https://github.com/heimdal/heimdal/issues/322>.
+ */
+# ifdef HAVE_KRB5_HEIMDAL
+ skip_block(2, "deferring password changes broken in Heimdal");
+# else
config.newpass = newpass;
config.password = krbconf->password;
config.authtok = krbconf->password;
kerberos_expire_password(krbconf->userprinc, now);
- run_script("data/scripts/expired/defer", &config);
+ run_script("data/scripts/expired/defer-mit", &config);
config.newpass = krbconf->password;
config.password = newpass;
config.authtok = newpass;
kerberos_expire_password(krbconf->userprinc, now);
- run_script("data/scripts/expired/defer-debug", &config);
+ run_script("data/scripts/expired/defer-mit-debug", &config);
+# endif
#else /* !HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT */