#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
# Description: Verifies basic scenarios which should work after inplace upgrade.
# Author: Patrik Kis <pkis@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2014 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="krb5"
PACKAGES="krb5-libs krb5-server krb5-workstation openssh"
TEST_ENTROPY_SOURCE=${TEST_ENTROPY_SOURCE:-no}
echo TEST_ENTROPY_SOURCE=$TEST_ENTROPY_SOURCE
krb5REALM1='TEST1.REDHAT.COM'
krb5REALM2='TEST2.REDHAT.COM'
krb5HostName=`hostname`
krb5DomainName=`hostname -d`
krb5User='alice'
krb5UserPass='alice'
krb5UserKrbPass='aaa'
krb5User2='bob'
krb5User3='carl'
krb5KDCPass='qwe'
krb5RootPass='rrr'
krb5conf="/etc/krb5.conf"
krb5confdir="/etc/krb5.conf.d"
krb5kdcconf="/var/kerberos/krb5kdc/kdc.conf"
krb5kadmacl="/var/kerberos/krb5kdc/kadm5.acl"
rlJournalStart
rlPhaseStartSetup
for pkg in $PACKAGES; do
rlAssertRpm $pkg
done
rlRun "TmpDir=\$(mktemp -d)"
rlRun "pushd $TmpDir"
echo "-----/etc/krb5.conf----"; cat /etc/krb5.conf
echo "-----/var/kerberos/krb5kdc/kdc.conf-----"; cat /var/kerberos/krb5kdc/kdc.conf
rlPhaseEnd
# Run this part on OLD and in "normal" mode
if [[ -z $IN_PLACE_UPGRADE || $IN_PLACE_UPGRADE == old ]]; then
rlPhaseStartSetup "KDC and kadmind setup"
# Stop and backup
rlRun "rlServiceStop kadmin krb5kdc"
rlRun "rm -f /var/kerberos/krb5kdc/principal* /var/kerberos/krb5kdc/.k5*"
rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc} /etc/hosts
rlFileBackup --clean /root/.k5login
[ -e /etc/krb5.keytab ] && rlFileBackup /etc/krb5.keytab
[ -e $krb5confdir ] && rlFileBackup $krb5confdir
# Make sure IPv4 is used for ssh connection
if ! grep `hostname` /etc/hosts; then
DEF_DEV=`ip route |grep default |awk '{print $5}'`
echo DEF_DEV=$DEF_DEV
DEF_IP=`ip -o -4 addr show dev $DEF_DEV |awk '{print $4}' |grep -v '/32' |sed 's|/.*||'`
echo DEF_IP=$DEF_IP
rlRun "echo '$DEF_IP `hostname`' >>/etc/hosts"
grep `hostname` /etc/hosts
fi
# Basic setup of KDC and krb5.conf
if rlIsRHEL 6; then
rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"
rlRun "sed -i \"s/kerberos.example.com/$krb5HostName/\" $krb5conf"
rlRun "sed -i \"s/example.com/$krb5DomainName/\" $krb5conf"
else
rlRun "sed -i \"s/\[libdefaults\]/[libdefaults]\n default_realm = $krb5REALM1/\" $krb5conf"
rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM1 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf"
rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM1\n $krb5DomainName = $krb5REALM1/\" $krb5conf"
fi
rlRun "sed -i s/EXAMPLE.COM/$krb5REALM1/ $krb5kdcconf"
# Configure the kadmin ACL
rlRun "echo \"*/master@$krb5REALM1 *\" > $krb5kadmacl"
# Configure the 2nd realmd
cat >>$krb5kdcconf <<_EOF
$krb5REALM2 = {
#master_key_type = aes256-cts
database_name = /var/kerberos/krb5kdc/principal.$krb5REALM1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
_EOF
if rlIsRHEL '7'; then
rlLog "Modify supported_enctypes for RHEL-7."
rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf"
# Remove 3DES and DES cipher suite from kdc.conf - Fedora 31
# Fedora 31 - krb5 will be removing support for DES, 3DES, and crc-32 entirely
# they will not be allowed in session keys or long-term keys. (BZ#1670398)
# https://fedoraproject.org/wiki/Changes/krb5_crypto_modernization
elif rlIsFedora '>=31';then
rlLog "Modify supported_enctypes for Fedora >=31. Remove *DES ciphers."
rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"
elif rlIsRHEL '8' && [ `rpm -q --qf '%{VERSION}' krb5-server | cut -d"." -f2` -lt 18 ];then
rlLog "Modify supported_enctypes for RHEL-8."
rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"
else
#RHEL-8 Bug 1802334 - [Rebase] krb5: rebase to 1.18:
#- Removal of *DES encryption types
#https://bugzilla.redhat.com/show_bug.cgi?id=1802334
rlLog "Modify supported_enctypes for RHEL-8 with krb-1.18. Remove *DES ciphers."
rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"
fi
rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM2 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf"
cat >> $krb5conf << _EOF
[capaths]
$krb5REALM1 = {
$krb5REALM2 = .
}
_EOF
# BZ#1394908: Test the entropy source (not relevant for RHEL6)
if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then
rlLog "BZ#1394908: The source of entropy will be tested as well"
# Check number of audit rules
number_rules=$(auditctl -l | grep -v "No rules" | wc -l)
if [[ ${number_rules} -ne 0 ]];then
truncate -s0 /var/log/audit/audit.log
rlRun "auditctl -D" 0 "Delete previous audit rules"
fi
START_DATE=`date +%H:%M:%S`
echo START_DATE=$START_DATE
sleep 1
rlRun "auditctl -w /dev/random -p rwxa -k RAND"
auditctl -l
sleep 5
rlRun "ausearch -i -k RAND -ts $START_DATE"
fi
echo "-----/etc/krb5.conf----"; cat /etc/krb5.conf
echo "-----/var/kerberos/krb5kdc/kdc.conf-----"; cat /var/kerberos/krb5kdc/kdc.conf
# Create the realm databases
rlRun "rngd -r /dev/urandom"
rlRun "kdb5_util create -s -r $krb5REALM1 -P $krb5KDCPass"
rlRun "kdb5_util create -s -r $krb5REALM2 -P $krb5KDCPass"
# Configure KDC to handle 2 realms
if rlIsRHEL 6; then
rlRun "echo \"KRB5REALM=$krb5REALM1\" > /etc/sysconfig/krb5kdc"
rlRun "echo KRB5KDC_ARGS=\\\"-r $krb5REALM2\\\" >> /etc/sysconfig/krb5kdc"
else
rlRun "echo KRB5KDC_ARGS=\\\"-r $krb5REALM1 -r $krb5REALM2 \\\" >/etc/sysconfig/krb5kdc"
fi
rlRun "rlServiceStart kadmin krb5kdc"
# Add krb5 principals for the 2nd realm
rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5RootPass root/master\""
rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5UserKrbPass $krb5User\""
rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -randkey host/$krb5HostName\""
rlRun "kadmin.local -r $krb5REALM1 -q \"ktadd host/$krb5HostName\""
rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\""
rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\""
# Add krb5 principals for the 2nd realm
rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5UserKrbPass $krb5User2\""
rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -randkey host/$krb5HostName\""
rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\""
rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\""
# Create test system user
[ $krb5User != "root" ] && rlRun "useradd $krb5User"
rlRun "echo $krb5UserPass | passwd --stdin $krb5User"
rlPhaseEnd
fi
rlPhaseStartTest "Daemon start and log file test"
# Make sure there is enough entropy and start recording of the logs
rlRun "rngd -r /dev/urandom"
if grep -q krb5kdc /var/log/krb5kdc.log; then
tail -n0 -f /var/log/krb5kdc.log &> krb5kdc.log.record &
KRB5KDC_LOG_PID=$!
echo "log_record_start: PID = $KRB5KDC_LOG_PID"
sleep 1
elif journalctl |grep -q krb5kdc; then
journalctl -f &> krb5kdc.log.record &
KRB5KDC_LOG_PID=$!
echo "log_record_start: PID = $KRB5KDC_LOG_PID"
sleep 1
else
rlFail "Could not find krb5kdc logs"
echo "journalctl:"
journalctl -n 100
ls -la /var/log/krb5kdc*
echo "/var/log/krb5kdc.log:"
tail -n 100 /var/log/krb5kdc.log
fi
if grep -q kadmind /var/log/kadmind.log; then
tail -n0 -f /var/log/kadmind.log &> kadmind.log.record &
KADMIND_LOG_PID=$!
echo "log_record_start: PID = $KADMIND_LOG_PID"
sleep 1
elif journalctl |grep -q kadmind; then
journalctl -f &> kadmind.log.record &
KADMIND_LOG_PID=$!
echo "log_record_start: PID = $KADMIND_LOG_PID"
sleep 1
else
rlFail "Could not find kadmind logs"
echo "journalctl:"
journalctl -n 100
ls -la /var/log/kadmind*
echo "/var/log/kadmind.log:"
tail -n 100 /var/log/kadmind.log
fi
#add 'list' privilege for root/master
sed -i -e '$a*/master@EXAMPLE.COM *' /var/kerberos/krb5kdc/kadm5.acl
# Restart daemon auto start
if rlIsRHEL 6; then
rlRun "service krb5kdc restart"
rlRun "service kadmin restart"
rlRun "service krb5kdc status"
rlRun "service kadmin status"
else
rlRun "systemctl restart krb5kdc.service"
rlRun "systemctl restart kadmin.service"
rlRun "systemctl --no-pager status krb5kdc.service"
rlRun "systemctl --no-pager status kadmin.service"
fi
rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
rlRun "kdestroy"
rlRun "kadmin -p root/master -w rrr -q 'getprincs'"
rlAssertGrep "AS_REQ.*$krb5User@$krb5REALM1.*krbtgt/$krb5REALM1@$krb5REALM1" krb5kdc.log.record
#The principal related to kadmin are not created with hostname (kadmin/hostname@REALM) during creating krb5 DB
#RHEL9 constains only kadmin/admin@REALM - this change was intentional - Don't create hostbased principals in new KDBs
#https://krbdev.mit.edu/rt/Ticket/Display.html?id=8935
if rlIsRHEL 9 || rlIsFedora '>=33';then
kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/admin@$krb5REALM1"
else
kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/.*`hostname`@$krb5REALM1"
fi
rlAssertGrep "${kadmin_princ}" kadmind.log.record
#rlAssertGrep "Request: kadm5_init.*root\/master@$krb5REALM1.*service=kadmin\/(admin|.*`hostname`)@$krb5REALM1" kadmind.log.record -E
echo "***krb5kdc.log.record***" && cat krb5kdc.log.record
echo "***kadmind.log.record***" && cat kadmind.log.record
# Stop log recording
kill $KADMIND_LOG_PID
kill $KRB5KDC_LOG_PID
rlPhaseEnd
rlPhaseStartTest "SSH test"
cat > sshtest.exp <<'_EOF'
#!/usr/bin/expect -f
set USER [lindex $argv 0]
set HOST [lindex $argv 1]
set timeout 15
spawn ssh $USER@$HOST pwd
expect {
-re ".*(yes/no).*" { send -- "yes\r"; exp_continue }
-re ".*password:.*" { exit 1 }
"/home/$USER" { exit 0 }
timeout { exit 2 }
eof { exit 3 }
}
exit 4
_EOF
chmod 744 sshtest.exp
rlAssertExists sshtest.exp
rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
rlRun "./sshtest.exp $krb5User $krb5HostName"; echo
rlRun "klist &>klist.log"
cat klist.log
rlAssertGrep "host/`hostname`@$krb5REALM1" klist.log
rlRun "kdestroy"
#BZ1841488-sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context
#The problem is that this file had security context: system_u:object_r:kadmind_tmp_t:s0.
#This is a problem when the ssh via krb5-GSSAPI is used because sshd service cannot write into this file.
if rlIsRHEL '>=8.3' || rlIsFedora '>=32'; then
rlLog "BZ1841488-sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context"
rlRun "sesearch -s sshd_t -t kadmind_tmp_t -c file -p write --allow | grep ^allow"
fi
rlPhaseEnd
rlPhaseStartTest "Basic kadmin and kpasswd test"
rlRun "kadmin.local -q \"listprincs\" |grep -v Authenticating >lplocal"
rlRun "kadmin -p root/master -w $krb5RootPass -q \"listprincs\" |grep -v Authenticating >lpremote"
rlAssertNotDiffer lplocal lpremote || diff -u lplocal lpremote
diff lplocal lpremote
rlRun "kadmin -p root/master -w $krb5RootPass -q \"addprinc -pw $krb5User2 $krb5User2@$krb5REALM1\""
rlRun "kadmin -p root/master -w $krb5RootPass -q \"listprincs\" | grep \"$krb5User2@$krb5REALM1\""
rlRun "echo $krb5User2 | kinit $krb5User2"
rlRun "echo -e \"$krb5User2\nqwerty\nqwerty\" | kpasswd &>kpasswd.log"
cat kpasswd.log
rlAssertGrep "Password changed." kpasswd.log
rlRun "echo qwerty | kinit $krb5User2"
rlRun "kdestroy"
rlRun "kadmin -p root/master -w $krb5RootPass -q \"delprinc -force $krb5User2@$krb5REALM1\""
rlPhaseEnd
rlPhaseStartTest "Basic ksu test"
[[ -f /root/.k5login ]] && rlRun "mv /root/.k5login ."
rlRun "echo $krb5User@$krb5REALM1 > /root/.k5login"
rlRun "su - $krb5User -c \"echo $krb5UserKrbPass | kinit $krb5User\""
rlRun "su - $krb5User -c \"ksu -e /usr/bin/id\" &> ksu.log"
cat ksu.log
rlAssertGrep "^uid=0(root) gid=0(root)" ksu.log
rlRun "su - $krb5User -c kdestroy"
[[ -f .k5login ]] && rlRun "mv .k5login /root/.k5login"
rlPhaseEnd
rlPhaseStartTest "Cross realm test"
rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
rlRun "kvno host/`hostname`@$krb5REALM2"
rlRun "klist &>klist.log"
cat klist.log
rlAssertGrep "krbtgt/$krb5REALM1@$krb5REALM1" klist.log
rlAssertGrep "krbtgt/$krb5REALM2@$krb5REALM1" klist.log
rlAssertGrep "host/`hostname`@$krb5REALM2" klist.log
rlRun "kdestroy"
rlPhaseEnd
# BZ#1394908: Test the entropy source (not relevant for RHEL6)
if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then
rlPhaseStartTest "BZ#1394908: Enable faster getrandom-based entropy system"
echo START_DATE=$START_DATE
auditctl -l
sleep 5
rlRun "ausearch -i -k RAND -ts $START_DATE"
rlRun "ausearch -i -k RAND -ts $START_DATE |grep comm= | grep -v comm=auditctl |grep -v 'comm=rngd'" 1
rlRun "auditctl -D"
rlPhaseEnd
fi
# Run this part on "normal" mode; in inplace upgrade no cleanup is needed
if [[ -z $IN_PLACE_UPGRADE ]]; then
rlPhaseStartCleanup "KDC and kadmind cleanup"
rlRun "rm -rf /var/kerberos/krb5kdc/* /var/kerberos/krb5kdc/.k5* /etc/krb5* /etc/sysconfig/{kadmin,krb5kdc}"
rlFileRestore
rlRun "rlServiceRestore krb5kdc kadmin"
[ $krb5User != "root" ] && rlRun "userdel -r -f $krb5User"
rlPhaseEnd
fi
rlPhaseStartCleanup
rlRun "kdestroy -A"
rlRun "popd"
rlRun "rm -r $TmpDir"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd